Puppet is one of the most mature and widely used config management tools out there. But one question comes up time and again: where and how do I store secrets in Puppet code? HashiCorp Vault safely manages your secrets in an automated and secure way. In this webinar, Peter Souter will demonstrate how to use HashiCorp Vault for secrets management while using Puppet as the configuration management software.

1. Copyright © 2018
HashiCorp
May 23, 2018
How to Use HashiCorp
Vault with Hiera 5 for
Secret Management with
Puppet

2. “Technical Account Manager at HashiCorp
Peter Souter
Based in...
London, UK
Been using...
The HashiCorp stack and Puppet for about 7
years
Worn a lot of hats in my time...
Developer, Consultant, Pre-Sales, TAM
Interested in...
Making people’s operational life easier and
more secure
DEVOPS ALL THE THINGS
Introductions - Who are these People?

3. “
Introductions - Who are these People?
Principal Solutions Architect at Puppet
Andrew Brader
Based in...
Philadelphia, Pennsylvania
Been using...
Puppet for about 8 years
Also worn a lot of hats in his time...
Developer, Consultant, Solutions Architect
Interested in...
Making people’s operational life easier and
more secure
DEVOPS ALL THE THINGS

4. “
▪ You’re using Puppet to
manage systems
▪ You’re happy!
▪ Your infrastructure as
code is great!
▪ Everything is awesome!
Let's talk about the landscape

5. “
“Uhhh, the production passwords are in
plaintext in the Puppet code… and I accidentally
pushed it to a public Git repo...”
But there is a problem:

6. “▪ Puppet code needs to be treated like any code: secrets
need to be encrypted at rest
▪ You need to think about some things:
• How would you rotate your secrets?
• How would you know what was leaked?
• How do you onboard new team members?
• How do new secrets get introduced?
• How do you track what secrets have been changed?
Managing Secrets is Hard

7. “
Best Practises for Secrets in Puppet
Here’s something I made earlier! - https://www.youtube.com/watch?v=JwuXUxSCDGY

8. “▪Hiera-eyaml
▪Git-crypt
▪Mozilla’s SOPS
▪Transcrypt
▪Blackbox
Previous Secret Management Solutions
Different tools but the
same idea:
encrypted secrets in the git
repo with asymmetric
encryption (ie. public and
private keys)

9. “
These have a similar problems...
▪The rotation process is a little fiddly
▪Onboarding new team members is hard
▪Harder to keep track of who changed what
▪No easy way audit whats being used where

10. “
“If only there was a Secret management
application we could tap into to...”
There’s got to be a better way!?

11. “
Enter Vault!

12. “
Installing Vault with Puppet
class profile::vault_server {
class { '::vault':
manage_storage_dir => true,
storage => {
file => {
path => '/mnt/vault/data',
},
},
listener => {
tcp => {
address => '0.0.0.0:8200',
tls_disable => 1,
},
},
version => '0.10.1',
enable_ui => true,
}
}
▪ https://github.com/jsok/puppet-vault

13. “
▪ Hiera is just key/value lookup
▪ So, Hiera will plug into Vault with a little bit of Ruby glue
▪ https://github.com/davealden/hiera-vault
▪ This uses Hiera 5, so allows finer tuning and features
Plugging Hiera into Vault

14. “---
version: 5
hierarchy:
- name: "Hiera-vault lookup"
lookup_key: hiera_vault
options:
confine_to_keys:
- '^vault_.*'
- '^.*_password$'
- '^password.*'
address: https://vault:8200
token: 97402490-eeb0-6530-13f6-fc0525503f23
default_field: value
mounts:
generic:
- secret/puppet/%{::trusted.certname}/
An example Hiera backend configuration

15. “
confine_to_keys
▪ With automatic parameter lookup, it might be trying
to make a call to Vault for every parameter you
could set in your Puppet code
▪ This an increase to catalog compilation time, as it’s
an extra hop to check if it exists
▪ The backend has a key called “confine_to_keys”,
which allows you to set Vault lookup to certain
key-names
▪ For example, a regex that only allows lookup for
“password” or containing the string “vault”
▪

16. “▪ We can secure our lookup process even more by
creating a Hiera specific policy:
path "secret/puppet/*" {
capabilities = ["read", "list"]
}
▪ When we create a token using this policy, the Puppet
token will only be able to read values under the
Puppet namespace from Vault
Vault Policy for Hiera

17. “
How it looks architecturally

18. “$ puppet lookup <key> --explain
Environment Data Provider (hiera configuration version 5)
Using configuration "/etc/puppetlabs/code/environments/production/hiera.yaml"
Hierarchy entry "Hiera-vault lookup"
Found key: "vault_lookup_example" value: "FOOBAR"
[hiera-vault] Client configured to connect to https://vault:8200
[hiera-vault] Looking in path secret/puppet/puppet.home/vault_lookup_example
[hiera-vault] Read secret: vault_lookup_example
Explain can help debug Hiera lookups

19. “
This is a sandbox example, and is not hardened
to production standards!
Standard Demo Pre-Warning!

20. Copyright © 2018 HashiCorp
Demo

21. “▪ One of the easiest solutions to integrate Vault on an
existing Puppet estate
▪ Minimises connectivity requirements: Vault only needs to
be able to talk to the Puppetserver, not all agents
▪ Debugging can be done normally through Hiera processes
▪ However, you can’t do finer tuned control like one could
do with a cubbyhole system
There are advantages and disadvantages

22. “▪ Use Puppet to configure consul-env or
consul-template
Advantages
● Secrets never touch Puppet
● Puppet does not need to run on a regular
interval to catch changes
● Puppet does not need to interact with
Vault at all
Disadvantages
● Go's templating language is not fun
● Added indirection
● Wouldn’t work for non templated resources
(user management for example)
Alternative Solution: consul-env/template
▪ {{ with vault "postgresql/creds/readonly" }}
[config]
username = "{{ .Data.username }}"
password = "{{ .Data.password }}"
{{ end }}

23. “▪ Use a library in your application to talk to
Vault directly
▪ Vault-rails, Vault-spring
Advantages
● More performant
● More control over interactions with Vault
● Less responsibility on configuration
management
Disadvantages
● Requires applications to be Vault-aware
● Requires engineering effort
● Slower (for existing applications)
Alternative Solution: Direct Integration
▪ class Person < ActiveRecord::Base
include Vault::EncryptedModel
vault_attribute :ssn
end
class AddEncryptedSSNToPerson < ActiveRecord::Migration
add_column :persons, :ssn_encrypted, :string
end
person = Person.new
person.ssn = "123-45-6789"
person.save #=> true
person.ssn_encrypted #=> "vault:v0:EE3EV8P5hyo9h..."

24. Copyright © 2018 HashiCorp
Q&A

25. “● Using HashiCorp's Vault With Puppet - Seth Vargo, PuppetConf 2016
○ https://www.youtube.com/watch?v=PEdhD1hOpds
● Good Opsec Hygiene with Puppet - Peter Souter, PuppetConf 2016
○ https://www.youtube.com/watch?v=JwuXUxSCDGY
● Hiera 5 Vault Backend
○ https://github.com/davealden/hiera-vault
● Vault Puppet module
○ https://forge.puppet.com/jsok/vault
Would you like to know more?