ryanprior/conjur-puppet-demo

Preparation 🙏🏻

turn off notifications

restart Emacs

zoom in the frame

(require 'zoom-frm)
(zoom-in/out 1)
(zoom-frm-unzoom)
(zoom-in/out 8)

clean up old data

docker-compose down
rm -f puppet/manifests/secrets.pp

start up new containers

./start.sh

The Conjur Puppet Demo 💪🏻

Introduction

This demo was created for PuppetConf 2017

Manual Secrets Management 😳🔓️🤷🏻‍♂️

The special DevOps thumb drive (aka SneakerNet 👟)

This is a manually managed “secrets” manifest which ops must keep private: file:thumb-drive/secrets.pp

cp thumb-drive/secrets.pp puppet/manifests/secrets.pp
./run-agent.sh

Problems with manual secrets management 💥

Why Hiera is not the solution 🤔📚️

Conjur Secrets Management 👌🏻🤠🔑

cp conjur/secrets.pp puppet/manifests/secrets.pp
docker-compose exec -T client /demo/load-secrets.sh

Generate a hostfactory token and give it to the Puppet Master

./generate-hostfactory-token.sh

Put this token in file:puppet/manifests/secrets.pp

Run the Puppet agent again

./run-agent.sh

Take a look at the Conjur policy 🔎

It’s in file:conjur/app.yml

Rotate a secret 🔄

docker-compose exec -T client sh -c '
conjur variable values add app/postgres-password "long director down so"
conjur variable values add app/vendor-oauth-token "ee16b985-c72b-4cd3-abec-af38c056db00"
'

Let’s do just a couple cool Conjur things! ❄️🆒

What hosts have we created so far?

docker-compose exec -T client \
  conjur list -k host

What are all the roles that can fetch the app’s postgres password?

docker-compose exec -T client \
               conjur resource permitted_roles \
               variable:app/postgres-password \
               execute
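The demo's own conjur/app.yml is not reproduced on this page. The policy below is an added illustration, not the project's file, of how the two variables the rotation step updates, a host layer, the host factory behind generate-hostfactory-token.sh, and the `execute` privilege that the permitted_roles query above reports can fit together in one Conjur policy; the layer and host-factory names are assumptions.

```yaml
# Added illustration, not the demo's own conjur/app.yml.
# Policy "app" owns the two secrets the demo rotates.
- !policy
  id: app
  body:
    # The secrets. Policy declares them only; values are set later with
    # `conjur variable values add` (as in the rotation step above).
    - !variable postgres-password
    - !variable vendor-oauth-token

    # Layer that every Puppet-managed host joins (assumed; unnamed, so it
    # takes the policy id "app").
    - !layer

    # Host factory whose tokens enrol new hosts into that layer; this is
    # the kind of token the Puppet Master receives in secrets.pp.
    - !host-factory
      layers: [ !layer ]

    # Grant the layer "execute" (fetch the value) on both variables.
    # `conjur resource permitted_roles variable:app/postgres-password execute`
    # lists the roles that end up holding this privilege.
    - !permit
      role: !layer
      privileges: [ read, execute ]
      resources:
        - !variable postgres-password
        - !variable vendor-oauth-token
```

Hosts enrolled through the host factory inherit the layer's privileges, so rotating a value with `conjur variable values add` changes what they fetch without any change to the policy or to the Puppet manifests.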