Agent Side Lookups with HashiCorp Vault and Puppet 6
Mar 07, 2019
Learn about deferred functions in Puppet 6, which unlocks new authentication methods and workflows for HashiCorp Vault + Puppet setups.
Technical Account Manager, HashiCorp
Senior Principal Integration Engineer, Puppet
Puppet is one of the most mature configuration management tools and HashiCorp Vault is a leader in secrets management. But previously, if you wanted to use them together in a Puppet-focused workflow, you had to do it from a top-down model using Hiera. The Vault connections existed only between the Puppet server and Vault, which limited your options for authentication. The new Puppet 6 release comes with a new feature—deferred functions—which enables more authentication methods and new workflows when used with Vault for secrets management.
Deferred functions are agent-based rather than master-based. This allows users to leverage Vault in more ways. Instead of being locked into a more basic Hiera hierarchy, operators can use any authentication method available on the agent side, including leveraging the existing certificate authority (CA) from the Puppet master with the Vault certificate backend.
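As an added illustration of the agent-side pattern described above (not code from the webinar or from either project's documentation), the manifest below defers a Vault lookup so that it runs on the agent at catalog-apply time rather than on the Puppet server at compile time. It assumes the puppetlabs/vault_lookup module is installed (its `vault_lookup::lookup` function authenticates to Vault with the agent's own Puppet-issued certificate via Vault's cert auth method and returns a `Sensitive` value), that Vault has that auth method enabled and trusts the Puppet CA, and that the Vault URL and secret path shown are placeholders for your own environment.

```puppet
# Example manifest (added here; not from the original page).
# Assumptions: puppetlabs/vault_lookup is installed, Vault's cert auth
# method trusts the Puppet CA, and the URL/path below are placeholders.

# Deferred() packages the call into the catalog; the server never contacts
# Vault. The agent evaluates it during apply, presenting its own agent
# certificate to Vault, so each node can only read what its cert-bound
# Vault policy allows.
$db_password = Deferred('vault_lookup::lookup', [
  'secret/data/app/database',          # placeholder secret path
  'https://vault.example.internal:8200' # placeholder Vault address
])

# The lookup returns a Sensitive value, which keeps the secret out of the
# agent log and the Puppet report; the file content stays redacted in
# diffs as well.
file { '/etc/app/database.conf':
  ensure  => file,
  owner   => 'app',
  group   => 'app',
  mode    => '0640',
  content => $db_password,
}
```

Because the function runs on the agent, a Vault outage or a policy denial shows up as an error on that node at apply time instead of breaking catalog compilation for everyone, and access is governed per node by the Vault policy attached to its certificate rather than by a single server-side token.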
In this webinar, HashiCorp technical account manager Peter Souter and Puppet engineer Chris Barker will demonstrate how the new deferred function feature in Puppet 6 can be used to perform Vault lookups from the agent side, unlocking new Vault + Puppet workflows. They'll also discuss the process of using Puppet and Vault in conjunction with Terraform and cover Vault + Puppet certificate handling.
This webinar builds upon Peter's blog post from last year: How to use Vault with Hiera 5 for secret management with Puppet. Read that blog to supplement and more fully introduce the context for this webinar demo and discussion.
0:00 — Intro to using Vault with Puppet 6
8:40 — Demo: New features for authentication between Vault and Puppet 6
16:40 — Demo break, Intro to using Puppet through Terraform
18:20 — Puppet & certificates
25:35 — Q&A start
34:00 — Finish Demo
44:10 — Finish Q&A
If Vault were to go down and you were pulling the secrets at the agent side, would there be a cache or would we be overwriting a working config file (potentially) with a broken one?
If Vault is down, will that cause all Puppet clients using Vault to fail to run?
In our infrastructure we are using Puppet v4.10. How difficult is it to adapt Vault for using the certs?
I have a quick question: how are secret values handled in Puppet reports in Puppet 6?
Is Puppet looking to backport Vault capabilities to Puppet 5?
I have a question about Puppet template resolution via deferred. What options exist for using deferred data in those?
How would this demo work if you had multiple Puppet servers not sharing a CA?