https://github.com/ryanprior/conjur-puppet-demo

PuppetConf 2017 Conjur Demo
https://github.com/ryanprior/conjur-puppet-demo

automation demo devsecops machine-identity puppet secrets security

Last synced: 3 days ago
JSON representation

PuppetConf 2017 Conjur Demo

• Host: GitHub
• URL: https://github.com/ryanprior/conjur-puppet-demo
• Owner: ryanprior
• License: other
• Created: 2017-10-11T06:40:22.000Z (over 7 years ago)
• Default Branch: master
• Last Pushed: 2018-02-08T05:06:48.000Z (over 7 years ago)
• Last Synced: 2025-05-07T23:03:36.462Z (10 days ago)
• Topics: automation, demo, devsecops, machine-identity, puppet, secrets, security
• Language: Puppet
• Homepage: https://www.youtube.com/watch?v=jYvfSYDcLXk
• Size: 5.86 KB
• Stars: 1
• Watchers: 0
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.org
  • License: LICENSE.txt

Awesome Lists containing this project

README

        
* Preparation 🙏🏻

** TODO turn off notifications

** TODO restart Emacs

** TODO zoom in the frame

#+BEGIN_SRC elisp :results output silent

  (require 'zoom-frm)

  (zoom-in/out 1)

  (zoom-frm-unzoom)

  (zoom-in/out 8)

#+END_SRC

** TODO clean up old data

#+BEGIN_SRC sh :results output silent

  docker-compose down

  rm -f puppet/manifests/secrets.pp

#+END_SRC

** TODO start up new containers

#+BEGIN_SRC sh :results output silent

  ./start.sh

#+END_SRC

* The Conjur Puppet Demo 💪🏻

** Introduction

This demo was created for PuppetConf 2017

- presented by Ryan Prior, CyberArk software engineer

- co-presented with Jody Hunt, CyberArk global directory of customer success

- get Conjur: https://conjur.org

  + on GitHub: https://github.com/cyberark/conjur (AGPLv3, PRs requested)

  + the Puppet module: https://forge.puppet.com/cyberark/conjur

  + this demo: https://github.com/ryanprior/conjur-puppet-demo

- on social media:

  + https://twitter.com/ryanprior

  + https://twitter.com/conjurinc

** Manual Secrets Management 😳🔓️🤷🏻‍♂️

*** The special DevOps thumb drive (aka SneakerNet 👟)

This is a manually managed "secrets" manifest which ops must keep private:

file:thumb-drive/secrets.pp

#+BEGIN_SRC sh :results output silent

  cp thumb-drive/secrets.pp puppet/manifests/secrets.pp

#+END_SRC

#+BEGIN_SRC sh

  ./run-agent.sh

#+END_SRC

*** Problems with manual secrets management 💥

*** Why Hiera is not the solution 🤔📚️

** Conjur Secrets Management 👌🏻🤠🔑

#+BEGIN_SRC sh :results value verbatim

  cp conjur/secrets.pp puppet/manifests/secrets.pp

  docker-compose exec -T client /demo/load-secrets.sh

#+END_SRC

*** Generate a hostfactory token and give it to the Puppet Master

#+BEGIN_SRC sh

  ./generate-hostfactory-token.sh

#+END_SRC

Put this token in file:puppet/manifests/secrets.pp

*** Run the Puppet agent again

#+BEGIN_SRC sh

  ./run-agent.sh

#+END_SRC

*** Take a look at the Conjur policy 🔎

It's in file:conjur/app.yml

*** Rotate a secret 🔄

#+BEGIN_SRC sh :results verbatim

  docker-compose exec -T client sh -c '

  conjur variable values add app/postgres-password "long director down so"

  conjur variable values add app/vendor-oauth-token "ee16b985-c72b-4cd3-abec-af38c056db00"

  '

#+END_SRC

*** Let's do just a couple cool Conjur things! ❄️🆒

What hosts have we created so far?

#+BEGIN_SRC sh

docker-compose exec -T client \

  conjur list -k host

#+END_SRC

What are all the roles can fetch the app's postgres password?

#+BEGIN_SRC sh

  docker-compose exec -T client \

                 conjur resource permitted_roles \

                 variable:app/postgres-password \

                 execute

#+END_SRC