Skip to content

Latest commit

 

History

History
92 lines (79 loc) · 2.63 KB

README.org

File metadata and controls

92 lines (79 loc) · 2.63 KB

Preparation 🙏🏻

turn off notifications

restart Emacs

zoom in the frame

(require 'zoom-frm)
(zoom-in/out 1)
(zoom-frm-unzoom)
(zoom-in/out 8)

clean up old data

docker-compose down
rm -f puppet/manifests/secrets.pp

start up new containers

./start.sh

The Conjur Puppet Demo 💪🏻

Introduction

This demo was created for PuppetConf 2017

Manual Secrets Management 😳🔓️🤷🏻‍♂️

The special DevOps thumb drive (aka SneakerNet 👟)

This is a manually managed “secrets” manifest which ops must keep private: file:thumb-drive/secrets.pp

cp thumb-drive/secrets.pp puppet/manifests/secrets.pp
./run-agent.sh

Problems with manual secrets management 💥

Why Hiera is not the solution 🤔📚️

Conjur Secrets Management 👌🏻🤠🔑

cp conjur/secrets.pp puppet/manifests/secrets.pp
docker-compose exec -T client /demo/load-secrets.sh

Generate a hostfactory token and give it to the Puppet Master

./generate-hostfactory-token.sh

Put this token in file:puppet/manifests/secrets.pp

Run the Puppet agent again

./run-agent.sh

Take a look at the Conjur policy 🔎

It’s in file:conjur/app.yml

Rotate a secret 🔄

docker-compose exec -T client sh -c '
conjur variable values add app/postgres-password "long director down so"
conjur variable values add app/vendor-oauth-token "ee16b985-c72b-4cd3-abec-af38c056db00"
'

Let’s do just a couple cool Conjur things! ❄️🆒

What hosts have we created so far?

docker-compose exec -T client \
  conjur list -k host

What are all the roles can fetch the app’s postgres password?

docker-compose exec -T client \
               conjur resource permitted_roles \
               variable:app/postgres-password \
               execute