# puppet
b
I have an internal LastPass server and I see a relatively not-so-old module for such.
y
I’d go with vault I think
vault can use puppet certs to grant you permissions
i.e. you can add your Puppet CA cert to the Vault TLS auth backend and then it'll allow any cert which is signed by this CA to read things (you need to set up some policies, though)
b
Is "puppet vault" a product that stores the secrets or a module that can access secrets (e.g. HashiCorp)? I'm not quite clear on what "vault" is just yet.
From "How to Enhance Your Vault Secrets Management Strategy With Puppet", step 2: "The Puppet agent authenticates to Vault to get the secrets data via a deferred function utilizing the Vault lookup plugin." Is "vault" in this context a 3rd-party product such as HashiCorp Vault, or is "Vault" a Puppet product?
j
Once you have the desired content, make sure to wrap it in `Binary` so that it can be serialized to the agent:

```puppet
file { '/etc/krb5.keytab':
  ensure  => file,
  content => Sensitive(Binary(...)),
}
```
b
I'm not so sure how to extract the keytab content....
I was thinking I just uploaded the file to "vault" and then puppet does its thing.
v
we don't manage the content of the file, we rely on `adcli join` to create a proper one and if that doesn't work - wipe everything out and run `adcli join` again 🙂
b
But `adcli join` requires a name/password. Is that something you manage, too?
v
```epp
<%- |
  String $domain_controller
| -%>
<%# The password is single-quoted so shell metacharacters in it are not interpreted -%>
/bin/echo -n '<%= $sssd::admin_password %>' | /usr/sbin/adcli delete-computer <%= $sssd::option %> \
--login-user=<%= $sssd::admin_name %> \
--domain=<%= $sssd::domain_name %> \
--domain-controller=<%= $domain_controller %> \
<%= $sssd::computer_name %> \
--stdin-password <%= $sssd::delete_path %>; \
/bin/sleep 10; \
/bin/echo -n '<%= $sssd::admin_password %>' | /usr/sbin/adcli join <%= $sssd::option %> \
--login-user=<%= $sssd::admin_name %> \
--domain=<%= $sssd::domain_name %> \
--domain-controller=<%= $domain_controller %> \
--domain-ou="<%= $sssd::computers_ou %>" \
--computer-name=<%= $sssd::computer_name %> \
--service-name=cifs \
--stdin-password <%= $sssd::join_path %>
```
b
I see what you're doing there, but how do you keep from running the script on every puppet run?
an exec resource with `creates`?
v
yep
```puppet
exec { 'adcli_join':
  # The rendered command contains the admin password, so the whole thing is wrapped in Sensitive
  command   => Sensitive(epp("${module_name}/sssd_join.epp", {
    domain_controller => $sssd::servers[0],
  })),
  timeout   => 600,
  tries     => 2,
  try_sleep => 5,
  # Only run the join when the keytab does not exist yet
  creates   => '/etc/krb5.keytab',
}
```
b
And do you use eyaml to obfuscate the password?
v
correct
b
hahah...I'm starting to get the hang of things.
v
we have a special account to add/delete computers
b
That's most helpful. Thank you. I'm still gonna give vault a try in the near future. I have uses for it for other things, too.
and a special thanks to @vchepkov, I've always wondered how the /etc/krb5.keytab got created.
y
I mean HashiCorp Vault above, yes
b
@vchepkov I noticed that you have variables prefixed with `sssd::`. Did you modify the sssd class module so that admin_password and admin_name are parameters of the class, or is there some other magic happening that you didn't paste into your reply? Since sgnl05/sssd doesn't have `sssd::admin_name` or `sssd::admin_password`, the values in the .epp template aren't getting assigned (for me at least).
d
v
We have an in-house developed module
b
That explains it then. Thanks!