
Contact Vault with Self-signed CA #90

Open
valentin2105 opened this issue Dec 15, 2023 · 2 comments

Comments

@valentin2105

valentin2105 commented Dec 15, 2023

Hello,

First of all, thanks for the module.

I'm trying to make this module work with a Vault cluster exposing port 8200 with a self-signed CA.

For the Deferred mode, it works after modifying the puppet.conf of the agent by adding localcacert pointing to my CA in the main section.

But for the "Puppet server mode" (without Deferred), which I need because the configuration file that I want to deploy is an ERB template and Deferred seems not to work in this mode because it is created on the server side, it gives us Java errors:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I tried adding the CA and even the Vault node certificate in the Java keystore, but it seems ignored (after server restart).

Any feedback on this?

I read that we need to use Puppet's CA, but in my case we have a specific CA different from the Puppet one, and have to use it.

valentin2105 changed the title from "Contact Vault with Custom CA" to "Contact Vault with Self-signed CA" on Dec 15, 2023
@cgaspar-deshaw

You don't want to evaluate the EPP server side, as that exposes the secrets to the compile server. Do something like:

content => Deferred('inline_epp', [file($my_epp_path), $parameters])

We also have a ruby function to find the template file based on Puppet::Parser::Files.find_template(file, scope.compiler.environment) to make the above more ergonomic.

All of this really should be easier.
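The agent-side pattern suggested in the comment above, written out as an added example that is not code from the issue or from the module. It assumes the module exposes a `vault_lookup::lookup` Deferred-capable function, a secret-free EPP template shipped in a `profile` module, and placeholder Vault address and secret path:

```puppet
# Added example: render a secret-bearing config file on the agent, not on the
# compile server. Every value that could contain the secret is wrapped in
# Deferred, so the catalog only carries opaque Deferred objects; the lookup and
# the template rendering both run on the agent, which trusts the Vault CA via
# `localcacert` in its puppet.conf (as reported in this issue).
class profile::app_secrets (
  # Placeholders, not values from the issue.
  String $vault_addr  = 'https://vault.example.internal:8200',
  String $secret_path = 'secret/app/db',
) {
  # Assumed function name: vault_lookup::lookup(path, vault_addr).
  # Nested Deferred values are resolved on the agent before inline_epp runs.
  $parameters = {
    'db_user'     => 'app',
    'db_password' => Deferred('vault_lookup::lookup', [$secret_path, $vault_addr]),
  }

  # file() reads modules/profile/files/app.conf.epp at compile time. That is
  # acceptable because the template holds only placeholders such as
  # <%= $db_password %>; the secret itself never reaches the compiler.
  file { '/etc/app/app.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'app',
    mode    => '0640',
    content => Deferred('inline_epp', [file('profile/app.conf.epp'), $parameters]),
  }
}
```

To confirm the boundary holds, inspect the agent's cached catalog JSON: the `content` parameter should appear as a Deferred structure naming `inline_epp` and `vault_lookup::lookup`, never as rendered plaintext.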

@valentin2105

I succeeded in connecting my Puppet to Vault by using the Puppet certificates for Vault TLS.
And I avoid Deferred because our Puppet recipes are written only in ERB templates (and it is too much work to move to EPP).

It would be nice to be able to add the Vault CA to the Puppet Server keystore?

Has nobody achieved that?
