Puppet agents can fetch or calculate data for themselves at catalog application time. One use case for this is to securely retrieve sensitive information like passwords from a secrets store.
The Deferred type enables these two capabilities. It instructs agents to execute a function locally to resolve a data value at the time of catalog application. When compiling catalogs, functions are normally executed on the master, with results entered into the catalog directly. The complete and fully resolved catalog is then sent to the agent for application. Starting in Puppet 6.0, you can defer the function call until the agent applies the catalog, meaning the function runs on the agent instead of on the master. This way, agents can use a function to fetch data like secrets directly, rather than having the master act as an intermediary, and the secret itself never has to be stored in the compiled catalog.
Integrations with secret stores
The Forge already hosts some community modules that provide integrations with secret stores.
Azure Key Vault: works on both the master and the server.
Cyberark Conjur: works on the master.
Hashicorp Vault: works on the agent.
Cyberark AIM: works on the agent (coming soon).
Using a Deferred function
An example of using the Deferred type to wrap a function and execute it on the agent.
Deferred function example
Prior to Puppet 6.0, you used a function executed on the master to evaluate a result and store it in the catalog. See the Puppet code below, which prints the result of myfunction.
$d = myfunction("myarg1", "myarg2")
node default {
  notify { 'example':
    message => $d,
  }
}
To execute this function on the agent, wrap it with the Deferred type. In this case, the function name is the first parameter and the function's parameters are passed as an array. Converting the same call to myfunction using Deferred looks like this:
$d = Deferred("myfunction", ["myarg1", "myarg2"])
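As an added example (not code from the original page or from any Forge module), the manifest below applies the same pattern to a secret lookup and to a template that consumes the result. The function myapp::lookup_secret, its two arguments, and the file paths are hypothetical placeholders; the function is assumed to run on the agent and to return its result wrapped in Sensitive, and Puppet is assumed to resolve the nested Deferred value inside the hash before calling inline_epp.

```puppet
# Added example. 'myapp::lookup_secret' is a HYPOTHETICAL agent-side
# function assumed to take (secret_path, store_url) and return Sensitive.

# Evaluated on the master at compile time: the plaintext secret would be
# written into the catalog, which is why the deferred form is preferred.
# $db_password = myapp::lookup_secret('secret/app/db', 'https://secrets.example.internal:8200')

# Deferred form: the catalog carries only the function name and its
# arguments; the agent calls the function while applying the catalog.
$db_password = Deferred('myapp::lookup_secret',
  ['secret/app/db', 'https://secrets.example.internal:8200'])

node default {
  # Because the value does not exist at compile time, the template that
  # embeds it must also be rendered on the agent. inline_epp is a built-in
  # function; wrapping it in Deferred runs it after $db_password resolves.
  # '.unwrap' is used inside the template because the lookup returns Sensitive.
  file { '/etc/myapp/db.conf':
    ensure  => file,
    owner   => 'myapp',
    group   => 'myapp',
    mode    => '0600',
    content => Deferred('inline_epp', [
      "user=myapp\npassword=<%= \$password.unwrap %>\n",
      { 'password' => $db_password },
    ]),
  }

  # A Sensitive-typed result is redacted in agent logs and reports, so the
  # notify resource shows a placeholder rather than the secret itself.
  notify { 'secret_resolved_on_agent':
    message => $db_password,
  }
}
```

Compare the compiled catalog for a node before and after the change: with the deferred form, `puppet catalog` output contains the function name and arguments for myapp::lookup_secret but no secret value.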