[Puppet Users] Bolt: Running a ps-script making a web request with credentials

2019-11-22 Thread Andreas Torbiörnsson
Hi group!

Hoping that someone can help me with an issue I'm having. It's in a 
Windows environment.
I'm trying to run a script on a remote Windows machine using Bolt. The 
script looks up the latest version of chocolatey from an on-prem nuget feed, 
downloads and installs chocolatey.

Running the script with this command:
bolt script run .\chocolatey_install.ps1 --nodes winrm://xxx --user userx --password --no-ssl

It returns a 401 error when making a web request to the nuget feed, using 
System.Net.Webclient from .Net:
Querying latest package from http://xxx..xxx/DefaultCollection/_packaging/Testfeed/nuget/v2/Packages()?$filter=(Id%20eq%20%27chocolatey%27)%20and%20IsLatestVersion
  STDERR:
$invokeArgs = @{
 : System.Management.Automation.MethodInvocationException: Exception calling "DownloadString" with "1" argument(s): "The remote server returned an error: (401) Unauthorized." ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
   at System.Net.WebClient.DownloadString(Uri address)
   at CallSite.Target(Closure , CallSite , Object , String )
   --- End of inner exception stack trace ---
   at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
   at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.Interpreter.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[T0](T0 arg0)
   at System.Management.Automation.ScriptBlock.InvokeWithPipeImpl(ScriptBlockClauseToInvoke clauseToInvoke, Boolean createLocalScope, Dictionary`2 functionsToDefine, List`1 variablesToDefine, ErrorHandlingBehavior errorHandlingBehavior, Object dollarUnder, Object input, Object scriptThis, Pipe outputPipe, InvocationInfo invocationInfo, Object[] args)
   at System.Management.Automation.ScriptBlock.<>c__DisplayClass57_0.b__0()
   at System.Management.Automation.Runspaces.RunspaceBase.RunActionIfNoRunningPipelinesWithThreadCheck(Action action)
   at System.Management.Automation.ScriptBlock.InvokeWithPipe(Boolean useLocalScope, ErrorHandlingBehavior errorHandlingBehavior, Object dollarUnder, Object input, Object scriptThis, Pipe outputPipe, InvocationInfo invocationInfo, Boolean propagateAllExceptionsToTop, List`1 variablesToDefine, Dictionary`2 functionsToDefine, Object[] args)
   at System.Management.Automation.ScriptBlock.InvokeUsingCmdlet(Cmdlet contextCmdlet, Boolean useLocalScope, ErrorHandlingBehavior errorHandlingBehavior, Object dollarUnder, Object input, Object scriptThis, Object[] args)
   at Microsoft.PowerShell.Commands.InvokeCommandCommand.EndProcessing()
   at System.Management.Automation.CommandProcessorBase.Complete()
+ CategoryInfo  : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException




Here are the relevant parts of the code:
function Get-Downloader {
  param (
    [string]$url
  )
  $downloader = New-Object System.Net.WebClient
  # Authenticate with the credentials of the account running the script
  $downloader.UseDefaultCredentials = $true

  return $downloader
}

function Download-Package {
  param (
    [string]$packageODataSearchUrl,
    [string]$file
  )
  $downloader = Get-Downloader $packageODataSearchUrl

  Write-Output "Querying latest package from $packageODataSearchUrl"
  # NEXT LINE IS WHERE IT CRASHES
  [xml]$pkg = $downloader.DownloadString($packageODataSearchUrl)
  # (the rest of the function was not included in the post)
}


I have verified that userx is allowed to query the server. I have also 
tested to manually move the script to the remote machine and run it locally 
as userx AND THAT WORKS. 
Does anyone know if there is a problem/bug when accessing the credentials 
of the user running a script (through WebClient.UseDefaultCredentials) when 
the script is run by Bolt? I can think of many workarounds, but I can't 
understand why this won't work.

Cheers!
Toband, the frustrated developer

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/7d5f7bdd-fa0c-4d9e-b95f-59d6d9e0df61%40googlegroups.com.
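
Added example, not part of the original post and not Bolt's own code: one explanation consistent with the symptoms above, stated here as an assumption, is that a WinRM session is by default a network logon whose credentials cannot be forwarded to a second server, so UseDefaultCredentials has nothing to send to the feed. The sketch reports how the session was authenticated, shows which schemes the feed offers when it answers 401, and lets Get-Downloader take an explicit credential; Get-SessionAuthInfo, Get-FeedXml and the -Credential parameter are hypothetical names.

```powershell
# Added example, not from the original post. Get-SessionAuthInfo, Get-FeedXml and
# the -Credential parameter are hypothetical names introduced for illustration.
function Get-SessionAuthInfo {
    # How was this session authenticated? Run it locally and through Bolt and compare.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        User               = $id.Name
        AuthenticationType = $id.AuthenticationType
        ImpersonationLevel = $id.ImpersonationLevel
    }
}

function Get-Downloader {
    param(
        [string]$url,
        [System.Management.Automation.PSCredential]$Credential  # optional
    )
    $downloader = New-Object System.Net.WebClient
    if ($Credential) {
        # Explicit credential: does not depend on the remote logon session.
        $downloader.Credentials = $Credential.GetNetworkCredential()
    } else {
        # Same behaviour as the function in the post.
        $downloader.UseDefaultCredentials = $true
    }
    return $downloader
}

function Get-FeedXml {
    param([string]$url, [System.Management.Automation.PSCredential]$Credential)
    $downloader = Get-Downloader -url $url -Credential $Credential
    try {
        return [xml]($downloader.DownloadString($url))
    } catch {
        # DownloadString failures arrive wrapped; find the WebException inside.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        $resp = if ($ex) { $ex.Response -as [System.Net.HttpWebResponse] }
        if ($resp -and $resp.StatusCode -eq [System.Net.HttpStatusCode]::Unauthorized) {
            Write-Warning ("401 from feed; server offers: " + $resp.Headers['WWW-Authenticate'])
            Write-Warning ("Session: " + (Get-SessionAuthInfo | Out-String).Trim())
        }
        throw
    } finally {
        $downloader.Dispose()
    }
}
```

How the credential reaches the remote script is left to the caller; the functions only accept a PSCredential object.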


Re: [Puppet Users] PE 2019.2 with Puppet Agent 5.x (Turn off new Intermediate CA architecture)

2019-11-22 Thread A Manzer
Thanks Justin.

I think I was just Out Of Luck from the start, by starting with a PE 2019.2 
install, with only 5.x agents available.

For anyone who finds this in the future, what I ended up doing was using 
the Puppet *gem* on Raspbian.  I ended up essentially following this guide, 
which is a little wrong in the systemd section, but boils down to "Install 
`ruby-full`, `gem install puppet`, create systemd unit file to manage the 
puppet agent."  This got me Puppet Agent v6, so it is able to communicate with 
my new PE installation.

On Tuesday, November 19, 2019 at 5:11:50 PM UTC-5, Justin Stoller wrote:
>
> sorry for the delay, kid got sick.
>
> On Sun, Nov 17, 2019 at 3:13 AM A Manzer wrote:
>
>> From what I saw, the new architecture is an Intermediate Signing Cert, 
>> signed by a bare *key*.  I'm not sure how I could copy that to an agent 
>> and have it trusted.
>>
>
> The $cadir/ca_crt.pem will contain both the intermediate and root cert. 
> The root's private key is also left in the cadir so you can put it in a 
> safe location. The intermediate's key is in the $cadir/ca_key.pem location.
>
> IIRC, for a 5.x agent connecting to a 6.x CA you'd need to move the 
> ca_crt.pem and signed agent cert to the agent out of band, while also 
> disabling crl checking. Kinda defeats the purpose of enabling intermediate 
> CAs if you have to disable the CRL though. But, the refactor to handle CRL 
> chains wasn't something we were comfortable putting into an LTS right away. 
> And most folks we've talked to have an older CA infrastructure w/ new 
> agents, so the backport hasn't been prioritized.
>
>>
>>> turn off your master, delete your ssldir and restart it to have it create 
>>> a self signed root.
>>>
>> This is what I want to do!  But I'm not sure what options to set during 
>> installation/setup to turn that off.
>>
>
> If you have an existing ssldir I think PE will install w/o additional 
> configuration and just use the existing certs/keys. The installer mostly 
> runs Puppet and the code that bootstraps it is basically an `exec { 
> "puppetserver ca setup": creates => "/etc/puppetlabs/puppet/ssl/ca" }` .
>
> I *think* the master, if the service starts and there isn't an ssldir, 
> will re-create the keys/certs it needs, but as a 5.x compatible self signed 
> root - but don't try that unless you're prepared for everything to fail. I 
> think we left the old bootstrap code in there for demo purposes, but it's 
> not actively maintained.
>
> Again, there's probably a better way w/in PE to distribute the certs once 
> you've regen them for the CA/master to the console/pdb, but I don't know 
> it. You might want to try #puppet-enterprise in the community slack channel.
>
>
> hth,
> Justin
>
>>
>>  
>> On Saturday, November 16, 2019 at 4:46:01 PM UTC-5, Justin Stoller wrote:
>>>
>>> Depending on your security inclinations you might try turning crl 
>>> checking off on your 5.5 agent (iirc, that was the biggest issue - if not 
>>> the only issue). You might have to also copy the signed cert over to the 
>>> agent too).
>>>
>>> Otherwise, you may be able to turn off your master, delete your ssldir 
>>> and restart it to have it create a self signed root. Make sure the agent on 
>>> the master can then check in. I don't remember how that cert is then 
>>> propagated out to pdb and the console. You'll either need to hunt and 
>>> replace on disk (there's gotta be a task or `puppet infra` command though), 
>>> or uninstall/re-install pe (iirc, you can install a fresh pe onto an 
>>> existing ssldir).
>>>
>>> hth
>>>
>>> On Sat, Nov 16, 2019 at 4:33 AM A Manzer wrote:
>>>
>>>> Using the LTS is one option.
>>>>
>>>> I disagree that it says that pre-6 agents won't play with a 6 server.  
>>>> On that page I linked, there's a compatibility matrix that shows 5.x 
>>>> agents are compatible with PE 2019.1.  Also, the first phrase of the 
>>>> quote says that I can use pre-6.x agents.
>>>>
>>>> I think I'm closer: I found a page on Puppet 6 Intermediate CA, but 
>>>> it only tells me how to convert *to* an intermediate CA architecture, 
>>>> not *from* an intermediate CA architecture.
>>>>
>>>> On Saturday, November 16, 2019 at 7:02:01 AM UTC-5, LinuxDan wrote:
>>>>>
>>>>> Use 2018.1.11 (LTS)
>>>>>
>>>>> It clearly says that pre-6 agents won’t play with a 6 server.
>>>>>
>>>>> —-
>>>>>
>>>>> "Sometimes I think the surest sign that intelligent life exists 
>>>>> elsewhere in the universe is that none of it has tried to contact us."
>>>>>
>>>>> Bill Waterson (Calvin & Hobbes)
>>>>>
>>>>> On Nov 16, 2019, at 6:50 AM, A Manzer wrote:
>>>>>
>>>>> 
>>>>> I've been using Puppet Enterprise at work quite successfully for a 
>>>>> long time.  So I finally decided to take advantage of the "Run 10 nodes 
>>>>> for 
>>>>> free" offer and run PE at h

Re: [Puppet Users] default production environment gets deleted by puppet-code

2019-11-22 Thread Becca Robinson
Hi Claude,

When setting up your control repo, please ensure that you have all of your 
forge modules listed in the Puppetfile.
Code manager will overwrite the contents of your environments directory with 
what is defined in the control repo and Puppetfile.

Here are some helpful links to help you get started setting up code manager on 
PE.

https://puppet.com/docs/pe/2019.2/control_repo.html#how-the-control-repository-works
https://puppet.com/docs/pe/2019.2/puppetfile.html#about-puppetfiles
https://puppet.com/docs/pe/2019.2/puppetfile.html#declare-puppet-forge-modules-in-the-puppetfile
https://puppet.com/docs/pe/2019.2/code_mgr_how_it_works.html#how_code_manager_works
https://puppet.com/docs/pe/2019.2/code_mgr_config.html#configuring_code_manager


-- 
Becca Robinson




> On Nov 22, 2019, at 7:08 AM, Claude Bisdorff wrote:
> 
> Hello,
> I recently started to test puppet enterprise. 
> We did the integration with gitlab to manage code. Deploying code from gitlab 
> works well, but each time I do a "puppet-code deploy -all" or puppet-code 
> deploy , this deletes the default production environment 
> ("/etc/puppetlabs/code/environments/production") on my puppet server, thus 
> also all the modules I have installed from puppet forge. Restarting 
> puppetserver of course recreates it, but all my modules are lost. 
> 
> I don't know if it is related to my config in puppet or if I did some mistake 
> in gitlab, since I played around with the environments. 
> I see an environment master in gitlab and two custom ones I created. The 
> production environment does not appear in gitlab, is this normal? 
> 
> What else could be the reason for this? 
> 
> Kind regards 
> Claude 
> 

[Puppet Users] default production environment gets deleted by puppet-code

2019-11-22 Thread Claude Bisdorff
Hello,
I recently started to test puppet enterprise. 
We did the integration with gitlab to manage code. Deploying code from 
gitlab works well, but each time I do a "puppet-code deploy -all" or 
puppet-code deploy , this deletes the default production 
environment ("/etc/puppetlabs/code/environments/production") on my puppet 
server, thus also all the modules I have installed from puppet forge. 
Restarting puppetserver of course recreates it, but all my modules are 
lost. 

I don't know if it is related to my config in puppet or if I did some 
mistake in gitlab, since I played around with the environments. 
I see an environment master in gitlab and two custom ones I created. The 
production environment does not appear in gitlab, is this normal? 

What else could be the reason for this? 

Kind regards 
Claude 

