Puppet CA chain retrieval doesn't rely on internal Puppet API methods

[micahlee]

On Puppet 6, the Conjur module reports the error:

undefined method `ssl_configuration' for #<Puppet::SSL::Validator::DefaultValidator:0x00000000069b2778>

This comes from

conjur-puppet/lib/facter/conjur.rb

Line 75 in 353c3e2

Puppet::SSL::Validator.default_validator.ssl_configuration.ca_chain_file

where we use the internal Puppet API to retrieve the Puppet CA chain.

This instance method existed in Puppet 5 but was removed in Puppet 6.

[sgnn7]

iIn puppet it looks like even getting the master server cert is fragile to the max - we assume that if the indirector is not :compiler we use methods only available in :rest indirector even though there’s like 16 different types.

I think we may need to figure out different asymmetric key data to encrypt the token with between agent and master

Logic flow:
https://github.com/cyberark/conjur-puppet/blob/v2.0.3/lib/facter/conjur.rb#L86-L89

    def standalone?
      # HACK is there a better way to detect if this is puppet apply?
      Puppet[:catalog_terminus] == :compiler
    end

    begin
        ...
        if standalone?
          config['token'] = token
        else
          config['encrypted_token'] = encrypt_for_master token
        end
      end

Use of rest-only methods (https://github.com/cyberark/conjur-puppet/blob/v2.0.3/lib/facter/conjur.rb#L73-L74):

    def puppet_certificate
      @puppet_certificate ||= begin
        itc = Puppet::Resource::Catalog.indirection.terminus.class
        get_ssl_cert itc.server, itc.port,
            Puppet::SSL::Validator.default_validator.ssl_configuration.ca_chain_file
      end
    end

Here, itc.server and itc.port are only available to REST indirector

[sgnn7]

Puppet:Util::Connection seemed promising but it's for querying the server settings (which are unavailable on the agent)