Puppet

Visualize Puppet infrastructure, including servers, nodes, catalog, environment, factsets, and resources, and monitor changes through queries and alerts.

Installation Guide

Info

  • Puppet consists of the Puppet Server, which manages configurations, Puppet Agents, which apply them on nodes, and PuppetDB, which stores configuration, state, and report data. In this integration, the Puppet Server will store data in PuppetDB, and the integration will fetch data from PuppetDB.
  • The integration authenticates to PuppetDB with a client certificate. This assumes client-auth = need is set in the jetty.ini file for PuppetDB. Alternatively, client-auth = want is also acceptable.
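
To confirm the client-auth setting described above, the following added example (not part of the original guide or of JupiterOne's code) audits the text of a PuppetDB jetty.ini. The sample file contents are constructed. Treating an unset client-auth as need and an unset host as localhost are assumptions about PuppetDB's defaults.

```python
import configparser

# Constructed sample jetty.ini contents, not taken from a real host.
WEAK = """\
[jetty]
host = 0.0.0.0
port = 8080
ssl-host = 0.0.0.0
ssl-port = 8081
client-auth = none
"""
STRICT = """\
[jetty]
host = localhost
port = 8080
ssl-host = 0.0.0.0
ssl-port = 8081
client-auth = need
"""
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_jetty(text):
    """Return (severity, message) findings for the [jetty] section of jetty.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("jetty"):
        return [("fail", "no [jetty] section found")]
    jetty = cp["jetty"]
    findings = []
    if "ssl-port" not in jetty:
        findings.append(("fail", "ssl-port is not set: no TLS listener for the integration"))
    # Assumption: an unset client-auth behaves as 'need'.
    mode = jetty.get("client-auth", "need").strip().lower()
    if mode == "none":
        findings.append(("fail", "client-auth = none: client certificates are never requested"))
    elif mode == "want":
        findings.append(("warn", "client-auth = want: a certificate is requested but not required"))
    elif mode != "need":
        findings.append(("fail", f"client-auth = {mode!r} is not one of need/want/none"))
    # The cleartext listener does no TLS, so client-auth cannot protect it.
    # Assumption: an unset host binds the cleartext listener to localhost.
    host = jetty.get("host", "localhost").strip()
    if "port" in jetty and host not in LOOPBACK:
        findings.append(("warn", f"cleartext port {jetty['port']} listens on {host}"))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("strict", STRICT)):
        print(name, audit_jetty(text) or "ok")
```

An empty result means the TLS listener is configured and client certificates are required. To audit a real host, pass the contents of PuppetDB's jetty.ini to audit_jetty.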

Requirements

  • Ensure network connectivity between the Puppet Server and PuppetDB.
  • Install and configure PuppetDB: Puppet Docs
  • Connect PuppetDB and Puppet Server: Puppet Docs

Integration Configuration

To configure the integration, ensure you have the following:

  • PuppetDB URL: The IP or hostname where PuppetDB is configured.
  • PuppetDB Port: The port configured to respond to API calls over SSL.
  • CA Certificate: The Certificate Authority (CA) certificate.
  • Client Certificate: The client certificate. See instructions below for generating the certificate in Puppet.
  • Client Certificate Key: The private key file for the certificate being used to authenticate.

Configuration in Puppet

Authentication

Puppet supports TLS authentication for secure communication between systems.

For this integration, you will need to set up client certificates signed by Puppet's Certificate Authority (CA) to enable TLS authentication.

Generate Certificates

  1. Connect to the Puppet Server using SSH.

  2. Run the following command to create a certificate-key pair:

    puppetserver ca generate --certname <Certificate-Name> # For example: j1-integration-cert

  3. Verify that the certificate was generated and signed by the CA:

    puppetserver ca list --all

  4. Collect the following files to configure the integration in JupiterOne:

    • CA Certificate: /etc/puppetlabs/puppet/ssl/certs/ca.pem
    • Client Certificate: /etc/puppetlabs/puppet/ssl/certs/<Certificate-Name>.pem
    • Client Certificate Key: /etc/puppetlabs/puppet/ssl/private_keys/<Certificate-Name>.pem
  5. Securely upload the certificate and key files to the JupiterOne platform to configure the Puppet integration.


Configuration in JupiterOne

  1. From the top navigation bar of the J1 Search homepage, go to Integrations.

  2. Search for Puppet and select it.

  3. Click the Add Instance button and configure the following settings:

    • PuppetDB URL: Provide the PuppetDB server IP or hostname (e.g., https://127.0.0.1).
    • PuppetDB Port: PuppetDB uses port 8081 by default. If you use a different port, provide that.
    • Client Certificate: The client certificate generated in Puppet.
    • Client Certificate Key: The private key for the client certificate.
    • CA Certificate: The Certificate Authority (CA) certificate.
    • Account Name: Provide a name to identify this Puppet instance in JupiterOne. When the Tag with Account Name option is checked, ingested entities will store this value in tag.AccountName.
    • Description: Add a description to assist your team in identifying this integration instance.
    • Polling Interval (optional): Select a polling interval that fits your monitoring needs. If unsure, leave this as DISABLED and manually execute the integration.
  4. Click Create Configuration to save your settings.


Troubleshooting

BAD Certificate Error

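This error occurs when the provided CA certificate has issues. To resolve it, run the following commands on the Puppet Server. They delete everything under /etc/puppetlabs/puppet/ssl, including the client certificate and key generated for this integration, so generate that certificate again afterwards and upload the new files to JupiterOne: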

# Create a backup of existing certificate files
cp -r /etc/puppetlabs/puppet/ssl /etc/puppetlabs/puppet/ssl_back

# Delete the existing certificates
rm -rf /etc/puppetlabs/puppet/ssl

# Regenerate CA certificate
puppetserver ca setup

# Restart Puppet Server
systemctl restart puppetserver

No Alternative Certificate Subject Name Matches Target Hostname

This error occurs when the certificate name does not match the hostname you are querying.

Solution:

  1. Open the Puppet configuration file:

    nano /etc/puppetlabs/puppet/puppet.conf

  2. Under the [main] section, define the certname parameter to match the hostname used for the PuppetDB URL:

    [main]
    certname = <hostname>

  3. Restart the Puppet Server:

    systemctl restart puppetserver

Next Steps

Now that your integration instance has been configured, it will begin running based on the polling interval you provided, populating data within JupiterOne.

Continue to our Instance Management Guide to learn more about working with and editing integration instances.