On Windows when upgrading with a new logon user and password, the windows service does not get updated.

[tuxmea]

During an upgrade of Puppet Agent on Windows, the Puppet service resource does not manage the logon user and password.
This is only set during initial installation and not managed later on.

At some customers the security requests to change passwords regularly. This also affects service accounts.

[joshcooper]

@tuxmea I thought gMSA was designed to solve this issue, so credentials can be rotated centrally without having to reconfigure each node? Puppet supports running as a gMSA service. There used to be blog post about it. Our MSI properties also discuss this https://www.puppet.com/docs/puppet/8/install_agents.html#msi_properties

Of course, if the service is running as domain service or local account, then having the ability to manage the credentials in the module makes sense.

[anthonysomerset]

so theres a workaround for this - i have a related issue

it may be down to this from here: https://puppet.com/docs/puppet/latest/install_agents.html#msi_properties

Important: If you set a non-default value for PUPPET_SERVER, PUPPET_CA_SERVER, PUPPET_AGENT_CERTNAME, or PUPPET_AGENT_ENVIRONMENT, the installer replaces the existing value in puppet.conf and re-uses the value at upgrade unless you specify a new value. Therefore, if you've customized these properties, don't change the setting directly in puppet.conf; instead, re-run the installer and set a new value at installation.

I had this issue because my CA server hostname is not default/same as the master so during some upgrades it gets reverted to original

you can workaround it with an override of puppet_agent::install_options, e.g. for me:

puppet_agent::install_options:
  - REINSTALLMODE="amus"
  - PUPPET_SERVER="puppet-enc.domain"
  - PUPPET_CA_SERVER="puppet-ca.domain"

you could add additonal lines for PUPPET_AGENT_ACCOUNT_USER and the related params from the MSA properties and any upgrade will change to the configured values on next upgrade

[joshcooper]

@tuxmea it is possible to specify the credentials as install_options, which are passed directly through to msiexec, like this:

class { 'puppet_agent':
  package_version => '8.10.0',
  source => 'C:/packages/puppet-agent-8.10.0-x64.msi',
  install_options => [
    'REINSTALLMODE="amus"', 
    'PUPPET_AGENT_ACCOUNT_USER="PuppetSvc"',
    'PUPPET_AGENT_ACCOUNT_PASSWORD="SuperSecret"',
  ]
}

During the upgrade, the MSI will update the user/password:

MSI (s) (DC:60) [03:49:21:385]: PROPERTY CHANGE: Modifying PUPPET_AGENT_ACCOUNT_USER property. Its current value is 'LocalSystem'. Its new value: 'PuppetSvc'.
MSI (s) (DC:60) [03:49:21:385]: PROPERTY CHANGE: Adding PUPPET_AGENT_ACCOUNT_PASSWORD property. Its value is '**********'.

However, if the package's current and desired versions are insync, then the credentials aren't updated.

Also there isn't a way to use sensitive.

I could see adding domain/user/password parameters to the puppet_agent class to ensure those values are insync. Checking the password is a little tricky, because the only way to know if the password is insync is to attempt to login with those credentials, like we do in the user provider https://github.com/puppetlabs/puppet/blob/e227c27540975c25aa22d533a52424a9d2fc886a/lib/puppet/util/windows/adsi.rb#L326-L328