Automate package delivery with Puppet and Cloudsmith

Puppet gives your teams declarative, code-driven control over infrastructure configuration. Pair it with Cloudsmith to serve private Debian and RPM packages directly to your Puppet-managed nodes, with secure authentication, GPG-signed repositories, and full audit trails baked in.

How we support Puppet

Cloudsmith gives your Puppet manifests a secure, reliable source of truth for every package your infrastructure depends on. From Debian to RPM, private or public, Cloudsmith fits natively into your existing Puppet workflow.
    Native Debian repository support
    Cloudsmith repositories work as native apt sources. Use the Puppet apt module to configure GPG keys and sources directly in your manifests, with no custom scripts required.
    Flexible authentication
    Authenticate Puppet agents against Cloudsmith using API keys or OIDC. Create dedicated service accounts for bot and automation use cases, keeping credentials isolated and independently revocable.
    GPG-signed packages
    Every Cloudsmith repository ships with a GPG key you can wire directly into your Puppet manifest, ensuring agents only install packages with verified provenance.
    Fast, reliable package delivery
    Cloudsmith's CDN-backed infrastructure with 600+ edge points of presence ensures your Puppet agents can pull packages quickly, regardless of where your nodes are deployed.
    Full audit trails and observability
    Client and audit logs give you a complete record of every package request made by your Puppet agents, so you can trace exactly what was installed, when, and from which node.

Why teams integrate Cloudsmith with Puppet

Without a managed artifact registry, Puppet deployments rely on fragile, public package sources that can change without warning. Cloudsmith gives every node a stable, secure, and auditable supply of packages.
Without Cloudsmith: Puppet manifests point directly at public repositories. An upstream change, outage, or package removal breaks your catalog runs mid-deployment, with no way to pin or roll back.
With Cloudsmith: Cloudsmith serves as a private, immutable mirror of every package your manifests depend on. Upstream changes never reach your nodes until you decide they should.
Without Cloudsmith: There is no consistent authentication layer across Puppet agents. Teams share credentials in plain text inside manifests or rely on open, unauthenticated repositories.
With Cloudsmith: Cloudsmith entitlement tokens give each node or team scoped, revocable access to exactly the repositories they need, with no credentials baked into your manifest code.
Without Cloudsmith: Package downloads have no audit trail. When a compliance audit arrives, there is no record of which node installed what, or when - leaving gaps in your software supply chain.
With Cloudsmith: Cloudsmith logs every package request with node-level detail. You get a full, queryable audit trail that satisfies compliance requirements without any additional tooling.

Frequently asked questions

  1. Cloudsmith supports Debian (apt) and Red Hat (yum/dnf) repositories natively, which are the most common formats used with Puppet. Both public and private repositories are supported, and Puppet's official apt and yum modules can configure them directly from your manifests.

  2. Cloudsmith supports API keys and OIDC-based authentication. For automated Puppet agents and bots, create dedicated service accounts with scoped API keys so credentials are isolated and independently revocable. OIDC removes the need to store long-lived secrets entirely.

  3. Cloudsmith generates a GPG signing key for each repository. In your Puppet manifest, use the apt::key resource with the 20-byte fingerprint and the key URL provided in the Cloudsmith repository settings. This ensures all packages installed on your nodes are cryptographically verified before installation.

  4. Yes. Cloudsmith's cloud-native infrastructure is built to scale without you managing any underlying hardware. Its CDN-backed delivery with 600+ edge points of presence ensures consistent, low-latency downloads for Puppet agents regardless of where your nodes are geographically located.

  5. Yes. Cloudsmith's client logs capture every package request, including the requesting node, timestamp, package version, and authentication method used. These logs are queryable and exportable, giving your team full traceability across your Puppet-managed infrastructure.
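
The GPG key setup described in answer 3, as an added example manifest (not Cloudsmith's or Puppet's own code). The class name, resource titles, and every parameter value are hypothetical placeholders; it assumes the puppetlabs-apt and puppetlabs-stdlib modules are installed and that the real fingerprint and URLs are copied from the Cloudsmith repository settings.

```puppet
# Added example: hypothetical profile class. All names are placeholders.
class profile::cloudsmith_repo (
  # A 20-byte fingerprint is exactly 40 hex characters. Enforcing the length
  # makes catalog compilation fail if someone supplies a short key ID,
  # which is not strong enough to identify a key.
  Pattern[/\A[0-9A-Fa-f]{40}\z/] $key_fingerprint,
  # HTTPS only, so neither the key nor the packages travel in clear text.
  Stdlib::HTTPSUrl               $key_url,
  Stdlib::HTTPSUrl               $repo_url,
  String[1]                      $package_name,
) {
  include apt

  # Fetch the repository signing key from $key_url and accept it only if it
  # matches the pinned fingerprint.
  apt::key { 'cloudsmith-repo-key':
    ensure => present,
    id     => $key_fingerprint,
    source => $key_url,
  }

  # Register the repository as an apt source once the key is trusted.
  apt::source { 'cloudsmith-private':
    location => $repo_url,
    release  => $facts['os']['distro']['codename'],
    repos    => 'main',
    require  => Apt::Key['cloudsmith-repo-key'],
  }

  # Install only after the source exists and the package index is refreshed,
  # so apt verifies the repository signature before the package is fetched.
  package { $package_name:
    ensure  => installed,
    require => [
      Apt::Source['cloudsmith-private'],
      Class['apt::update'],
    ],
  }
}
```

Supply the four parameters through Hiera rather than hard-coding them, so the pinned fingerprint is reviewed and changed in one place.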
