puppet camp boston 2014: securely managing secrets with freeipa and puppet (intermediate)
James Shubin, Red Hat
1 JAMES SHUBIN
Securely managing secrets with FreeIPA and Puppet
James Shubin, @purpleidea
Config Mgmt. Architect
Systems Engineering Group, Red Hat
Puppet Camp, Boston 2014
Who am I?
● Puppet Hacker
● Config Mgmt. Architect @ Red Hat
● Technical Blogger: The Technical Blog of James, https://ttboj.wordpress.com/
● Physiologist (Cardiology Specialization)
● All around hoopy frood...
the status quo of secret management in puppet is pretty poor...
Example 1
class { '::foo':
    password => 'super-secret-thing',
    bad_idea => true,
}
Example 2
class { '::foo':
    hashed   => '$1$mF86/UHC$WvcIcX2t6crBz2onW...',
    bad_idea => true,
}
Example 3
# secret.yaml
---
foo::params::password: 'ohai'
foo::params::bad_idea: true
there are some solutions which are better than others, but they are still not perfect...
hiera-gpg
● Cute, but private key management can be a problem...
● Probably a good idea for existing infrastructures, where you have one repo that is widely shared...
● Other issues: http://slashdevslashrandom.wordpress.com/2013/06/03/my-griefs-with-hiera-gpg/
● Code: https://github.com/crayfishx/hiera-gpg
hiera-eyaml
● Better than hiera-gpg!
● Still has a private key management problem...
● Comes with nice secret editing tools...
● We still have to trust puppet more than necessary...
● Code: https://github.com/TomPoulton/hiera-eyaml
blackbox
● Same problems as all the other asymmetric solutions
● Nice documentation!
● Honest and upfront about the risks...
● Comes with 20% more Limoncelli :)
● Code: https://github.com/StackExchange/blackbox
do I love any of these solutions?
NOPE
My solution...
Local secret generation
● Good DevOps hackers use/know/love GPG (PGP)
● Tell puppet about your public key
● Locally generate and encrypt secrets with public key
● Optionally mail it out to your admin email address
● Use FreeIPA to build out your security infrastructure
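The flow on this slide, as an added shell example (not code from the talk or from puppet-ipa): the admin's key pair is generated and kept in one keyring, only the exported public key is handed to the puppet side, and the puppet side generates a random secret and encrypts it to that public key before the plaintext is discarded. It assumes GnuPG 2.1 or newer on PATH; the keyring directories and the admin@example.invalid identity are constructed for the demo, and the empty passphrase is demo-only.

```shell
#!/bin/sh
# Added example of "local secret generation": the puppet host holds the admin's
# public key only, so anything an attacker finds there is ciphertext the admin
# alone can open. Assumes gpg 2.1+; identities and paths below are constructed.
set -eu

# Random, shell-safe secret: N bytes of urandom, base64, URL-safe alphabet, no padding.
gen_secret() {
    head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Encrypt stdin for one recipient from a keyring holding public keys only.
# --trust-model always: the key was imported on purpose, no web-of-trust lookup.
encrypt_for() {
    gpg --homedir "$1" --batch --quiet --trust-model always \
        --armor --encrypt --recipient "$2"
}

# Decrypt stdin with the admin's private key; this step never runs on the puppet host.
decrypt_with() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' --decrypt
}

# Full round trip. Returns 0 when the admin recovers exactly the generated secret
# and the puppet-side keyring was confirmed to hold no private key.
roundtrip_ok() {
    work="$(mktemp -d)"
    admin="$work/admin"; puppet="$work/puppet"
    mkdir -m 700 "$admin" "$puppet"

    # 1. Admin generates a key pair locally (demo identity, empty passphrase).
    gpg --homedir "$admin" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Admin <admin@example.invalid>' default default never

    # 2. "Tell puppet about your public key": export/import only the public half.
    gpg --homedir "$admin" --batch --quiet --armor --export admin@example.invalid \
        | gpg --homedir "$puppet" --batch --quiet --import

    # Sanity check: the puppet-side keyring must contain no secret key at all.
    if gpg --homedir "$puppet" --batch --list-secret-keys --with-colons 2>/dev/null \
        | grep -q '^sec:'; then
        echo "puppet keyring unexpectedly holds a private key" >&2
        rm -rf "$work"; return 1
    fi

    # 3. Puppet side generates the secret and encrypts it; plaintext is not stored.
    secret="$(gen_secret 32)"
    ciphertext="$(printf '%s' "$secret" | encrypt_for "$puppet" admin@example.invalid)"

    # 4. The armored blob is what gets mailed out; the admin decrypts it locally.
    recovered="$(printf '%s\n' "$ciphertext" | decrypt_with "$admin")"
    rm -rf "$work"

    [ "$recovered" = "$secret" ]
}

roundtrip_ok && echo "round trip ok: only the admin could read the secret"
```

Only `encrypt_for` and `gen_secret` belong on the puppet side; `decrypt_with` is the admin workstation's job, which is exactly the property the hiera-gpg and hiera-eyaml approaches lack, since they need the private key wherever decryption happens.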
live demo...
Red Hat funds good hackers so that we can...
● Work on open source / free software things...
● Speak at events like this...
● Hack on good products and solutions...
● For access to products, solutions, and support, visit:
https://redhat.com/
Learn more
● The Technical Blog of James: https://ttboj.wordpress.com/
● Puppet-IPA: https://github.com/purpleidea/puppet-ipa
● Technical article about this technique: https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/
● Contact me if you have any other questions: purpleidea @ { irc, twitter, redhat.com }
Q &amp; A?
Thank you &amp; Happy Hacking!