Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (Intermediate)

James Shubin, Red Hat

Published in: Software
  1. Securely managing secrets with FreeIPA and Puppet
     James Shubin, @purpleidea
     Config Mgmt. Architect, Systems Engineering Group, Red Hat
     Puppet Camp, Boston 2014
  2. Who am I?
     ● Puppet hacker
     ● Config Mgmt. Architect @ Red Hat
     ● Technical blogger: The Technical Blog of James, https://ttboj.wordpress.com/
     ● Physiologist (cardiology specialization)
     ● All around hoopy frood...
  3. The status quo of secret management in Puppet is pretty poor...
  4. Example 1
         class { '::foo':
           password => 'super-secret-thing',
           bad_idea => true,
         }
  6. Example 2
         class { '::foo':
           hashed   => '$1$mF86/UHC$WvcIcX2t6crBz2onW...',
           bad_idea => true,
         }
  8. Example 3
         # secret.yaml
         ---
         foo::params::password: 'ohai'
         foo::params::bad_idea: true
  10. There are some solutions which are better than others, but they are still not perfect...
  11. hiera-gpg
     ● Cute, but private key management can be a problem...
     ● Probably a good idea for existing infrastructures, where you have one repo that is widely shared...
     ● Other issues: http://slashdevslashrandom.wordpress.com/2013/06/03/my-griefs-with-hiera-gpg/
     ● Code: https://github.com/crayfishx/hiera-gpg
  12. hiera-eyaml
     ● Better than hiera-gpg!
     ● Still has a private key management problem...
     ● Comes with nice secret editing tools...
     ● We still have to trust Puppet more than necessary...
     ● Code: https://github.com/TomPoulton/hiera-eyaml
  13. blackbox
     ● Same problems as all the other asymmetric solutions
     ● Nice documentation!
     ● Honest and upfront about the risks...
     ● Comes with 20% more Limoncelli :)
     ● Code: https://github.com/StackExchange/blackbox
  14. Do I love any of these solutions?
  15. NOPE
  16. My solution...
  17. Local secret generation
     ● Good DevOps hackers use/know/love GPG (PGP)
     ● Tell Puppet about your public key
     ● Locally generate and encrypt secrets with the public key
     ● Optionally mail it out to your admin email address
     ● Use FreeIPA to build out your security infrastructure
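The approach on this slide, written out as a Puppet manifest. This is an added example, not code from the talk or from puppet-ipa; the paths, the key id, the mail address and the `openssl rand` secret generator are assumptions, and only the admin's public key is ever placed on the managed host.

```puppet
# Added example (not from the talk or from puppet-ipa): every path, the key id
# and the mail address are assumptions; adapt them to your site.
class local_secret (
  String           $admin_pubkey = '/etc/puppetlabs/secrets/admin.pub.asc', # assumption
  String           $admin_key_id = '<ADMIN-GPG-KEY-ID>',                     # placeholder
  String           $secret_dir   = '/var/lib/local_secret',                 # assumption
  Optional[String] $mail_to      = undef,                                   # e.g. admin@example.com
) {
  # A dedicated keyring that holds only the admin's public key.
  $gpg = "gpg --batch --yes --no-default-keyring --keyring ${secret_dir}/pub.gpg"

  file { $secret_dir:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  # Only the admin's *public* key reaches the managed host: the agent can
  # encrypt to the admin, but nothing on the host (or in Puppet) can decrypt.
  exec { 'import-admin-pubkey':
    command => "${gpg} --import ${admin_pubkey}",
    path    => ['/usr/bin', '/bin'],
    creates => "${secret_dir}/pub.gpg",
    require => File[$secret_dir],
  }

  # Generate the secret on the host and encrypt it in the same step. The
  # plaintext exists only in a mode-0600 file for the local service; the
  # armored ciphertext is the only copy allowed to leave the machine, and
  # `creates` keeps Puppet from regenerating it on every run.
  exec { 'generate-and-encrypt-secret':
    command => "sh -c 'umask 077 && openssl rand -base64 32 > ${secret_dir}/svc.pw && ${gpg} --trust-model always --recipient ${admin_key_id} --armor --encrypt --output ${secret_dir}/svc.pw.asc ${secret_dir}/svc.pw'",
    path    => ['/usr/bin', '/bin'],
    creates => "${secret_dir}/svc.pw.asc",
    require => Exec['import-admin-pubkey'],
  }

  # Optional: mail the ciphertext to the admin, and only when a new secret
  # was just generated (refreshonly + subscribe).
  if $mail_to {
    exec { 'mail-encrypted-secret':
      command     => "sh -c 'mail -s \"encrypted secret for ${facts['networking']['fqdn']}\" ${mail_to} < ${secret_dir}/svc.pw.asc'",
      path        => ['/usr/bin', '/bin'],
      refreshonly => true,
      subscribe   => Exec['generate-and-encrypt-secret'],
    }
  }
}
```

The plaintext never appears in a manifest, in Hiera or in the catalog, so there is no private key for Puppet to manage and nothing to recover from a compromised repository.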
  18. Live demo...
  19. Red Hat funds good hackers so that we can...
     ● Work on open source / free software things...
     ● Speak at events like this...
     ● Hack on good products and solutions...
     ● For access to products, solutions, and support, visit: https://redhat.com/
  20. Learn more
     ● The Technical Blog of James: https://ttboj.wordpress.com/
     ● Puppet-IPA: https://github.com/purpleidea/puppet-ipa
     ● Technical article about this technique: https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/
     ● Contact me if you have any other questions: purpleidea @ { irc, twitter, redhat.com }
  21. Q & A?
  22. Thank you & Happy Hacking!