The document discusses securely managing secrets with FreeIPA and Puppet. It describes existing solutions like hiera-gpg and hiera-eyaml as not being perfect due to private key management problems and having to trust Puppet too much. The proposed solution generates secrets locally using GPG encryption with a public key and stores them in FreeIPA for access management. The presentation concludes with information on learning more about this technique.
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (Intermediate)
1. Securely managing secrets
with FreeIPA and Puppet
James Shubin, @purpleidea
Config Mgmt. Architect
Systems Engineering Group, Red Hat
Puppet Camp, Boston 2014
1 JAMES SHUBIN
2. Who am I ?
● Puppet Hacker
● Config Mgmt. Architect @ Red Hat
● Technical Blogger: The Technical Blog of James
https://ttboj.wordpress.com/
● Physiologist (Cardiology Specialization)
● All around hoopy frood...
3. the status-quo of secret management in puppet is pretty poor...
4. Example 1
class { '::foo':
    password => 'super-secret-thing',
    bad_idea => true,
}
10. there are some solutions which are better than others, but they are still not perfect...
11. hiera-gpg
● Cute, but private key management can be a problem...
● Probably a good idea for existing infrastructures, where you have one repo that is widely shared...
● Other issues: http://slashdevslashrandom.wordpress.com/2013/06/03/my-griefs-with-hiera-gpg/
● Code: https://github.com/crayfishx/hiera-gpg
12. hiera-eyaml
● Better than hiera-gpg !
● Still has a private key management problem...
● Comes with nice secret editing tools...
● We still have to trust puppet more than necessary...
● Code: https://github.com/TomPoulton/hiera-eyaml
13. blackbox
● Same problems as all the other asymmetric solutions
● Nice documentation !
● Honest and upfront about the risks...
● Comes with 20% more Limoncelli :)
● Code: https://github.com/StackExchange/blackbox
14. do I love any of these solutions ?
17. Local secret generation
● Good DevOps hackers use/know/love GPG (PGP)
● Tell puppet about your public key
● Locally generate and encrypt secrets with public key
● Optionally mail it out to your admin email address
● Use FreeIPA to build out your security infrastructure
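The flow on this slide (generate the secret on the host, encrypt it to the admin's GPG public key, optionally mail it out) in working form, as an added example that is not part of the slides and not code from puppet-ipa. It replaces the plaintext password from Example 1 with a value that only ever leaves the host under the recipient's public key. The recipient identity, the 32-character length and the use of gpg's --trust-model always are assumptions; the key must already be in the keyring of the user running the script.

```shell
#!/bin/sh
# Added example, not from the talk or from puppet-ipa: generate a secret locally
# and hand it out only in GPG-encrypted form.

# Generate a random 32-character secret from /dev/urandom. The base64 output is
# reduced to the alphanumeric alphabet so the value never needs quoting in a
# config file; 48 input bytes give enough characters to survive that filtering.
generate_secret() {
    head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 32
}

# Sanity check: non-empty and only alphanumeric characters.
check_secret_shape() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Encrypt a secret to the admin's public key (assumed to be imported already).
# ASCII armor lets the result be mailed to the admin address or attached to a
# ticket; the plaintext is only ever piped through gpg and never written to disk.
encrypt_secret() {
    recipient="$1"
    secret="$2"
    printf '%s' "$secret" | gpg --batch --yes --armor --encrypt \
        --trust-model always --recipient "$recipient"
}

# Usage: GPG_RECIPIENT=admin@example.com sh generate-secret.sh > secret.asc
# The run is guarded by the environment variable so the functions can also be
# sourced without side effects. Piping the output into mail(1) is the optional
# "mail it out" step from the slide.
if [ -n "${GPG_RECIPIENT:-}" ]; then
    secret=$(generate_secret)
    check_secret_shape "$secret" || { echo 'secret generation failed' >&2; exit 1; }
    encrypt_secret "$GPG_RECIPIENT" "$secret"
fi
```

Nothing in the script needs the private key: the host that generates the secret can encrypt it but cannot read it back, which is the property the following slides rely on.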
19. Red Hat funds good hackers so that we can...
● Work on open source / free software things...
● Speak at events like this...
● Hack on good products and solutions...
● For access to products, solutions, and support, visit: https://redhat.com/
20. Learn more
● The Technical Blog of James:
https://ttboj.wordpress.com/
● Puppet-IPA:
https://github.com/purpleidea/puppet-ipa
● Technical article about this technique:
https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/
● Contact me if you have any other questions:
purpleidea @ { irc, twitter, redhat.com }