On Fri, Jun 06, 2014 at 08:51:39AM -0400, Simo Sorce wrote:
> Clearly puppet has root level access to the system so you do not (should
> not ?) care much about preventing access to these systems, the aim is to
> not inadvertently divulge secrets through manifests and nothing else.
And puppet logs. And forgetting the secrets around.
With puppet you do not have interactive (password) prompt available so
everything including secrets needs to be pre-created and pre-populated
before the puppet apply starts. Or, where possible, generated and
immediatelly encrypted -- I find that approach very clever. But
unfortunately it can only be used for the initial FreeIPA server
installation, it seems -- in all the subsequent operations, we need to
pass the existing matching credential.
I wonder if we could be able to pass the passwords to puppet via file
descriptors from some invoking wrapper ...
Principal Software Engineer, Identity Management Engineering, Red Hat
Freeipa-devel mailing list