Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation
Eric Thompson assigned an issue to Patrick Carlisle
Puppet / PUP-8723 Agent Functions - Create Vault deferred evaluation
Change By: Eric Thompson
Assignee: Patrick Carlisle (was: Tony Vu)

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation
Eric Thompson assigned an issue to Tony Vu
Puppet / PUP-8723 Agent Functions - Create Vault deferred evaluation
Change By: Eric Thompson
Assignee: Tony Vu (was: Patrick Carlisle)
Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation
Henrik Lindberg commented on PUP-8723
Re: Agent Functions - Create Vault deferred evaluation

Summarizing recent discussions: since we cannot do everything at once and we will probably not know what different customers want until we start showing them one way to integrate with Vault:
- Make an integration with Vault, configuring Vault to trust the Puppet CA and use existing node certs.
- Use the Vault Ruby client library and package it in Puppet Agent.
This greatly simplifies our initial implementation and we can start showing this feature.
Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation
Tony Vu assigned an issue to Tony Vu
Puppet / PUP-8723 Agent Functions - Create Vault deferred evaluation
Change By: Tony Vu
Assignee: Tony Vu
Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation
Tony Vu assigned an issue to Patrick Carlisle
Puppet / PUP-8723 Agent Functions - Create Vault deferred evaluation
Change By: Tony Vu
Assignee: Patrick Carlisle (was: Tony Vu)
Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation
Jayant Sane commented on PUP-8723
Re: Agent Functions - Create Vault deferred evaluation

Indeed, and I have already tested Vault configured to use the Puppet CA and its issued certificates. And yes, setting up appropriate authorizations in Vault would need to be done separately (I am guessing outside of Puppet, or maybe whoever could write a module etc. to automate it via Puppet).

Coming to the question of provisioning the individual nodes (agents) with the necessary credentials (if/when using anything other than Puppet certificates) to be able to authenticate to Vault, I am wondering if it should be left as an exercise to the user. I was just concerned since there are, and could be, a multitude of ways/options, and whatever we try to provide is not likely to satisfy a good portion of users/customers. Creating an intermediary potentially having access to all secrets seems to go against the paradigm/model that users/customers are going for with secret management solutions like Vault (else why not just use hiera/e-yaml). But that was just my personal opinion.

All said, I don't have any strong feelings against us providing/implementing either a mechanism to provision some other form of Vault credentials on agents or hosting a REST endpoint on puppetserver to get tokens etc.
Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation
Henrik Lindberg commented on PUP-8723
Re: Agent Functions - Create Vault deferred evaluation

Not being an expert with certs and CAs, but after reading the Vault documentation it seems doable to have an integration with Puppet's CA for users that want that. That is just for establishing the identity of the requestor; then there is authorization to configure. If someone thinks they do not want the Puppet CA as authentication for things they have in their path, then they could still integrate the Puppet CA for another path in which they store specific Puppet secrets. Maybe there are other better ways...
Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation
Jayant Sane commented on PUP-8723
Re: Agent Functions - Create Vault deferred evaluation

Fair - we cannot dictate any particular authentication methods customers should use with Vault.

On the second bullet point, I recall some discussion earlier (I think in the RichData and Late Binding document) where I wanted to know if we might take this approach where PuppetServer (or any Puppet entity) would act as an intermediary brokering requests to Vault, which is what this seems like. As a side effect it would have access to all secrets, and at that time we seemed to prefer the other alternative, where only the intended recipients (nodes) would have access to their secrets (where they would authenticate to Vault or whichever secret store directly) and no one else. I realize that the agents/nodes need to be provisioned with the necessary credentials to be able to authenticate to Vault and, depending on the form of authentication used, this intermediary model seems unavoidable (where PuppetServer would inherently end up having access to all secrets) except in cases like certificate auth. And if we chose to support one, as you suggest, then certificate looked like a natural choice.
Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation
Henrik Lindberg commented on PUP-8723
Re: Agent Functions - Create Vault deferred evaluation

First, I don't think we can dictate what users should be using wrt Vault authentication; they may already have Vault and may use simple user/password, tokens, or certs. We may choose to only support one of them.

Secondly, we need to get the secret (login, token, or login) to the agent in a safe way. We can do that with one of:
- a task
- a REST endpoint in puppet server that obtains the token. That means that each apply would hit puppet server to get the token; puppet server in turn would get it from Vault. Puppet server could be logged in for a longer period of time, making the calls to Vault slightly more efficient (as you pointed out).

For masterless operation we probably want to have a third option where the secret is fed to puppet apply via an env variable. It can then be set by some command the user wants to use.

A task is easy to do, but users may not want to give nodes the power to log in and ask for a token.
Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation
Henrik Lindberg commented on PUP-8723
Re: Agent Functions - Create Vault deferred evaluation

Jayant Sane: We really do not need to keep the discussion about this secret from the community. We only need to do that if we are discussing something that is a CVE, a non open source feature, or if specific to a customer. So, I am going to summarize and comment in an open comment below this.
Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation
Henrik Lindberg commented on PUP-8723
Re: Agent Functions - Create Vault deferred evaluation

The idea here is to implement a function lookup_vault that calls Vault to get the value of a key. It should use a caching mechanism that caches the connection to Vault on the first call to the function, to avoid costly re-establishment of this connection for each lookup. The function should probably wrap the returned value in an instance of Sensitive at all times (or users will have to do this when they write the logic for the deferred call).

When implementing this, we need to decide on whether we want to use a client library for talking to Vault or whether we are using their REST endpoint. The advantage of using their REST endpoint is that we could possibly use our connection pool. We may want to add a mechanism to empty the function caches after all deferred functions have been evaluated, to avoid squatting on a connection until the pool decides it should be closed (unless there is some other mechanism in the pool for TTL or similar).
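The design sketched in this comment and in the summary above (the node authenticating with its Puppet-issued cert, one cached Vault connection shared by all lookups, every value wrapped in Sensitive, and a cache flush after deferred evaluation), as an added Ruby example that is not Puppet's code: the Sensitive class, FakeVaultClient and VaultLookup are stand-ins written for this illustration, and no real Vault server is contacted.

```ruby
require 'securerandom'

# Stand-in for Puppet's Sensitive type (an assumption, not Puppet's own class):
# to_s/inspect are redacted so a looked-up value cannot leak into logs or reports.
class Sensitive
  def initialize(value); @value = value; end
  def unwrap; @value; end
  def to_s; 'Sensitive [value redacted]'; end
  alias inspect to_s
end

# Constructed in-memory stand-in for the Vault Ruby client. It models cert auth
# (the node presenting its Puppet-issued cert) followed by KV reads, and counts
# logins so the connection caching can be observed without a real Vault server.
class FakeVaultClient
  attr_reader :logins
  def initialize(secrets)
    @secrets = secrets   # e.g. { 'secret/db' => { 'password' => '...' } }
    @logins = 0
    @token = nil
  end
  def login_with_cert(_cert_pem, _key_pem)
    @logins += 1
    @token = "s.#{SecureRandom.hex(8)}"  # constructed token value
    self
  end
  def read(path)
    raise 'not logged in to Vault' unless @token
    @secrets.fetch(path) { raise KeyError, "no secret at #{path}" }
  end
end

# lookup_vault-style helper (hypothetical name): the factory block runs on the
# first lookup only and the logged-in client is cached; clear_cache! drops it
# once all deferred functions have been evaluated so the connection is released.
module VaultLookup
  class << self
    def configure(&factory)
      @factory = factory
      @client = nil
    end
    def lookup(path, key)
      @client ||= @factory.call
      Sensitive.new(@client.read(path).fetch(key))
    end
    def clear_cache!; @client = nil; end
  end
end
```

Call `VaultLookup.configure { FakeVaultClient.new(...).login_with_cert(cert_pem, key_pem) }` once, then `VaultLookup.lookup('secret/db', 'password')` from each deferred evaluation; only the first lookup logs in, and `VaultLookup.clear_cache!` forces a fresh login on the next one.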
Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation
Craig Gomes updated an issue
Puppet / PUP-8723 Agent Functions - Create Vault deferred evaluation
Change By: Craig Gomes
Summary: Agent Functions - Create Vault deferred evaluation (was: Agent Lookup Functions - Create Vault deferred evaluation)