Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation

2018-07-11 Thread Henrik Lindberg (JIRA)
Henrik Lindberg commented on PUP-8723

Summarizing recent discussions: since we cannot do everything at once and we will probably not know what different customers want until we start showing them one way to integrate with Vault:

- Make an integration with Vault, configuring Vault to trust the Puppet CA and use existing node certs
- Use the Vault Ruby client library and package it in Puppet Agent

This greatly simplifies our initial implementation and we can start showing this feature.

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

-- 
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.


Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation

2018-07-10 Thread Tony Vu (JIRA)
Tony Vu assigned an issue to Tony Vu

Puppet / PUP-8723: Agent Functions - Create Vault deferred evaluation
Change By: Tony Vu
Assignee: Tony Vu



Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation

2018-07-10 Thread Tony Vu (JIRA)
Tony Vu assigned an issue to Patrick Carlisle

Puppet / PUP-8723: Agent Functions - Create Vault deferred evaluation
Change By: Tony Vu
Assignee: Tony Vu -> Patrick Carlisle



Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation

2018-06-15 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-8723

Indeed, and I have already tested Vault configured to use the Puppet CA and its issued certificates. And yes, setting up appropriate authorizations in Vault would need to be done separately (I am guessing outside of Puppet, or maybe whoever could write a module etc. to automate it via Puppet).

Coming to the question of provisioning the individual nodes (agents) with the necessary credentials (if/when using anything other than Puppet certificates) to be able to authenticate to Vault, I am wondering if it should be left as an exercise to the user. I was just concerned since there are, and could be, a multitude of ways/options, and whatever we try to provide is not likely to satisfy a good portion of users/customers. Creating an intermediary potentially having access to all secrets seems to go against the paradigm/model that users/customers go to secret management solutions like Vault for (else why not just use hiera/eyaml). But that was just my personal opinion.

All said, I don't have any strong feelings against us providing/implementing either a mechanism to provision some other form of Vault credentials on agents or hosting a REST endpoint on puppetserver to get tokens etc.


Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation

2018-06-14 Thread Henrik Lindberg (JIRA)
Henrik Lindberg commented on PUP-8723

Not being an expert with certs and CAs, but after reading the Vault documentation it seems doable to have an integration with Puppet's CA for users that want that. That is just for establishing the identity of the requestor; then there is authorization to configure. If someone thinks they do not want the Puppet CA as authentication for things they have in their path, then they could still integrate the Puppet CA for another path in which they store specific Puppet secrets. Maybe there are other, better ways...



Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation

2018-06-13 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-8723

Fair - we cannot dictate any particular authentication methods customers should use with Vault.

On the second bullet point, I recall some discussion earlier (I think in the RichData and Late Binding document) where I wanted to know if we might take this approach where PuppetServer (or any Puppet entity) would act as an intermediary brokering requests to Vault, which is what this seems like. As a side effect it would have access to all secrets, and at that time we seemed to prefer the other alternative - where only the intended recipients (nodes) would have access to their secrets (where they would authenticate to Vault or whichever secret store directly) and no one else.

I realize that the agents/nodes need to be provisioned with the necessary credentials to be able to authenticate to Vault, and depending on the form of authentication used, this intermediary model seems unavoidable (where PuppetServer would inherently end up having access to all secrets) except in cases like certificate auth. And if we chose to support one, as you suggest, then certificate looked like a natural choice.


Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation

2018-06-12 Thread Henrik Lindberg (JIRA)
Henrik Lindberg commented on PUP-8723

First, I don't think we can dictate what users should be using wrt Vault authentication; they may already have Vault and may use simple user/password, tokens, or certs. We may choose to only support one of them. Secondly, we need to get the secret (login, token, or login) to the agent in a safe way. We can do that with one of:

- a task
- a REST endpoint in puppet server that obtains the token. That means that each apply would hit puppet server to get the token; puppet server in turn would get it from Vault. Puppet server could be logged in for a longer period of time, making the calls to Vault slightly more efficient (as you pointed out).

For masterless operation we probably want to have a third option where the secret is fed to puppet apply via an env variable. It can then be set by some command the user wants to use. A task is easy to do, but users may not want to give nodes the power to log in and ask for a token.


Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation

2018-06-12 Thread Henrik Lindberg (JIRA)
Henrik Lindberg commented on PUP-8723

Jayant Sane, we really do not need to keep the discussion about this secret from the community. We only need to do that if we are discussing something that is a CVE, a non-open-source feature, or something specific to a customer. So, I am going to summarize and comment in an open comment below this.



Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation

2018-05-14 Thread Henrik Lindberg (JIRA)
Henrik Lindberg commented on PUP-8723

The idea here is to implement a function lookup_vault that calls Vault to get the value of a key. It should use a caching mechanism that caches the connection to Vault for the first call to the function, to avoid costly re-establishment of this connection for each lookup. The function should probably wrap the returned value in an instance of Sensitive at all times (or users will have to do this when they write the logic for the deferred call).

When implementing this, we need to decide whether we want to use a client library for talking to Vault or if we are using their REST endpoint. The advantage of using their REST endpoint is that we could possibly use our connection pool. We may want to add a mechanism to empty the function caches after all deferred functions have been evaluated, to avoid squatting on a connection until the pool decides it should be closed (unless there is some other mechanism in the pool for TTL or similar).

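The lookup_vault design in the comment above (one cached Vault connection per run, every value wrapped in Sensitive, caches emptied once the deferred functions have run) together with the cert-auth direction settled on in the 2018-07-11 summary, as an added Ruby sketch that is not Puppet's or the ticket's own code. It assumes the vault gem's Vault::Client API, a node PEM path in an env variable, and a KV v1 mount; `Sensitive` is a stand-in for Puppet's type and `InMemoryClient` is a constructed fake so the sketch runs offline.

```ruby
# Stand-in for Puppet's Sensitive type (assumption: value hidden from to_s/inspect).
class Sensitive
  def initialize(value); @value = value; end
  def unwrap; @value; end
  def to_s; 'Sensitive [value redacted]'; end
  alias inspect to_s
end

module VaultLookup
  # Assumed production connector: vault gem client logging in with the node's Puppet-issued
  # cert (Vault's cert auth method configured to trust the Puppet CA). Runs only on first use.
  CERT_AUTH_CONNECTOR = lambda do
    require 'vault'
    client = Vault::Client.new(address: ENV.fetch('VAULT_ADDR'), ssl_ca_cert: ENV.fetch('VAULT_CACERT'),
                               ssl_pem_file: ENV.fetch('NODE_PEM')) # assumed: node cert + key
    client.auth.tls # cert login; the resulting token stays inside the client object
    client
  end
  @mutex = Mutex.new
  # lookup_vault(path, key): one authenticated client is reused by every deferred call in a run.
  def self.lookup(path, key, connector: CERT_AUTH_CONNECTOR)
    client = @mutex.synchronize { @client ||= connector.call }
    secret = client.logical.read(path) # nil when the path does not exist
    raise ArgumentError, "no secret at #{path}" if secret.nil?
    data = secret.data # KV v1 layout assumed: flat hash with symbol keys
    raise ArgumentError, "no key #{key} at #{path}" unless data.key?(key.to_sym)
    Sensitive.new(data[key.to_sym]) # never hand the raw value to the catalog
  end
  # Called once all deferred functions are evaluated, so the login is not held open.
  def self.reset!; @mutex.synchronize { @client = nil }; end
end
# Constructed in-memory client with the vault gem's logical.read shape, for offline use.
class InMemoryClient
  Secret = Struct.new(:data)
  def initialize(store); @store = store; end
  def logical; self; end
  def read(path); (d = @store[path]) && Secret.new(d); end
end
# Two lookups share one login; reset! forces a fresh login on the next call.
def demo
  logins = 0
  connector = -> { logins += 1; InMemoryClient.new('secret/db' => { password: 'hunter2' }) }
  first = VaultLookup.lookup('secret/db', 'password', connector: connector)
  VaultLookup.lookup('secret/db', 'password', connector: connector)
  before_reset = logins
  VaultLookup.reset!
  VaultLookup.lookup('secret/db', 'password', connector: connector)
  { value: first.unwrap, redacted: first.to_s, logins_before: before_reset, logins_after: logins }
end
```

In a real deferred call the connector would not be injectable; it is a parameter here only so the caching behaviour can be exercised without a Vault server.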


Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation

2018-05-14 Thread Craig Gomes (JIRA)
Craig Gomes updated an issue

Puppet / PUP-8723: Agent Functions - Create Vault deferred evaluation
Change By: Craig Gomes
Summary: Agent Lookup Functions - Create Vault deferred evaluation
