One of the main issues is ensuring that the sensitive contents of the
catalog do not make their way back into PuppetDB, Foreman, etc.

I've been toying with the idea of adding a special, non-translated function
to Puppet core that will provide direction for the agent itself to reach
out to a 'trusted' data source regardless of placement in the catalog.

Essentially, this would be a special string, combined with some sort of
metaparameter that alters the catalog content on the fly.

It should absolutely be doable and the Conjur FOSS codebase is close to
there but doesn't quite hit the mark across the board for what I would like.

If anyone would like to start this, I'd be more than happy to help
contribute when I have time. Otherwise, I'll just hack at it when I get the
chance.

Thanks,

Trevor

On Thu, Mar 10, 2016 at 11:01 AM, Craig Dunn <cr...@craigdunn.org> wrote:

>
>
> On Thu, Mar 10, 2016 at 3:09 PM, Thomas Müller <tho...@chaschperli.ch>
> wrote:
>
>> I'm too interested in how people manage credentials without having it in
>> the catalog.
>>
>
> The problem as I see it is that there isn't a blanket approach.  If you
> need a secret value in a template, that template is already compiled into
> the catalog before the agent receives it, and there are numerous ways to
> get a file on a system.  One idea would be a kind of "eyaml in reverse"
> approach, where files could be deployed with inline encrypted data, and
> then a type and provider to do a pattern substitution on the file on the
> agent using local keys.
>
> But the problem isn't just files - what about, for example, exec commands
> that need to use a secret in the command line?  file_line resources?
> augeas? - there's a whole host of places the data might end up.
>
> I think the bigger issue to address would be why are your catalogs not
> considered a safe place to have this data? Access to the catalog should be
> at the same level of trust as root access to the agent.
>
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/CACxdKhGrdrciDbSnPNAnGSjfspNP7azB%2BvMofR057dODZ9VL2A%40mail.gmail.com
> <https://groups.google.com/d/msgid/puppet-users/CACxdKhGrdrciDbSnPNAnGSjfspNP7azB%2BvMofR057dODZ9VL2A%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699

-- This account not approved for unencrypted proprietary information --
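One way to realise the "eyaml in reverse" idea from Craig's reply, as an added example that is not part of this thread and not code from Puppet or any existing module: the catalog (and therefore PuppetDB or Foreman) only ever carries ENC[...] tokens, and the agent substitutes the plaintext when it writes the file, using a key it holds locally. The token format, the use of AES-256-GCM, and the key source are assumptions made for the example.

```ruby
require 'openssl'
require 'base64'

# Constructed token format: ENC[base64(iv || gcm_tag || ciphertext)].
# Anything matching this survives catalog compilation unchanged, so
# PuppetDB only sees ciphertext.
TOKEN = /ENC\[([A-Za-z0-9+\/=]+)\]/

# Encrypt one secret under the agent's local key. This runs wherever the
# secret is sourced, never on the compiling master.
def encrypt_secret(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv            # 12-byte IV for GCM
  cipher.auth_data = ''
  ct = cipher.update(plaintext) + cipher.final
  "ENC[#{Base64.strict_encode64(iv + cipher.auth_tag + ct)}]"
end

# Decrypt one token body; GCM raises OpenSSL::Cipher::CipherError if the
# token was altered in transit or the agent holds the wrong key.
def decrypt_secret(key, token_body)
  blob = Base64.strict_decode64(token_body)
  iv, tag, ct = blob[0, 12], blob[12, 16], blob[28..]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ''
  cipher.update(ct) + cipher.final
end

# Agent-side pattern substitution: what a type/provider would do to the
# file content after the catalog arrives. Content without tokens is
# returned unchanged.
def substitute_secrets(content, key)
  content.gsub(TOKEN) { decrypt_secret(key, Regexp.last_match(1)) }
end

if __FILE__ == $0
  # Constructed key; on a real agent it would be read from a root-only file.
  key = OpenSSL::Random.random_bytes(32)
  catalog_view = "db_password = #{encrypt_secret(key, 'hunter2')}\n"
  puts "catalog/PuppetDB sees: #{catalog_view}"
  puts "agent writes to disk:  #{substitute_secrets(catalog_view, key)}"
end
```

The same substitution covers only file content; the exec, file_line and augeas cases Craig raises would each need the provider to apply it to their own parameters.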

