Hi all.
Is there a preferred way to pass a (different) secret to every host
being installed?
Something to implement a workflow like:
- admin asks Salt to (re)install a host
- salt handles shutdown and switch reconfiguration (OT)
- salt tells FAIserver to enable install of given host
- FAI gene
Hey,
I'm not sure if this is preferred or not, but the approach I take is to
have a command we run first, that copies any required secrets (and will
generate SSH host keys and puppet certs if required first) into the NFS
root. A cron job runs every 15 minutes and cleans up any of those
secrets whi
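The staging-plus-cleanup pattern from the reply above, written out as an added example (not code from the thread or from FAI). It assumes a per-host directory under a hypothetical `secrets/` tree in the NFS root, creates files with mode 0600 from the start so there is no window with wider permissions, and removes any host directory whose staging time is older than the 15-minute window mentioned in the post. The hostnames and key contents are constructed for the example; the demo runs against a temporary directory.

```python
import os
import pathlib
import stat
import tempfile
import time

STALE_AFTER = 15 * 60  # seconds; the 15-minute cleanup window from the post


def stage_secrets(nfs_root, hostname, secrets, now=None):
    """Write per-host secrets into <nfs_root>/secrets/<hostname>/ (hypothetical layout).

    The directory is 0700 and each file is created 0600 via os.open, so the
    secret never exists on disk with wider permissions. When `now` is given,
    the directory mtime is set to it so cleanup_stale() can age the entry.
    """
    host_dir = pathlib.Path(nfs_root) / "secrets" / hostname
    host_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(host_dir, 0o700)
    for name, value in secrets.items():
        path = host_dir / name
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(value)
        os.chmod(path, 0o600)  # covers the case where the file already existed
    if now is not None:
        os.utime(host_dir, (now, now))
    return host_dir


def cleanup_stale(nfs_root, now=None, max_age=STALE_AFTER):
    """Remove staged host directories older than max_age; return removed hostnames."""
    now = time.time() if now is None else now
    base = pathlib.Path(nfs_root) / "secrets"
    removed = []
    if not base.is_dir():
        return removed
    for host_dir in base.iterdir():
        if not host_dir.is_dir():
            continue
        if now - host_dir.stat().st_mtime > max_age:
            for entry in host_dir.iterdir():
                entry.unlink()
            host_dir.rmdir()
            removed.append(host_dir.name)
    return sorted(removed)


def demo():
    """Stage two hosts at different times, then run cleanup; returns what happened."""
    with tempfile.TemporaryDirectory() as nfs_root:
        # node01 staged at t=0, node02 at t=1000 (constructed timestamps)
        stage_secrets(nfs_root, "node01", {"ssh_host_ed25519_key": "constructed-key-A"}, now=0)
        stage_secrets(nfs_root, "node02", {"ssh_host_ed25519_key": "constructed-key-B"}, now=1000)
        removed = cleanup_stale(nfs_root, now=1000)  # node01 is 1000s old, past the 900s window
        base = pathlib.Path(nfs_root) / "secrets"
        remaining = sorted(p.name for p in base.iterdir())
        key_path = base / "node02" / "ssh_host_ed25519_key"
        file_mode = stat.S_IMODE(os.stat(key_path).st_mode)
        return {"removed": removed, "remaining": remaining, "file_mode": file_mode}


if __name__ == "__main__":
    print(demo())
```

Running this as a cron job still leaves each secret readable by anyone who can mount the export during the window, which is the exposure the next reply raises; the cleanup only bounds how long that window stays open.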
Hi Andrew.
That's an option, but it seems less secure: while the PXE network has to be
quite "locked down", NFS could potentially be exposed on a "public"
network (say, to handle reinstalls on many networks with a single server).
If only machines had an "attestation key" by default... Maybe a USB key
Hey,
Yes, agreed, it depends on the use case. For the gear I'm dealing with,
they're on physically very secure networks and NFS is firewalled off.
You could potentially have a kernel token as you suggest and then go to
fetch the secrets from a HashiCorp Vault with an approval needing to be
issued.
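The "kernel token, then fetch the real secret" idea from the two replies above, as an added example that is not code from the thread, from FAI, or from HashiCorp Vault. A hypothetical broker stands in for Vault: it issues a per-host token that is bound to the host's MAC, expires after a short TTL, and can be redeemed exactly once, after which the secret is released and discarded server-side. The broker stores only a SHA-256 digest of the token, so a dump of its state does not yield usable tokens. Anything on the booting host can read the token from `/proc/cmdline`, which is why the single-use and expiry checks matter. Hostnames, MACs, timestamps and the command line are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import shlex
import time


class InstallTokenBroker:
    """Hypothetical one-time install-token broker (stand-in for a Vault-style approval)."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(token) -> record; raw tokens are never stored

    def issue(self, hostname, mac, host_secret, now=None):
        """Register a fresh token for one host and return it to the install orchestrator."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = {
            "hostname": hostname,
            "mac": mac.lower(),
            "secret": host_secret,
            "expires": now + self.ttl,
            "used": False,
        }
        return token

    def redeem(self, token, mac, now=None):
        """Exchange a token for the host secret; returns (secret_or_None, status)."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        rec = self._pending.get(digest)
        if rec is None:
            return None, "unknown token"
        if rec["used"]:
            return None, "token already used"
        if now > rec["expires"]:
            return None, "token expired"
        if not hmac.compare_digest(rec["mac"], mac.lower()):
            return None, "mac mismatch"
        rec["used"] = True
        secret_value, rec["secret"] = rec["secret"], None  # release once, then forget
        return secret_value, "ok"


def token_from_cmdline(cmdline, key="fai_token"):
    """Pull key=value from a kernel command line (the same text /proc/cmdline exposes)."""
    for arg in shlex.split(cmdline):
        name, sep, value = arg.partition("=")
        if sep and name == key:
            return value
    return None


def demo():
    """Walk one host through issue -> boot -> redeem, plus replay, wrong-MAC and expiry attempts."""
    broker = InstallTokenBroker(ttl_seconds=900)
    t0 = 1_700_000_000  # constructed base timestamp
    mac = "52:54:00:12:34:56"
    tok = broker.issue("node01.example.test", mac, "constructed-host-secret", now=t0)
    # The orchestrator would put this on the PXE kernel line; the host reads it back.
    cmdline = f"BOOT_IMAGE=vmlinuz root=/dev/nfs ip=dhcp fai_token={tok}"
    presented = token_from_cmdline(cmdline)
    first = broker.redeem(presented, mac, now=t0 + 60)
    replay = broker.redeem(presented, mac, now=t0 + 61)
    late_tok = broker.issue("node02.example.test", "52:54:00:ab:cd:ef", "another-secret", now=t0)
    wrong_mac = broker.redeem(late_tok, "52:54:00:00:00:00", now=t0 + 10)
    expired = broker.redeem(late_tok, "52:54:00:ab:cd:ef", now=t0 + 1000)
    return {
        "first": first,
        "replay": replay[1],
        "wrong_mac": wrong_mac[1],
        "expired": expired[1],
    }


if __name__ == "__main__":
    print(demo())
```

The redeem call is where a real deployment would insert the human or policy approval the reply mentions; the broker here answers immediately, but the checks it performs (binding, TTL, single use) are the ones worth keeping in front of any approval step.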