Secret management solutions research #241

Open
moisesguimaraes opened this issue Mar 22, 2018 · 3 comments

Comments

@moisesguimaraes

Hi all o/

I'm working on research to select a secret management solution to protect secrets on TripleO (the OpenStack installer). The main goal is to secure secrets from the undercloud (undercloud-passwords.conf), Ansible playbooks, Hiera/Puppet, OpenStack configuration files, and any other secrets we have there.

This is the data I have collected so far, the lines are explained after the table:

    +-----------------------+-------------+-------------------+---------------+
    |           \           | Custodia    | Hashicorp Vault   | FreeIPA Vault |
    +-----------------------+-------------+-------------------+---------------+
    | open source           | yes         | yes               | yes           |
    +-----------------------+-------------+-------------------+---------------+
    | part of redhat        | yes         | no (hashicorp)    | yes           |
    +-----------------------+-------------+-------------------+---------------+
    | ansible integration   |             | yes               |               |
    +-----------------------+-------------+-------------------+---------------+
    | hiera integration     |             | yes               |               |
    +-----------------------+-------------+-------------------+---------------+
    | castellan integration | in progress | yes               |               |
    +-----------------------+-------------+-------------------+---------------+
    | barbican integration  | in progress | in progress       |               |
    +-----------------------+-------------+-------------------+---------------+
    | community             |             | irc, mail, gitter |               |
    +-----------------------+-------------+-------------------+---------------+
    | high availability     | ?           | yes               |               |
    +-----------------------+-------------+-------------------+---------------+
    | RDO package           |             | no                |               |
    +-----------------------+-------------+-------------------+---------------+
    | RHEL package          |             | no                |               |
    +-----------------------+-------------+-------------------+---------------+
    | Fedora package        |             | no                |               |
    +-----------------------+-------------+-------------------+---------------+
    | CentOS package        | no          | no                |               |
    +-----------------------+-------------+-------------------+---------------+
    | Maintenance burden    | high        | very low          |               |
    +-----------------------+-------------+-------------------+---------------+
    | Biggest issue         | maintenance | premium features  | performance   |
    +-----------------------+-------------+-------------------+---------------+

[ansible | hiera] integration: can I retrieve a protected secret into a variable in an Ansible playbook or Chef recipe?

[castellan | barbican] integration: can this secret manager act as a backend to Castellan or Barbican?

community: where can I find help?

[RDO, RHEL, Fedora, CentOS] packages: are there packages available on these systems?

@simo5

simo5 commented Mar 22, 2018

So let me try to give you pointers I can figure out right away:

  • Ansible Integration: if you can use curl/wget you can get secrets, so I would say "yes"
  • Community: IRC #latchset on freenode (#freeipa for FreeIPA Vault btw, freeipa also has mailing lists), and issues on github.
  • High Availability: yes via load balancers, the protocol is stateless.
  • Packages: Custodia is packaged on all major distros as it is a dependency for FreeIPA

Now to the ones I do not understand:

  • Maintenance burden: what does it mean ?

Finally, note that Custodia is not really meant to store secrets; although it has sample code for doing that, its core strength is in giving you a simple REST API and a pluggable service that can be easily routed and transformed as needed, for segmentation/performance/other reasons.
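As an added illustration of the "if you can use curl/wget you can get secrets" point (this is not code from the thread, from Custodia, or from TripleO): an Ansible playbook that fetches a secret from a REST secret store with the stock `uri` module and registers it as a variable, which is all the "ansible integration" row of the table asks for. The URL path, the bearer-token authentication scheme and the `value` field in the JSON reply are assumptions about the server being queried and must be checked against the real API; `no_log: true` is the part a practitioner should not skip, since otherwise the secret and the token land in Ansible's stdout and log.

```yaml
# Added example (not from the thread, Custodia or TripleO): pull a secret from a
# REST secret store into an Ansible variable using the built-in `uri` module.
# ASSUMPTIONS: the URL path, the bearer-token auth header and the `value` field
# in the JSON response are placeholders for whatever the real server exposes.
- name: Retrieve a secret from a REST secret store
  hosts: localhost
  gather_facts: false
  vars:
    # assumed endpoint; replace with the store's documented path for this key
    secret_store_url: "https://secrets.example.internal/secrets/tripleo/admin_password"
  tasks:
    - name: Fetch the secret over HTTPS
      uri:
        url: "{{ secret_store_url }}"
        method: GET
        headers:
          # assumed auth scheme; the token is read from the controller's environment
          Authorization: "Bearer {{ lookup('env', 'SECRET_STORE_TOKEN') }}"
        return_content: true
        validate_certs: true      # never disable TLS verification for a secret store
        status_code: 200
      register: secret_response
      no_log: true                # keeps the secret and the token out of logs/stdout

    - name: Store the secret in a variable without echoing it
      set_fact:
        # `value` is an assumption about the response shape; adjust to the real API
        admin_password: "{{ secret_response.json.value }}"
      no_log: true

    - name: Confirm a value was retrieved (prints only a boolean, not the secret)
      debug:
        msg: "secret retrieved: {{ admin_password | length > 0 }}"
```

Run it with `SECRET_STORE_TOKEN=... ansible-playbook fetch_secret.yml`. Downstream tasks that consume `admin_password` (templating a config file, for example) should also carry `no_log: true`, otherwise a task failure dumps the rendered arguments, secret included.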

@moisesguimaraes

Hi @simo5,

Thanks for your help!

Maintenance burden means that features we'd like to have or bug fixes would have to be implemented by our team. We have people on our team contributing to Custodia already. This issue is basically to figure out the FreeIPA Vault column. As freeipa/freeipa doesn't support issues, I was redirected to this repo on the #freeipa IRC channel.

Thanks also for highlighting that Custodia isn't meant to store secrets, I wasn't aware of that.

@tiran

tiran commented Mar 23, 2018

If you have questions concerning IPA vault, feel free to write a mail to the FreeIPA users mailing list. You can find information about the list on https://www.freeipa.org/page/Contribute

FreeIPA doesn't use GitHub for issues. It uses Pagure as its issue tracker. The issue tracker is for bugs and feature requests. General questions should go to the users mailing list.
