Page MenuHomePhabricator
Create Task
Maniphest T112005

Setup a way to store secrets and access them from puppet inside the Tool Labs project
Closed, ResolvedPublic
Actions

Description

For k8s auth passwords and perhaps SSL certs in the future.

Probably be doable with a a puppetmaster for the project. Must verify that non-root users can't get access to the secrets even in the labs puppetmaster roles.

Details

SubjectRepoBranchLines +/-
hiera: Add support for 'secret' datadiroperations/puppetproduction+13 -0
puppet: Have a 'secret' repository for self hosted puppetmastersoperations/puppetproduction+16 -1
tools: Add puppetmaster/client rolesoperations/puppetproduction+37 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

yuvipanda created this task.Sep 9 2015, 8:41 PM
yuvipanda raised the priority of this task from to Needs Triage.
yuvipanda updated the task description. (Show Details)
yuvipanda added projects: Cloud-Services, Toolforge.
yuvipanda added subscribers: Aklapper, yuvipanda.

Should basically track production branch as closely as possible (faster git pulls maybe?)

valhallasw subscribed.Sep 10 2015, 7:46 AM

Can we solve this using just ssh auth? We already have host-based auth infra in place, after all.

Otoh, having a generic secure storage also sounds like a good plan.

scfc subscribed.Sep 10 2015, 2:34 PM

What's the purpose of this? If it's just a one-time job when setting up a new Kubernetes host, doing it manually seems acceptable to me (and much less work than setting up a non-leaking Puppet master); we do that already for the proxy servers as well.

yuvipanda added a comment.Sep 10 2015, 2:37 PM
  1. Adding user accounts - need to be added in the central apiserver and provision password on each user's homedir. Can't do it like we do for replica.my.cnf since the k8s master server has no nfs.
  2. TLS certs for each nodes.

So the webproxy is only one thing that doesn't change and has to be on only two places, while this is a bit more dynamic.

scfc added a comment.Sep 10 2015, 2:52 PM

As I wrote in T107993#1567549:

You don't need to involve NFS (directly). You can set up the certificate generator on any machine as a HTTP/whatever service, do the auth* via is_in_tools_project($IP) && identd($IP, $port) and then let the "client" write it to the local disk (which will probably be NFS :-)).

But a certificate generator certainly requires a process maintaining a certificate revocation list and distributing it to where it needs to be.

yuvipanda added a comment.Sep 10 2015, 2:58 PM

That is a lot more complexity than just setting up a private puppetmaster
:) we also shouldn't be doing any extra, non upstreamable pieces in the
infrastructure if we can help it, and I definitely think an authenticating
proxy falls in that category.

Also not doing TLS client certificates right now - not sure how much
kubernetes supports revocation checking. Will move to that in the next
couple of months though :)

coren subscribed.EditedSep 10 2015, 3:08 PM

I'm not seeing a less bad way of doing it offhand. It might perhaps be possible to actually do it the replicas.my.cnf way by having labstore* do it asynchronously? This wouldn't require k8s do have NFS mounts itself.

yuvipanda added a comment.Sep 10 2015, 3:10 PM

How would we be able to do it in labstore without k8s having nfs? The credentials will have to be generated somwehere (k8s master or labstore) and then securely transferred to the other... Not sure if that is simpler.

coren added a comment.Sep 10 2015, 3:58 PM

I should think it fairly easy to transfer credentials to the k8s master from labstore (rsync, or something else); but that's an extra piece of home-spun software to maintain.

(It might actually be worthwhile to see if the mysql system could be generalized, however, given that we now have at least three use case for "need to generate credentials per-uid in labs and distribute to the user and the service")

yuvipanda added a comment.Sep 10 2015, 4:00 PM

Indeed, it's 'another piece of home-spun software' that I hope we do not have.

yuvipanda added a subscriber: Joe.Sep 30 2015, 7:16 AM

@Joe suggested we just have a private repo on labs puppetmaster, which I highly approve of!

valhallasw triaged this task as Low priority.Oct 4 2015, 11:51 AM
valhallasw moved this task from Backlog to Ready to be worked on on the Toolforge board.
yuvipanda added a project: labs-sprint-117.Oct 5 2015, 5:04 PM
yuvipanda set Security to None.
gerritbot subscribed.Oct 5 2015, 8:37 PM

Change 243800 had a related patch set uploaded (by Yuvipanda):
tools: Add puppetmaster/client roles

https://gerrit.wikimedia.org/r/243800

gerritbot added a project: Patch-For-Review.Oct 5 2015, 8:37 PM
gerritbot added a comment.Oct 5 2015, 8:46 PM

Change 243800 merged by Yuvipanda:
tools: Add puppetmaster/client roles

https://gerrit.wikimedia.org/r/243800

yuvipanda mentioned this in rOPUP12d1f9213420: tools: Add puppetmaster/client roles.Oct 5 2015, 8:46 PM
yuvipanda added a comment.Oct 5 2015, 10:41 PM

Ok, there's now tools-puppetmaster-01 setup to serve as puppetmaster for the k8s master node, two workers and the dynamicproxies!

yuvipanda moved this task from To do to Doing on the labs-sprint-117 board.Oct 6 2015, 3:16 AM
yuvipanda added a comment.Oct 6 2015, 4:33 AM

There are two ways of doing this:

  1. Add a modulepath for secrets to the self hosted puppetmaster's config somewhow or
  2. Make the secrets as local cherrypicks on top of the labs-private repo

I vastly prefer #1 in this case.

We should also replicate the private puppetmaster setup in palladium, which has;

  1. Source repo in /root/private
  2. A post commit hook that pushes it to /var/lib/git/<whatever>
  3. A post commit hook that pushes it to /var/lib/git/<whatever> on second host as well
coren added a comment.Oct 8 2015, 4:03 PM

With modulepath, what happens when one makes a local clone of the puppet tree?

gerritbot added a comment.Oct 9 2015, 11:48 PM

Change 244827 had a related patch set uploaded (by Yuvipanda):
puppet: Have a 'secret' repository for self hosted puppetmasters

https://gerrit.wikimedia.org/r/244827

gerritbot added a comment.Oct 10 2015, 12:54 AM

Change 244827 merged by Yuvipanda:
puppet: Have a 'secret' repository for self hosted puppetmasters

https://gerrit.wikimedia.org/r/244827

yuvipanda added a comment.Oct 10 2015, 1:35 AM

Done! (ish!). Still needs I think to figure out how to make hiera also look at the secret repo for files...

gerritbot added a comment.Oct 10 2015, 1:56 AM

Change 244841 had a related patch set uploaded (by Yuvipanda):
hiera: Add support for 'secret' datadir

https://gerrit.wikimedia.org/r/244841

gerritbot added a comment.Oct 10 2015, 4:17 AM

Change 244841 merged by Yuvipanda:
hiera: Add support for 'secret' datadir

https://gerrit.wikimedia.org/r/244841

yuvipanda added a comment.Oct 10 2015, 6:14 AM

I think this is all done now.

yuvipanda added a comment.Oct 10 2015, 6:15 AM

There's no secret repo on the labs puppetmaster and that seems to be ok.

yuvipanda closed this task as Resolved.Oct 10 2015, 6:15 AM
yuvipanda claimed this task.
yuvipanda moved this task from Doing to Done on the labs-sprint-117 board.Oct 10 2015, 6:17 AM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:47 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits