Page MenuHomeDevCentral

Avoid to share credentials between dev and prod Docker engines
ClosedPublic

Authored by DorianWinty on Apr 15 2022, 11:52.
Tags
None
Referenced Files
F3777566: D2669.id.diff
Mon, Nov 25, 01:50
Unknown Object (File)
Fri, Nov 22, 16:37
Unknown Object (File)
Fri, Nov 22, 04:50
Unknown Object (File)
Thu, Nov 21, 07:27
Unknown Object (File)
Tue, Nov 19, 17:29
Unknown Object (File)
Tue, Nov 19, 09:31
Unknown Object (File)
Tue, Nov 19, 01:37
Unknown Object (File)
Mon, Nov 18, 17:44
Subscribers
None

Details

Summary

The same Vault policy was applied for all Docker engines.

As plan is to repurpose Dwellers as a development Docker engine,
security requirements require separate sets of credentials.

As we don't currently have well defined environments, to assign
to each server a virtual role "paas-docker-<env>" will do nicely.

This is a follow-up for af9db00760be.

Ref T1724, T1425.

Test Plan

salt dwellers credentials.get_password nasqueron.etherpad.api should fail.

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

DorianWinty created this revision.
This revision is now accepted and ready to land.Apr 15 2022, 12:10
Complector
$ cd /opt/salt/nasqueron-operations

$ git fetch --all
 * [new branch]      docker-vault-policies -> datacube/docker-vault-policies

$ git checkout docker-vault-policies

$ salt-call --local state.sls roles/vault/policies
local:
    Data failed to compile:
----------
    Rendering SLS 'base:roles/vault/policies' failed: Jinja variable 'salt.utils.templates.AliasedLoader object' has no attribute 'credentials.build_policies_by_node'

$ salt-call --local saltutil.sync_all
[...]
    modules:
        - modules.credentials
[...]

$ salt-call --local state.sls roles/vault/policies
[...]
----------                                                                                                                     
          ID: salt-node-docker-001                                                                                             
    Function: vault.policy_present                                                                                             
      Result: True                                                                                                             
     Comment: Policy exists, and has the correct content                                                                       
     Started: 12:17:12.080163                                                                                                  
    Duration: 14.678 ms                                                                                                        
     Changes:  
[...]

Ok, we're no op for docker-001, so it picks the correct content.
And it didn't try to create a policy for Dwellers.

Note for a future change: We should remove the saltmaster role on Ysul and WindRiver, to avoid give Ysul a policy allowing Salt there to have full access to sys/policies/acl, etc.

Manually deleted policies for dwellers, Ysul and windriver.

Current code doesn't create empty policies so if we delete everything for one machine, it will keep former policy. Will fix that in _modules/credentials.py this week-end.

Ysul and WindRiver should lose the saltmaster role, per T923.

DorianWinty retitled this revision from Add role for spliting prod and dev credentials on vault to Add role for split of prod and dev credentials on vault.Apr 15 2022, 17:36
DorianWinty edited the summary of this revision. (Show Details)
DorianWinty retitled this revision from Add role for split of prod and dev credentials on vault to To split the prod and dev credentials on vault.
dereckson retitled this revision from To split the prod and dev credentials on vault to Avoid to share credentials between dev and prod Docker engines.Apr 15 2022, 17:49
dereckson edited the summary of this revision. (Show Details)
dereckson edited the test plan for this revision. (Show Details)