Page MenuHomeDevCentral

Avoid to share credentials between dev and prod Docker engines
ClosedPublic

Authored by DorianWinty on Apr 15 2022, 11:52.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Dec 21, 05:07
Unknown Object (File)
Fri, Dec 20, 04:42
Unknown Object (File)
Tue, Dec 17, 07:56
Unknown Object (File)
Sun, Dec 15, 08:02
Unknown Object (File)
Sun, Dec 15, 04:58
Unknown Object (File)
Fri, Dec 13, 18:47
Unknown Object (File)
Fri, Dec 13, 14:37
Unknown Object (File)
Mon, Dec 9, 09:09
Subscribers
None

Details

Summary

The same Vault policy was applied for all Docker engines.

As plan is to repurpose Dwellers as a development Docker engine,
security requirements require separate sets of credentials.

As we don't currently have well defined environments, to assign
to each server a virtual role "paas-docker-<env>" will do nicely.

This is a follow-up for af9db00760be.

Ref T1724, T1425.

Test Plan

salt dwellers credentials.get_password nasqueron.etherpad.api should fail.

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Passed
Unit
No Test Coverage
Branch
docker_security
Build Status
Buildable 4186
Build 4438: arc lint + arc unit

Event Timeline

DorianWinty created this revision.
This revision is now accepted and ready to land.Apr 15 2022, 12:10
Complector
$ cd /opt/salt/nasqueron-operations

$ git fetch --all
 * [new branch]      docker-vault-policies -> datacube/docker-vault-policies

$ git checkout docker-vault-policies

$ salt-call --local state.sls roles/vault/policies
local:
    Data failed to compile:
----------
    Rendering SLS 'base:roles/vault/policies' failed: Jinja variable 'salt.utils.templates.AliasedLoader object' has no attribute 'credentials.build_policies_by_node'

$ salt-call --local saltutil.sync_all
[...]
    modules:
        - modules.credentials
[...]

$ salt-call --local state.sls roles/vault/policies
[...]
----------                                                                                                                     
          ID: salt-node-docker-001                                                                                             
    Function: vault.policy_present                                                                                             
      Result: True                                                                                                             
     Comment: Policy exists, and has the correct content                                                                       
     Started: 12:17:12.080163                                                                                                  
    Duration: 14.678 ms                                                                                                        
     Changes:  
[...]

Ok, we're no op for docker-001, so it picks the correct content.
And it didn't try to create a policy for Dwellers.

Note for a future change: We should remove the saltmaster role on Ysul and WindRiver, to avoid give Ysul a policy allowing Salt there to have full access to sys/policies/acl, etc.

Manually deleted policies for dwellers, Ysul and windriver.

Current code doesn't create empty policies so if we delete everything for one machine, it will keep former policy. Will fix that in _modules/credentials.py this week-end.

Ysul and WindRiver should lose the saltmaster role, per T923.

DorianWinty retitled this revision from Add role for spliting prod and dev credentials on vault to Add role for split of prod and dev credentials on vault.Apr 15 2022, 17:36
DorianWinty edited the summary of this revision. (Show Details)
DorianWinty retitled this revision from Add role for split of prod and dev credentials on vault to To split the prod and dev credentials on vault.
dereckson retitled this revision from To split the prod and dev credentials on vault to Avoid to share credentials between dev and prod Docker engines.Apr 15 2022, 17:49
dereckson edited the summary of this revision. (Show Details)
dereckson edited the test plan for this revision. (Show Details)