Page MenuHomeDevCentral
Differential D2669

Avoid to share credentials between dev and prod Docker engines
ClosedPublic
Actions

Authored by DorianWinty on Apr 15 2022, 11:52.
Tags
None
Referenced Files
F3764265: D2669.diff
Fri, Nov 22, 04:50
Unknown Object (File)
Thu, Nov 21, 07:27
Unknown Object (File)
Tue, Nov 19, 17:29
Unknown Object (File)
Tue, Nov 19, 09:31
Unknown Object (File)
Tue, Nov 19, 01:37
Unknown Object (File)
Mon, Nov 18, 17:44
Unknown Object (File)
Wed, Nov 13, 23:10
Unknown Object (File)
Wed, Nov 13, 05:32
View All Files
Subscribers
None

Details

Reviewers
dereckson
Maniphest Tasks
T1425: Provision secrets through Salt
T1724: Split Docker engines between production (docker-001) and dev (dwellers)
Commits
rOPS7e0c3d8bb793: Avoid to share credentials between dev and prod Docker engines
Summary

The same Vault policy was applied for all Docker engines.

As plan is to repurpose Dwellers as a development Docker engine,
security requirements require separate sets of credentials.

As we don't currently have well defined environments, to assign
to each server a virtual role "paas-docker-<env>" will do nicely.

This is a follow-up for af9db00760be.

Ref T1724, T1425.

Test Plan

salt dwellers credentials.get_password nasqueron.etherpad.api should fail.

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Passed
Unit
No Test Coverage
Branch
docker_security
Build Status
Buildable 4186
Build 4438: arc lint + arc unit

Event Timeline

DorianWinty requested review of this revision.Apr 15 2022, 11:52
DorianWinty created this revision.
Harbormaster completed remote builds in B4186: Diff 6744.Apr 15 2022, 11:52
dereckson accepted this revision.Apr 15 2022, 12:10
This revision is now accepted and ready to land.Apr 15 2022, 12:10
dereckson added a comment.EditedApr 15 2022, 12:19
Complector
$ cd /opt/salt/nasqueron-operations

$ git fetch --all
 * [new branch]      docker-vault-policies -> datacube/docker-vault-policies

$ git checkout docker-vault-policies

$ salt-call --local state.sls roles/vault/policies
local:
    Data failed to compile:
----------
    Rendering SLS 'base:roles/vault/policies' failed: Jinja variable 'salt.utils.templates.AliasedLoader object' has no attribute 'credentials.build_policies_by_node'

$ salt-call --local saltutil.sync_all
[...]
    modules:
        - modules.credentials
[...]

$ salt-call --local state.sls roles/vault/policies
[...]
----------                                                                                                                     
          ID: salt-node-docker-001                                                                                             
    Function: vault.policy_present                                                                                             
      Result: True                                                                                                             
     Comment: Policy exists, and has the correct content                                                                       
     Started: 12:17:12.080163                                                                                                  
    Duration: 14.678 ms                                                                                                        
     Changes:  
[...]

Ok, we're no op for docker-001, so it picks the correct content.
And it didn't try to create a policy for Dwellers.

Note for a future change: We should remove the saltmaster role on Ysul and WindRiver, to avoid give Ysul a policy allowing Salt there to have full access to sys/policies/acl, etc.

dereckson added a comment.EditedApr 15 2022, 12:22

Manually deleted policies for dwellers, Ysul and windriver.

Current code doesn't create empty policies so if we delete everything for one machine, it will keep former policy. Will fix that in _modules/credentials.py this week-end.

Ysul and WindRiver should lose the saltmaster role, per T923.

dereckson edited the summary of this revision. (Show Details)Apr 15 2022, 12:51
dereckson edited the summary of this revision. (Show Details)
dereckson added a task: T1724: Split Docker engines between production (docker-001) and dev (dwellers).
DorianWinty retitled this revision from Add role for spliting prod and dev credentials on vault to Add role for split of prod and dev credentials on vault.Apr 15 2022, 17:36
DorianWinty edited the summary of this revision. (Show Details)
DorianWinty retitled this revision from Add role for split of prod and dev credentials on vault to To split the prod and dev credentials on vault.
dereckson retitled this revision from To split the prod and dev credentials on vault to Avoid to share credentials between dev and prod Docker engines.Apr 15 2022, 17:49
dereckson edited the summary of this revision. (Show Details)
dereckson edited the test plan for this revision. (Show Details)
dereckson edited the summary of this revision. (Show Details)Apr 15 2022, 17:53
dereckson added a task: T1425: Provision secrets through Salt.
Closed by commit rOPS7e0c3d8bb793: Avoid to share credentials between dev and prod Docker engines (authored by DorianWinty, committed by dereckson). · Explain WhyApr 15 2022, 19:51
This revision was automatically updated to reflect the committed changes.
dereckson added a commit: rOPS7e0c3d8bb793: Avoid to share credentials between dev and prod Docker engines.

Revision Contents
Changeset List

PathSize
pillar/
credentials/
2 lines
nodes/
2 lines

Diff 6744

View Options

pillar/credentials/vault.sls

Loading...
View Options

pillar/nodes/nodes.sls

Loading...
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator