Puppet and Node-Side Secrets
December 16, 2015 | DevOps | Andrew Racine
Earlier this week one of our platform developers, Rafal Rzepecki, had the opportunity to guest blog on the Puppet Labs blog. You can view the original blog post here.
Rafal’s post was inspired by the presentation our Vice President, Josh Bregman, gave at PuppetConf back in October. Josh’s presentation focused on using Puppet with a secrets server. You can watch the video of Josh’s presentation here.
In Rafal’s blog post, he discusses that in today’s modern infrastructure environments, machines are as distrustful of one another as they are of humans. This dynamic creates a need for enterprises to identify all of the components of their infrastructure with secrets so that trust, collaboration, and security remain priorities in an automated environment.
Rafal goes on to show how putting these secrets in things like configuration managment files may seem like a good idea, but in reality these files will end up in the company Git repository, making them freely available to everyone who has access to Git. Not ideal.
The solution Rafal proposes is to encrypt a hiera YAML file for the host and then leverage nodes so that the secrets don’t need to pass through the puppet master. This configuration ensures that a compromise of the master isn’t as fatal — an attacker cannot surreptitiously obtain access to other systems. The master can push updates to nodes that extract secrets and send them somewhere, but the manifest changes required would make the attack much more visible.
You can read through Rafal’s full explanation, complete with sample code, on the Puppet Blog.