Store secrets securely
h2. The problem
A provider directory contains lots of secrets. Keeping them safe requires that you keep your workstation secure, that you trust the git provider, and that you keep the git provider secure. Also, currently with the leap platform, you have to trust all the sysadmins equally.
h2. The solution
# store secrets so that only the right sysadmin has access, and not the git server
# deploy secrets so that the right server can read them
# partition sysadmins, so that not everyone has access to everything
h2. How we store and deploy secrets now
We store secrets in:
- secrets.json
- files/nodes, files/certs and files/ca
We deploy secrets:
- in the hiera file
- via rsync of the file itself
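The locations listed above are exactly where a plaintext secret ends up in git today. As an added example (not code from the leap platform or from blackbox), here is a small audit that walks those locations and reports any file that is not OpenPGP-encrypted, which is the state we want once secrets are stored blackbox-style. It assumes the paths named on this page, the blackbox convention that an encrypted copy carries a `.gpg` suffix, and the OpenPGP packet framing from RFC 4880; the sample provider directory built in the test is constructed for illustration.

```python
#!/usr/bin/env python3
"""Audit a provider directory for secrets that are stored unencrypted.

Added example, not part of the leap platform. Assumptions: the secret
locations are the ones listed on the page (secrets.json, files/nodes,
files/certs, files/ca) and encrypted copies use a ".gpg" suffix.
"""
import sys
from pathlib import Path

# Paths, relative to the provider directory, that hold secrets (from the page).
SECRET_PATHS = ("secrets.json", "files/nodes", "files/certs", "files/ca")

# An ASCII-armored OpenPGP ciphertext starts with this header line.
ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: armored PGP message, or a binary OpenPGP encrypted message.

    Binary OpenPGP packets start with a tag byte whose high bit is set
    (RFC 4880 section 4.2). An encrypted message begins with a
    public-key encrypted session key packet (tag 1) or a symmetric-key
    encrypted session key packet (tag 3); anything else (for example a
    public key packet, tag 6) is not ciphertext.
    """
    if data.startswith(ARMOR_HEADER):
        return True
    if not data:
        return False
    first = data[0]
    if first & 0x80 == 0:  # high bit clear: not an OpenPGP packet at all
        return False
    if first & 0x40:  # new-format packet: tag is the low six bits
        tag = first & 0x3F
    else:  # old-format packet: tag is bits 5..2
        tag = (first >> 2) & 0x0F
    return tag in (1, 3)


def _candidates(root: Path, rel: str):
    """Yield the plaintext and .gpg variants of a secret path, if present."""
    for target in (root / rel, root / (rel + ".gpg")):
        if target.is_file():
            yield target
        elif target.is_dir():
            yield from sorted(p for p in target.rglob("*") if p.is_file())


def audit_provider_dir(root) -> list:
    """Return (relative path, problem) tuples for every unencrypted secret.

    An empty list means every file in the secret locations is ciphertext.
    """
    root = Path(root)
    findings = []
    for rel in SECRET_PATHS:
        for path in _candidates(root, rel):
            relpath = path.relative_to(root).as_posix()
            data = path.read_bytes()
            if path.suffix == ".gpg":
                if not looks_encrypted(data):
                    findings.append((relpath, "has .gpg suffix but is not an OpenPGP message"))
            else:
                findings.append((relpath, "stored in plaintext; encrypt before committing"))
    return findings


if __name__ == "__main__":
    provider_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    problems = audit_provider_dir(provider_dir)
    for relpath, problem in problems:
        print(f"{relpath}: {problem}")
    sys.exit(1 if problems else 0)
```

Run it as `audit_secrets.py /path/to/provider` (hypothetical file name) from a pre-commit hook or CI job; a non-zero exit blocks the commit. It only checks that the committed bytes are ciphertext, not who can decrypt them: confirming that a `.gpg` file is encrypted to the right sysadmins and to nobody else is a separate step that needs the keyring (for example by inspecting the recipient key IDs with `gpg --list-packets`), which is the partitioning question under "To research".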
h2. To research
- How can we integrate with blackbox?
- How can we partition users?
h2. Links
blackbox was originally written for use with puppet, so it has a lot of puppet support.
(from redmine: created on 2016-12-20)