
Add support for Credhub-based secret management #428

Closed

Conversation

dennisjbell (Member)

Genesis started as a vault-based system, but since then, Credhub has been utilized to store and generate secrets for some kits, most notably the cf-genesis-kit. It is not a 1:1 replacement for vault, with significant differences in storage and behaviour. However, we want to be able to continue using genesis primitives to manage secrets in the same way.

To this end, the lib/Genesis/Credhub.pm library will attempt to bridge the differences to form a common vocabulary. This will include, but is not limited to:

  1. using variables from the rendered manifest instead of kit.yml to define the secrets behaviour
  2. the check script will only error on missing credhub values if they are not specified by the variables or bosh_variables sections
  3. rotate secrets will use regenerate, but will have to handle changes to the manifest (i.e. if I change the password length or certificate properties, how does that get sent to credhub prior to regeneration without deploying the manifest?)

lib/Genesis/Vault.pm defines the general behaviour, and can be used as a guide. As it will mainly be done by running credhub cli commands, you'll want to be familiar with the run, read_json_from, and lines subroutines in lib/Genesis.pm.

@dennisjbell dennisjbell added the * Work In Progress Do NOT merge, as it is in an incomplete state label Feb 12, 2021
@dennisjbell dennisjbell marked this pull request as draft February 12, 2021 06:11
@rkoster rkoster self-assigned this Feb 15, 2021
rkoster (Contributor) commented Feb 15, 2021

Collecting some research notes on implementation direction:

cf-deployment specifies update_mode for at least some variables: https://github.com/cloudfoundry/cf-deployment/blob/main/cf-deployment.yml#L2070

The bosh director has support for forwarding this information to credhub: https://www.pivotaltracker.com/n/projects/956238/stories/164818604
And is used here: https://github.com/cloudfoundry/bosh/blob/e0ac496c97eff51c3c7071928f2b96e4b347847c/src/bosh-director/lib/bosh/director/config_server/client.rb#L89-L116

Credhub API docs are currently down, but below is a screenshot from a local copy:
[screenshot of the Credhub API docs; image not preserved]

Credhub cli go client supports converge: cloudfoundry/credhub-cli@37f2848

The Credhub cli generate command has a --no-overwrite flag, but no --mode or similar to set converge; regenerate has nothing like that. But if we already have all generation options from the manifest, we should be able to use generate.

https://bosh.io/docs/manifest-v2/#features

Warning
The converge_variables feature can result in unintended side effects. It will regenerate all variables associated with a deployment, even those that are specified in a runtime config. For this reason we strongly recommend that you use the update_mode configuration on the variable that you wish to converge.

From the above it seems like the following requirements could be handled by BOSH using converge_variables and update_mode:

  1. "using variables from the rendered manifest instead of kit.yml to define the secrets behaviour": by setting update_mode to no-overwrite for "fixed" secrets and CAs, and converge on all others
  2. "check script will only error on missing credhub values if they are not specified by variables or bosh_variables sections": this should not be needed anymore, since changes to variable options should trigger the generation of a new credential version when update_mode is set to converge
  3.1 "rotate secrets will use regenerate"
  3.2 "but will have to handle changes to the manifest (i.e. if I change the password length or certificate properties, how does that get sent to credhub prior to regeneration without deploying the manifest?)": this is exactly what update_mode converge was designed for

rkoster (Contributor) commented Feb 15, 2021

3.1 could be implemented using the bosh variables cli command in combination with bosh manifest (to get the variable update_mode, so we can skip no-overwrite and is_ca) and bosh config (to get the runtime-config variable definitions).

The above should work just fine for the simple cases, but does not fix the 3-phase deploy required for rotating CAs.
Or the cc db encryption key, which requires an errand. Or the application CA used by diego to create certs on the fly.
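The selection logic sketched in the comment above (take the variable definitions from the rendered manifest and the runtime config, skip update_mode no-overwrite and is_ca, regenerate the rest), written out as an added illustrative example. This is not Genesis code (Genesis is Perl) and not part of the thread; it works on an already-parsed copy of the `variables:` sections, the way a YAML parser would return them from `bosh -d DEP manifest` and `bosh config --type runtime`. The sample variables, the director and deployment names, and the `/<director>/<deployment>/<variable>` CredHub path convention are assumptions made for the example; the only CLI invocation it emits is `credhub regenerate -n NAME`, and it emits the commands rather than running them so the operator can review what would be rotated and what was deliberately left alone.

```python
"""Plan a credential rotation from a rendered BOSH manifest (added example).

Not Genesis project code. Input mirrors the parsed YAML of the `variables:`
sections of `bosh -d DEP manifest` and of the runtime config; the sample data
below is constructed for the example.
"""
from typing import Any, Dict, List

Variable = Dict[str, Any]

# Constructed sample: parsed `variables:` section of a rendered manifest.
MANIFEST_VARIABLES: List[Variable] = [
    {"name": "nats_password", "type": "password"},
    {"name": "uaa_admin_password", "type": "password",
     "options": {"length": 30}, "update_mode": "converge"},
    {"name": "service_cf_internal_ca", "type": "certificate",
     "options": {"is_ca": True, "common_name": "internalCA"}},
    {"name": "diego_cell_tls", "type": "certificate",
     "options": {"ca": "service_cf_internal_ca",
                 "common_name": "cell.service.cf.internal"},
     "update_mode": "converge"},
    {"name": "cc_db_encryption_key", "type": "password",
     "update_mode": "no-overwrite"},
]

# Constructed sample: `variables:` section of a runtime config. These must be
# considered as well, since converge_variables would regenerate them too.
RUNTIME_CONFIG_VARIABLES: List[Variable] = [
    {"name": "dns_healthcheck_tls", "type": "certificate",
     "options": {"ca": "dns_healthcheck_ca", "common_name": "health.bosh-dns"}},
    {"name": "dns_healthcheck_ca", "type": "certificate",
     "options": {"is_ca": True, "common_name": "dns-healthcheck-ca"}},
]


def is_ca(var: Variable) -> bool:
    """CA certificates need the multi-step rotation discussed above; never
    regenerate them in a single blind pass."""
    return var.get("type") == "certificate" and bool(var.get("options", {}).get("is_ca"))


def is_pinned(var: Variable) -> bool:
    """update_mode: no-overwrite means BOSH never regenerates it; leave it alone."""
    return var.get("update_mode") == "no-overwrite"


def merge_variables(manifest_vars: List[Variable],
                    runtime_vars: List[Variable]) -> List[Variable]:
    """Manifest definitions first, then runtime-config ones; on a name clash the
    first definition wins (an assumption of this example, not BOSH semantics)."""
    merged: Dict[str, Variable] = {}
    for var in list(manifest_vars) + list(runtime_vars):
        merged.setdefault(var["name"], var)
    return list(merged.values())


def credhub_name(director: str, deployment: str, var_name: str) -> str:
    # Assumed convention for where BOSH stores deployment variables in CredHub.
    return f"/{director}/{deployment}/{var_name}"


def plan_rotation(director: str, deployment: str,
                  manifest_vars: List[Variable],
                  runtime_vars: List[Variable]) -> List[str]:
    """One `credhub regenerate` command per variable that is safe to rotate."""
    return [
        f"credhub regenerate -n {credhub_name(director, deployment, var['name'])}"
        for var in merge_variables(manifest_vars, runtime_vars)
        if not is_ca(var) and not is_pinned(var)
    ]


def skipped(manifest_vars: List[Variable],
            runtime_vars: List[Variable]) -> Dict[str, str]:
    """Variables deliberately left out of the plan, with the reason, so the
    operator sees what still needs a manual (e.g. 3-phase CA) procedure."""
    reasons: Dict[str, str] = {}
    for var in merge_variables(manifest_vars, runtime_vars):
        if is_ca(var):
            reasons[var["name"]] = "is_ca: requires multi-step CA rotation"
        elif is_pinned(var):
            reasons[var["name"]] = "update_mode: no-overwrite"
    return reasons


if __name__ == "__main__":
    for cmd in plan_rotation("bosh", "cf", MANIFEST_VARIABLES, RUNTIME_CONFIG_VARIABLES):
        print(cmd)
    for name, why in skipped(MANIFEST_VARIABLES, RUNTIME_CONFIG_VARIABLES).items():
        print(f"# skipped {name}: {why}")
```

Run as-is it prints four regenerate commands (nats_password, uaa_admin_password, diego_cell_tls, dns_healthcheck_tls) and lists the two CAs and the no-overwrite key as skipped; in practice the printed commands would be reviewed and then piped to a shell against a `credhub` CLI already logged in to the director's CredHub.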

@mrferris mrferris added this to the genesis-v2.9.0 milestone Jun 8, 2021
@mrferris mrferris linked an issue Oct 27, 2021 that may be closed by this pull request
@dennisjbell dennisjbell deleted the branch master December 26, 2021 19:08
Successfully merging this pull request may close these issues.

Feature near-parity between Credhub and Vault
4 participants