Jira (BOLT-1270) Bolt should have an encrypted data store


Lucy Wyman (JIRA)

Apr 30, 2019, 12:33:02 PM
to puppe...@googlegroups.com
Lucy Wyman updated an issue
 
Puppet Task Runner / New Feature BOLT-1270
Bolt should have an encrypted data store
Change By: Lucy Wyman
Summary: eyaml encryption for sensitive inventory -> Bolt should have an encrypted data store
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

Lucy Wyman (JIRA)

Apr 30, 2019, 12:34:17 PM
to puppe...@googlegroups.com
Lucy Wyman updated an issue
Questions:
- How do you interact with this feature within the inventory?

Out of scope:
- Connect to third party encrypted data stores, ie. Vault

Lucy Wyman (JIRA)

Apr 30, 2019, 12:57:02 PM
to puppe...@googlegroups.com
Lucy Wyman updated an issue
Questions:
- How do you interact with this feature within the inventory?
- Should you be able to have a single file with encrypted data in it that can be used by multiple users, or is it on a per user basis? Do you need to be able to share the data with multiple people? *The easiest solution seems like encrypted data should be on a per user basis.*
- Does the sensitive data live in the inventory or in an external file?

TODO:
- Look at Ansible Vault - how does that work?

Out of scope:
- Connect to third party encrypted data stores, ie. Vault

Nick Maludy (JIRA)

May 2, 2019, 5:39:05 AM
to puppe...@googlegroups.com

Alex Dreyer (JIRA)

May 14, 2019, 1:25:03 PM
to puppe...@googlegroups.com
Alex Dreyer updated an issue
Change By: Alex Dreyer
Bolt should support eyaml data in the inventory file.

Users should be able to embed bolt eyaml data in the inventory file similar to how the prompt plugin works.
The plugin should be called eyaml. It should have a single key "encrypted-value" that

{noformat}
nodes:
   - uri: my_node
     config:
       winrm:
         password:
           _plugin: eyaml
           encrypted-value: >
                  ENC[PKCS7,Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
                  NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
                  jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
                  l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
                  /HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
                  IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
{noformat}

Users should configure the eyaml plugin in bolt yaml under the {{plugins:eyaml}} section. Relative paths to keys should be relative to the {{Boltdir}}.

{noformat}
---
ssh:
  host-key-check: false
plugins:
   eyaml:
      pkcs7_private_key: keys/private_key.pkcs7.pem
      pkcs7_public_key:  keys/public_key.pkcs7.pem
{noformat}

Questions:
- What should the {{encrypted-value}} key be called?
- Can bolt expose the "eyaml" command directly or do we need {{bolt eyaml encrypt}} and {{bolt eyaml create-keys}}? The latter seems out of scope unless documenting how to use eyaml proves difficult. Can we put eyaml in {{/opt/puppetlabs/bin/eyaml}} or does it need to be {{/opt/puppetlabs/bolt/bin/eyaml}}?
- Should we leverage the hiera-eyaml's gem plugins or just support pkcs7? If we're not going to leverage eyaml plugins we should probably just call this the pkcs7 plugin.

Out of scope:
- Connect to third party encrypted data stores, ie. Vault. These should be separate plugins.

Cas Donoghue (JIRA)

May 15, 2019, 1:30:03 PM
to puppe...@googlegroups.com

Lucy Wyman (JIRA)

May 15, 2019, 1:42:03 PM
to puppe...@googlegroups.com
Lucy Wyman updated an issue
 
Change By: Lucy Wyman
Bolt should support eyaml data in the inventory file.

Users should be able to embed bolt eyaml data in the inventory file similar to how the prompt plugin works.
The plugin should be called eyaml. It should have a single key "encrypted-value" that

{noformat}
nodes:
   - uri: my_node
     config:
       winrm:
         password:
           _plugin: eyaml
           encrypted-value: >
                  ENC[PKCS7,Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
                  NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
                  jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
                  l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
                  /HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
                  IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
{noformat}

Users should configure the eyaml plugin in bolt yaml under the {{plugins:eyaml}} section. Relative paths to keys should be relative to the {{Boltdir}}.

{noformat}
---
ssh:
  host-key-check: false
plugins:
   eyaml:
      pkcs7_private_key: keys/private_key.pkcs7.pem
      pkcs7_public_key:  keys/public_key.pkcs7.pem
{noformat}


Questions:
- What should the {{encrypted-value}} key be called?
- Can bolt expose the "eyaml" command directly or do we need {{bolt eyaml encrypt}} and {{bolt eyaml create-keys}}? The latter seems out of scope unless documenting how to use eyaml proves difficult. Can we put eyaml in {{/opt/puppetlabs/bin/eyaml}} or does it need to be {{/opt/puppetlabs/bolt/bin/eyaml}}?

- Should we leverage the hiera-eyaml's gem plugins or just support pkcs7. If we're not going to leverage eyaml plugins we should probably just call this the pkcs7 plugin.
- User should not have to run eyaml command to encrypt a value
- Do we need bolt eyaml commands? Yes, behaves like {{hiera eyaml}} command and uses the hiera cli class.
- {{bolt eyaml createkeys}} calls hiera create key
- {{bolt eyaml encrypt}} with f s and p options
- {{bolt eyaml decrypt}} with f and s options

Out of scope:
- Connect to third party encrypted data stores, ie. Vault. These should be separate plugins.
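
The inventory and plugin configuration described in this update and in Alex Dreyer's May 14 update, as an added example that is not code from the Bolt project or from the issue's authors: a Ruby sketch of what resolving an {{_plugin: eyaml}} entry involves. It assumes hiera-eyaml's pkcs7 layout (an ENC[PKCS7,...] token holding the base64 DER of a PKCS7 envelope, with a self-signed certificate acting as the public key), the key file names from the bolt.yaml snippet, and a temporary directory standing in for the Boltdir. create_keys, load_keys, encrypt_value, decrypt_value, resolve_inventory, sample_inventory and demo are hypothetical helper names; the sample inventory and the bolt.yaml fragment are constructed from the snippets in the thread.

```ruby
require 'openssl'
require 'base64'
require 'yaml'
require 'tmpdir'

# Token layout assumed from the issue's example: ENC[PKCS7,<base64 DER of a PKCS7 envelope>],
# where the base64 may be wrapped over several indented lines in the inventory file.
ENC_PATTERN = /\AENC\[PKCS7,(?<b64>[A-Za-z0-9+\/=\s]+)\]\z/

# plugins:eyaml section from the issue's bolt.yaml; key paths are relative to the Boltdir.
BOLT_YAML = <<~YAML
  plugins:
    eyaml:
      pkcs7_private_key: keys/private_key.pkcs7.pem
      pkcs7_public_key:  keys/public_key.pkcs7.pem
YAML

# Stand-in for "bolt eyaml createkeys": PKCS7 addresses recipients by certificate,
# so the "public key" file is a self-signed certificate for a fresh RSA key.
def create_keys(boltdir)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([['CN', 'bolt-eyaml-example']])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 10 * 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  Dir.mkdir(File.join(boltdir, 'keys'))
  File.write(File.join(boltdir, 'keys', 'private_key.pkcs7.pem'), key.to_pem)
  File.write(File.join(boltdir, 'keys', 'public_key.pkcs7.pem'), cert.to_pem)
end

# Read plugins:eyaml and resolve relative key paths against the Boltdir, not the cwd.
def load_keys(boltdir, bolt_yaml)
  cfg  = YAML.safe_load(bolt_yaml).fetch('plugins').fetch('eyaml')
  priv = OpenSSL::PKey::RSA.new(File.read(File.expand_path(cfg.fetch('pkcs7_private_key'), boltdir)))
  cert = OpenSSL::X509::Certificate.new(File.read(File.expand_path(cfg.fetch('pkcs7_public_key'), boltdir)))
  [priv, cert]
end

# Stand-in for "bolt eyaml encrypt": envelope the plaintext for cert and emit the token.
def encrypt_value(plaintext, cert)
  p7 = OpenSSL::PKCS7.encrypt([cert], plaintext, OpenSSL::Cipher.new('aes-256-cbc'), OpenSSL::PKCS7::BINARY)
  "ENC[PKCS7,#{Base64.strict_encode64(p7.to_der)}]"
end

# Check the token shape first so a typo or a non-PKCS7 value fails with a clear error.
def decrypt_value(enc, priv, cert)
  m = ENC_PATTERN.match(enc.to_s.strip)
  raise ArgumentError, 'not an ENC[PKCS7,...] value' unless m
  OpenSSL::PKCS7.new(Base64.decode64(m[:b64])).decrypt(priv, cert)
end

# Walk the parsed inventory, replacing each {_plugin: eyaml, encrypted-value: ...} hash
# with its plaintext; hashes for other plugins (e.g. prompt) pass through untouched.
def resolve_inventory(node, priv, cert)
  case node
  when Hash
    return decrypt_value(node.fetch('encrypted-value'), priv, cert) if node['_plugin'] == 'eyaml'
    node.transform_values { |v| resolve_inventory(v, priv, cert) }
  when Array
    node.map { |v| resolve_inventory(v, priv, cert) }
  else
    node
  end
end

# Constructed inventory in the shape shown in the issue, holding a freshly encrypted value.
def sample_inventory(cert, secret)
  <<~YAML
    nodes:
      - uri: my_node
        config:
          winrm:
            password:
              _plugin: eyaml
              encrypted-value: >
                #{encrypt_value(secret, cert)}
  YAML
end

# End-to-end run in a throwaway Boltdir; also checks a line-wrapped token and a bad one.
def demo(secret = 's3cret')
  Dir.mktmpdir('boltdir') do |boltdir|
    create_keys(boltdir)
    priv, cert = load_keys(boltdir, BOLT_YAML)
    resolved   = resolve_inventory(YAML.safe_load(sample_inventory(cert, secret)), priv, cert)
    wrapped    = encrypt_value(secret, cert).gsub(/(.{60})/, "\\1\n                  ")
    rejected   = begin decrypt_value('ENC[GPG,not-pkcs7]', priv, cert); false
                 rescue ArgumentError then true end
    { password: resolved['nodes'][0]['config']['winrm']['password'],
      wrapped_ok: decrypt_value(wrapped, priv, cert) == secret,
      malformed_rejected: rejected }
  end
end
```

Calling demo from irb returns the decrypted winrm password together with two checks: a token wrapped across indented lines, as in the inventory snippet, still decrypts, and a value that does not match the ENC[PKCS7,...] shape is rejected before any bytes reach OpenSSL, which turns a mis-pasted or non-pkcs7 value into a clear error instead of an opaque ASN.1 exception. Key paths go through File.expand_path against the Boltdir so the relative paths in bolt.yaml resolve the same way whatever the current working directory is.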

Lucy Wyman (JIRA)

May 15, 2019, 1:43:03 PM
to puppe...@googlegroups.com
Lucy Wyman updated an issue
Change By: Lucy Wyman
Sprint: Bolt Ready for Grooming Kanban

Alex Dreyer (JIRA)

May 21, 2019, 2:40:03 PM
to puppe...@googlegroups.com
Alex Dreyer assigned an issue to Alex Dreyer
Change By: Alex Dreyer
Assignee: Nick Maludy -> Alex Dreyer

Tom Beech (JIRA)

Jun 20, 2019, 6:46:03 PM
to puppe...@googlegroups.com
Tom Beech updated an issue
Change By: Tom Beech
Fix Version/s: BOLT Next

Tom Beech (JIRA)

Jun 20, 2019, 8:01:03 PM
to puppe...@googlegroups.com
Tom Beech updated an issue
Change By: Tom Beech
Release Notes Summary: Adds an eyaml plugin and support for embedding eyaml data in the inventory.
Release Notes: New Feature

Alex Dreyer (JIRA)

Jun 20, 2019, 8:06:02 PM
to puppe...@googlegroups.com
Alex Dreyer updated an issue
Change By: Alex Dreyer
Release Notes Summary: Adds a hiera eyaml compatible pkcs7 plugin and support for embedding eyaml data in the inventory.

Michelle Fredette (JIRA)

Jun 21, 2019, 4:51:03 PM
to puppe...@googlegroups.com