latchset / custodia

An API to manage secrets storage and retrieval
GNU General Public License v3.0

Secret management solutions research #241

Open moisesguimaraes opened 6 years ago

moisesguimaraes commented 6 years ago

Hi all o/

I'm working on a research to select a secret management solution to protect secrets on TripleO (OpenStack installer). The main goal is to secure secrets from the undercloud (undercloud-passwords.conf) ansible playbooks, hiera/puppet, openstack configuration files, and any other secret we have there.

This is the data I have collected so far, the lines are explained after the table:

    +-----------------------+-------------+-------------------+---------------+
    |           \           | Custodia    | Hashicorp Vault   | FreeIPA Vault |
    +-----------------------+-------------+-------------------+---------------+
    | open source           | yes         | yes               | yes           |
    +-----------------------+-------------+-------------------+---------------+
    | part of redhat        | yes         | no (hashicorp)    | yes           |
    +-----------------------+-------------+-------------------+---------------+
    | ansible integration   |             | yes               |               |
    +-----------------------+-------------+-------------------+---------------+
    | hiera integration     |             | yes               |               |
    +-----------------------+-------------+-------------------+---------------+
    | castellan integration | in progress | yes               |               |
    +-----------------------+-------------+-------------------+---------------+
    | barbican integration  | in progress | in progress       |               |
    +-----------------------+-------------+-------------------+---------------+
    | community             |             | irc, mail, gitter |               |
    +-----------------------+-------------+-------------------+---------------+
    | high availability     | ?           | yes               |               |
    +-----------------------+-------------+-------------------+---------------+
    | RDO package           |             | no                |               |
    +-----------------------+-------------+-------------------+---------------+
    | RHEL package          |             | no                |               |
    +-----------------------+-------------+-------------------+---------------+
    | Fedora package        |             | no                |               |
    +-----------------------+-------------+-------------------+---------------+
    | CentOS package        | no          | no                |               |
    +-----------------------+-------------+-------------------+---------------+
    | Maintenance burden    | high        | very low          |               |
    +-----------------------+-------------+-------------------+---------------+
    | Biggest issue         | maintenance | premium features  | performance   |
    +-----------------------+-------------+-------------------+---------------+

[ansible | hiera ] integration: can I retrieve a protected secret to a variable in an ansible playbook or chef recipe?

[ castellan | barbican ] integration: can this secret manager act as a backend to castellan or barbican?

community: where can I find help?

[RDO, RHEL, Fedora, CentOS] packages: are there packages available in these systems?

simo5 commented 6 years ago

So let me try to give you pointers I can figure out right away:

Now to the ones I do not understand:

Finally, note that Custodia is not really meant to store secrets, although it has sample code for doing that; its core strength is in giving you a simple REST API and a pluggable service that can be easily routed and transformed as needed, for segmentation/performance/other reasons.

moisesguimaraes commented 6 years ago

Hi @simo5,

Thanks for your help!

Maintenance burden means that features we'd like to have or bug fixes would have to be implemented by our team. We have in our team people contributing to custodia already. This issue is basically to figure out the FreeIPA Vault column. As freeipa/freeipa doesn't support issues, I was redirected to this repo at #freeipa irc channel.

Thanks also for highlighting that Custodia isn't meant to store secrets, I wasn't aware of that.

tiran commented 6 years ago

If you have questions concerning IPA vault, feel free to write a mail to the FreeIPA users mailing list. You can find information about the list on https://www.freeipa.org/page/Contribute

FreeIPA doesn't use github for issues. It's using pagure as issue tracker. The issue tracker is for bugs and feature requests. General questions should go on the users mailing list.