python / psf-salt

PSF infrastructure configuration
MIT License

Backup central key management #484

Closed ewdurbin closed 2 months ago

ewdurbin commented 2 months ago

Description

Alternative to #476.

This moves SSH key management to be the responsibility of a pillar extension. The keys are ultimately stored on the salt master host and can be regenerated/rotated by just deleting the files on disk. Also consolidates all backup configuration into a single file, which is nice!

Major disadvantage of this relative to #476 is that it does not ensure private keys are generated and resident to the backup client host.

ewdurbin commented 2 months ago

Demonstration of key management:

On backup host:

root@backup-server:~# salt-call pillar.get backup_keys
local:
    ----------
    downloads:
        ----------
        private:
            None
        public:
            ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJdCRhg1G7zrOA8yDo9EdO/hbCCimcBbktvobyZpoiTV downloads@backup
    python-docs:
        ----------
        private:
            None
        public:
            ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwei2CunIkeyqZNOZ9mKuX0pdqKA5JjGVj76ZDBO0Wd python-docs@backup

On downloads host:

root@downloads:~# salt-call pillar.get backup_keys
local:
    ----------
    downloads:
        ----------
        private:
            -----BEGIN OPENSSH PRIVATE KEY-----
            b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
            ...snipped even though this is just a dev environment...
            bCCimcBbktvobyZpoiTVAAAAEGRvd25sb2Fkc0BiYWNrdXABAgMEBQ==
            -----END OPENSSH PRIVATE KEY-----
        public:
            ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJdCRhg1G7zrOA8yDo9EdO/hbCCimcBbktvobyZpoiTV downloads@backup

On docs host:

root@docs:~# salt-call pillar.get backup_keys
local:
    ----------
    python-docs:
        ----------
        private:
            -----BEGIN OPENSSH PRIVATE KEY-----
            b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
            ...snipped even though this is just a dev environment...
            pdqKA5JjGVj76ZDBO0WdAAAAEnB5dGhvbi1kb2NzQGJhY2t1cAECAw==
            -----END OPENSSH PRIVATE KEY-----
        public:
            ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwei2CunIkeyqZNOZ9mKuX0pdqKA5JjGVj76ZDBO0Wd python-docs@backup

On a host with no backup configuration (salt-master):

root@salt-master:~# salt-call pillar.get backup_keys
local:
    ----------
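The arrangement described in the PR description and shown in the demonstration above, as an added example that is not psf-salt's code: a hypothetical Salt external pillar that keeps one ed25519 pair per backup client on the master, hands each client only its own private key, hands the backup server only the public keys, and returns nothing for unrelated minions. The `KEYS_DIR` path, the `clients` mapping, the use of `ssh-keygen` on the master, and all function names are assumptions.

```python
"""Hypothetical ext_pillar modelled on PR #484's description (added example, not psf-salt code).
Key pairs live on the salt master under KEYS_DIR; deleting a pair from disk rotates it on the
next pillar refresh. Backup clients get their private key; the backup server gets public keys only."""
import os
import subprocess

KEYS_DIR = "/srv/backup-keys"  # assumed location on the salt master


def _ssh_keygen(priv_path, comment):
    """Generate an ed25519 pair with ssh-keygen (assumed present on the master); ssh-keygen
    writes the private key with mode 0600 and the public key alongside as <name>.pub."""
    subprocess.run(["ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-C", comment, "-f", priv_path],
                   check=True)


def ensure_keypair(keys_dir, name, keygen=_ssh_keygen):
    """Return (private, public) for one backup client, generating the pair if it is absent."""
    priv_path = os.path.join(keys_dir, name)
    pub_path = priv_path + ".pub"
    if not (os.path.exists(priv_path) and os.path.exists(pub_path)):
        os.makedirs(keys_dir, mode=0o700, exist_ok=True)
        # Remove a stale half of a pair so a rotation is always a clean regeneration.
        for path in (priv_path, pub_path):
            if os.path.exists(path):
                os.remove(path)
        keygen(priv_path, f"{name}@backup")
    with open(priv_path) as priv, open(pub_path) as pub:
        return priv.read(), pub.read().strip()


def ext_pillar(minion_id, pillar, clients, backup_server, keys_dir=KEYS_DIR, keygen=_ssh_keygen):
    """clients maps backup-client minion id -> key name, e.g. {"downloads": "downloads",
    "docs": "python-docs"}; the result mirrors the `backup_keys` pillar shown in the PR."""
    keys = {}
    if minion_id == backup_server:
        # The server only needs to authorize the clients, so never ship it a private key.
        for name in clients.values():
            _, public = ensure_keypair(keys_dir, name, keygen)
            keys[name] = {"private": None, "public": public}
    elif minion_id in clients:
        # A client sees exactly one entry: its own pair.
        name = clients[minion_id]
        private, public = ensure_keypair(keys_dir, name, keygen)
        keys[name] = {"private": private, "public": public}
    return {"backup_keys": keys} if keys else {}
```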
github-actions[bot] commented 2 months ago

Don't forget to pull the latest changes on salt.nyc1.psf.io!