search

saltstack-formulas / users-formula

Configure users via pillar
http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html
Other
99 stars 362 forks source link

[FEATURE] Implement storing ssh keys for users in separate pillar files #224

Open MurzNN opened 3 years ago

MurzNN commented 3 years ago

Is your feature request related to a problem?

In pillar.example there are example how to read keys from state files:

    ssh_keys:
      # or you can provide path to key on Salt fileserver
      privkey: salt://path_to_PRIVATEKEY
      pubkey: salt://path_to_PUBLICKEY

But storing private keys in state files is insecure, for example here is recommendation to not do this. And most of users will follow that example, without understanding the security risks when store private keys as files into state storage.

Also filling long private key text inside yaml is not good solution too, because operating with separate files is much more universal (eg for regenerating, reusing in other scripts).

Describe the solution you'd like

For solve this problem will be good to implement reading contents if ssh keys from file inside pillar structure.

Here is feature request about build-in support for this in SaltStack, so we could use something like this:

    ssh_keys:
      # or you can provide path to key on Salt fileserver
      privkey: pillar://path_to_PRIVATEKEY
      pubkey: pillar://path_to_PUBLICKEY

but it is closed with recommendation to use salt.pillar.file_tree, that isn't suitable for current task.

So, is it possible to implement this feature in users-formula itself? Or maybe you can provide some workaround for this?

Describe alternatives you've considered

Some alternatives are provided in issues https://github.com/saltstack/salt/issues/18406, https://github.com/saltstack/salt/issues/3790 and https://github.com/saltstack/salt/issues/1543 but they isn't good.

MurzNN commented 3 years ago

Here https://github.com/saltstack-formulas/nginx-formula/blob/master/pillar.example#L291 is example how this is implemented in nginx-formula:

  certificates:
    'www.example.com':

      # choose one of: deploying this cert by pillar (e.g. in combination with
      # ext_pillar and file_tree)
      # public_cert_pillar: certs:example.com:fullchain.pem
      # private_key_pillar: certs:example.com:privkey.pem

And here is the code that implement this: https://github.com/saltstack-formulas/nginx-formula/blob/cb98ed05c69af62c32e4b780498421cf4bdd2856/nginx/certificates.sls#L58-L62

MurzNN commented 3 years ago

At now I composed this workaround for store keys in separate plain files:

users:
  alice:
    ssh_keys:
      {%- import_text 'ssh-keys/alice_rsa' as ssl_cert %}
      privkey: |
        {{ ssl_cert|indent(8) }}
      {%- import_text 'ssh-keys/alice_rsa_pub' as ssl_cert_pub %}
      pubkey: |
        {{ ssl_cert_pub|indent(8) }}