
 https://knowledge.broadcom.com/external/article?articleNumber=390800

How to use GPG encrypted YAML in your Salt configuration


Issue/Introduction

Some Salt integrations, such as GitFS, require sensitive data (for example a Git password) to be stored in the Salt master configuration so that the master can reach those resources. These secrets should be stored and retrieved securely: keeping plaintext credentials in the configuration is a security risk. To mitigate this, Salt provides SDB, a mechanism for retrieving secrets securely at runtime. Several SDB backends are available; this example uses GPG-encrypted YAML. See the SaltProject SDB documentation for more information (see link in Additional Information). This guide provides a step-by-step process to encrypt the Git password and integrate it into the Salt master configuration.

Environment

Aria Config - all versions

Tanzu Salt - all versions

SaltProject - all versions

Resolution

  1. Install dependencies
    1. Install GnuPG and rng-tools
      1. sudo yum install -y gnupg rng-tools
    2. Start RNG daemon
      1. sudo systemctl start rngd
      2. sudo systemctl enable rngd
  2. Create a passphrase-less key for the Salt master
    1. If a passphrase-less key is not used, the passphrase will need to be entered each time the Salt master is started
    2. Create GPG directory
      1. We'll store the GPG keyring under the Salt master configuration directory to help ensure it is accessible by the Salt master
      2. sudo mkdir -p /etc/salt/pki/gpg
      3. sudo chown -R $(whoami):$(whoami) /etc/salt/pki/gpg
      4. sudo chmod 700 /etc/salt/pki/gpg
    3. Create the key
      1. gpg --homedir=/etc/salt/pki/gpg --gen-key
      2. Choose RSA key
      3. key size 2048
      4. Key should not expire
      5. Put "Salt Master" for real name
      6. Leave email address blank
      7. No passphrase
    4. Find the GPG key ID
      1. Run the following command to list keys in your keyring and identify the <key_id>:
        1. gpg --homedir=/etc/salt/pki/gpg --list-keys
        2. Look for the string after pub (e.g., rsa2048/1234ABCD) where 1234ABCD is your <key_id>.
    5. Export the GPG Key
      1. gpg --homedir=/etc/salt/pki/gpg --armor --export <key_id> > /etc/salt/pki/gpg/public.key
      2. gpg --homedir=/etc/salt/pki/gpg --armor --export-secret-key <key_id> > /etc/salt/pki/gpg/private.key
    6. Encrypt the Git password
      1. echo -n "my_git_password" | gpg --homedir=/etc/salt/pki/gpg --armor --encrypt -r <key_id>
      2. The command prints an ASCII-armored PGP message; this is the value stored in the next step
    7. Store the encrypted password in YAML
      1. Use the example content below to create a git_secrets.yaml file
         git_password:
           gpg: |
             -----BEGIN PGP MESSAGE-----
             <encrypted_password_here>
             -----END PGP MESSAGE-----
      2. This file can live in any secure directory accessible by the Salt master. It is not a direct part of the Salt master configuration.
    8. Configure the SDB backend in the Salt master configuration. This is probably best placed near the GitFS configuration, but it can go in any file with a .conf extension under the /etc/salt/master.d directory
         sdb:
           gpg:
             gpg_keydir: /etc/salt/pki/gpg
             gpg_keyname: <key_id>
             gpg_decrypt: true
    9. Configure GitFS to use the encrypted password
         gitfs_remotes:
           - https://your.git.repo/url:
             - user: your_git_user
             - password: sdb://git_password  # This is the important bit: it makes the configuration read the value from SDB
    10. Restart the Salt master

Assuming the Salt master starts successfully, you now have a GPG-encrypted secret that is retrievable by the Salt master.
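As an added check (example code written for this article, not part of Salt or the original guide), the following Python script lints the two files the procedure produces: it flags any password: entry in a master.d fragment that is not an sdb:// reference, and confirms that the git_secrets.yaml entry holds an ASCII-armored PGP message rather than a plaintext value. The sample inputs are constructed, and the second Git remote is hypothetical.

```python
import re

# Constructed samples, not real config: a /etc/salt/master.d/*.conf fragment in the guide's
# shape (first remote uses SDB, second hypothetically still holds plaintext) and a
# git_secrets.yaml whose PGP body is a placeholder rather than real ciphertext.
SAMPLE_MASTER_CONF = """\
gitfs_remotes:
  - https://your.git.repo/url:
    - user: your_git_user
    - password: sdb://git_password  # read from SDB, as in the guide
  - https://other.git.repo/url:
    - user: other_user
    - password: hunter2
"""
SAMPLE_SECRETS_YAML = """\
git_password:
  gpg: |
    -----BEGIN PGP MESSAGE-----
    <encrypted_password_here>
    -----END PGP MESSAGE-----
"""

# "password: value", as a list item or not; a trailing YAML comment is ignored.
PASSWORD_RE = re.compile(r"^\s*-?\s*password\s*:\s*(?P<value>.+?)\s*(#.*)?$")

def find_plaintext_passwords(conf_text):
    """Return (line_no, value) for every password entry that is not an sdb:// reference."""
    findings = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = PASSWORD_RE.match(line)
        if m and not (value := m.group("value").strip("'\" ")).startswith("sdb://"):
            findings.append((n, value))
    return findings

def secrets_entry_is_armored(yaml_text, key):
    """True if <key> holds a 'gpg: |' block framed by BEGIN/END PGP MESSAGE lines."""
    lines = yaml_text.splitlines()
    starts = [i for i, l in enumerate(lines) if l.strip() == key + ":"]
    if not starts:
        return False
    block = []
    for l in lines[starts[0] + 1:]:
        if l and not l[0].isspace():  # the next top-level key ends this entry
            break
        block.append(l.strip())
    begin, end = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"
    if "gpg: |" not in block or begin not in block or end not in block:
        return False
    return block.index(end) > block.index(begin) + 1  # at least one ciphertext line
```

Run it against the real files by reading /etc/salt/master.d/*.conf and your git_secrets.yaml into the two functions; any finding from find_plaintext_passwords is a credential that has not yet been moved into SDB.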

Additional Information
