
 https://knowledge.broadcom.com/external/article?articleNumber=390800

How to use GPG encrypted YAML in your Salt configuration


Issue/Introduction

Some integrations with Salt, like GitFS, require storing sensitive secret data as part of the Salt master configuration in order for the Salt master to access those resources. These secrets should be stored and retrieved securely: plaintext credentials in the master configuration are readable by anyone who can read the configuration files, or the backups and version-control history that contain them. To mitigate this, Salt provides SDB ("Simple Database"), a pluggable mechanism for looking up secrets from an external store at the moment they are needed. There are multiple backends available; this example uses the yaml SDB driver with GPG-encrypted values, so that only the GPG keyring on the master can recover the password. See the SaltProject SDB documentation for more information. This guide provides a step-by-step process to encrypt the Git password and integrate it into Salt's configuration.

Environment

Aria Config - all versions

Tanzu Salt - all versions

SaltProject - all versions

Resolution

  1. Install dependencies
    1. Install GnuPG and rng-tools (rngd keeps the kernel entropy pool fed so key generation does not stall on a headless server)
      1. sudo yum install -y gnupg rng-tools
    2. Start RNG daemon
      1. sudo systemctl start rngd
      2. sudo systemctl enable rngd
  2. Create a passphrase-less key for the Salt master
    1. If the key has a passphrase, it will have to be entered each time the Salt master is started, so the renderer that decrypts the values expects a key without one
    2. Create GPG directory
      1. We'll store the GPG keyring under the Salt master configuration directory to help ensure it is accessible by the Salt master
      2. sudo mkdir -p /etc/salt/pki/gpg
      3. sudo chown -R $(whoami):$(whoami) /etc/salt/pki/gpg
      4. sudo chmod 700 /etc/salt/pki/gpg
      5. The directory must be readable by the user the salt-master process runs as (root by default). The chown above uses the current shell user; adjust it if that is not the master's user. Nobody else needs access: whoever can read this keyring can decrypt every secret that is encrypted to it.
    3. Create the key
      1. gpg --homedir=/etc/salt/pki/gpg --full-generate-key
      2. On GnuPG 2.1 and later, --gen-key uses default settings and only asks for a user ID; --full-generate-key (alias --full-gen-key) is the dialog that asks for the key type and size below. On older GnuPG use --gen-key.
      3. Choose RSA key
      4. key size 2048
      5. Key should not expire
      6. Put "Salt Master" for real name
      7. Leave email address blank
      8. No passphrase
    4. Find the GPG key ID
      1. Run the following command to list keys in your keyring and identify the <key_id>:
        1. gpg --homedir=/etc/salt/pki/gpg --list-keys
        2. Look for the string after pub (e.g., rsa2048/1234ABCD) where 1234ABCD is your <key_id>. GnuPG 2.1 and later print the 40-character fingerprint on the line below pub instead; the fingerprint works as <key_id> as well, or add --keyid-format long to see the 16-character ID.
    5. Export the GPG Key (optional, for backup)
      1. gpg --homedir=/etc/salt/pki/gpg --armor --export <key_id> > /etc/salt/pki/gpg/public.key
      2. gpg --homedir=/etc/salt/pki/gpg --armor --export-secret-key <key_id> > /etc/salt/pki/gpg/private.key
      3. The master decrypts with the keyring in /etc/salt/pki/gpg, not with these files. private.key is an unprotected copy of the secret key: keep it at mode 600, or move it to offline backup storage and delete it from the master. Without a backup, losing the keyring means re-encrypting every secret with a new key.
    6. Encrypt the Git Password
      1. echo -n "my_git_password" | gpg --homedir=/etc/salt/pki/gpg --armor --encrypt -r <key_id>
      2. The -n matters: without it the trailing newline is encrypted together with the password and Git authentication fails with a credential that looks correct. Copy the whole output, from -----BEGIN PGP MESSAGE----- to -----END PGP MESSAGE----- inclusive.
    7. Store Encrypted Password in YAML
      1. Use the example content below to create a git_secrets.yaml file. The encrypted block is the value of the key itself, written as a YAML literal block scalar (the | after the key, block indented beneath it). Salt's yaml SDB driver returns whatever value is stored under the requested key, so an extra nesting level would hand GitFS a dictionary instead of the password.
        1. git_password: |
             -----BEGIN PGP MESSAGE-----
             <encrypted_password_here>
             -----END PGP MESSAGE-----
        2. This file can live in any directory accessible by the Salt master, for example /etc/salt/git_secrets.yaml. It is not a direct part of the Salt master configuration. Make it owned by the master's user with mode 600: the contents are encrypted, but the key that decrypts them has no passphrase and sits on the same host, so file permissions on the keyring and on this file are the real access control.
    8. Configure the SDB backend in the Salt master configuration. This is probably best placed near the GitFS configuration, but it can go in any file ending with a .conf file extension under the /etc/salt/master.d directory. Two settings are needed: gpg_keydir, which tells the GPG renderer (used by the yaml driver for decryption) where the keyring is, since it defaults to /etc/salt/gpgkeys; and the SDB profile, which is a top-level key in the master config. git_secrets below is an arbitrary profile name; driver, files and gpg are the documented options of Salt's yaml SDB driver.
      1. gpg_keydir: /etc/salt/pki/gpg

         git_secrets:
           driver: yaml
           files:
             - /etc/salt/git_secrets.yaml
           gpg: true
    9. Configure GitFS to Use the Encrypted Password
      1. SDB URIs have the form sdb://<profile>/<key>. A URI without a profile part is not resolved at all and would be passed to Git literally as the password.
      2. gitfs_remotes:
           - https://your.git.repo/url:
             - user: your_git_user
             - password: sdb://git_secrets/git_password  # This is the important bit here to get your configuration to read from SDB
      3. The per-remote user and password parameters are only supported by the pygit2 GitFS provider.
    10. Restart the Salt master

Assuming the Salt master starts successfully, you now have a GPG encrypted secret that is retrievable by the Salt master. To check the lookup without touching GitFS, run salt-run sdb.get sdb://git_secrets/git_password on the master: it should print the plaintext password. If it prints the URI unchanged, the profile is not defined in the master config; if it prints None, the key is not in the YAML file; if it prints the armored block, either gpg: true is missing from the profile or the keyring in gpg_keydir cannot decrypt it.
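The whole procedure run end to end without interactive prompts, as an added example that is not part of the Broadcom article or of the Salt project's code. It replaces the interactive --full-generate-key dialog with GnuPG's unattended key generation (a batch parameter file), writes the secrets file and the master.d fragment in the layout of Salt's yaml SDB driver, and then decrypts the stored block with the same keyring, the way the master's GPG renderer would, which catches a wrong key ID or a stray trailing newline before the master is restarted. The profile name git_secrets, the key name git_password, the Git URL and user, the demo secret, and the temporary directory are placeholders; it assumes GnuPG 2.1 or later (for %no-protection) and gpgconf on the PATH.

```shell
#!/bin/sh
# Added example, not Broadcom's or the Salt project's code. Every path, the
# profile name "git_secrets", the Git URL/user and the demo secret are
# placeholders. Assumes GnuPG 2.1+ (batch %no-protection) and gpgconf.
set -eu

# Create a passphrase-less RSA-2048 key in the given GPG home directory with
# GnuPG's unattended key generation and print the new key's long key ID.
# The primary key signs/certifies; the subkey encrypts, which is what gpg -r uses.
make_salt_key() {
  local homedir="$1"
  mkdir -p "$homedir"
  chmod 700 "$homedir"
  gpg --homedir "$homedir" --batch --gen-key >&2 <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: Salt Master
Expire-Date: 0
%commit
EOF
  # In --with-colons output the "pub" record carries the key ID in field 5.
  gpg --homedir "$homedir" --list-keys --with-colons \
    | awk -F: '$1 == "pub" { print $5; exit }'
}

# Encrypt one secret to the key and print the ASCII-armored PGP message.
# printf '%s' (like echo -n in the article) avoids encrypting a trailing
# newline, which would otherwise become part of the password Git receives.
encrypt_secret() {
  local homedir="$1" keyid="$2" secret="$3"
  printf '%s' "$secret" \
    | gpg --homedir "$homedir" --batch --armor --trust-model always --encrypt -r "$keyid"
}

# Write the secrets file in the layout the yaml SDB driver expects: the armored
# block is the value of the top-level key, as a YAML literal block scalar.
write_secrets_yaml() {
  local file="$1" key="$2" armored="$3"
  {
    printf '%s: |\n' "$key"
    printf '%s\n' "$armored" | sed 's/^/  /'
  } > "$file"
  chmod 600 "$file"
}

# Write the master.d fragment: gpg_keydir for the GPG renderer, the SDB profile
# (top-level key), and a gitfs remote whose password is an sdb://<profile>/<key> URI.
write_master_config() {
  local file="$1" homedir="$2" secrets="$3"
  cat > "$file" <<EOF
gpg_keydir: $homedir

git_secrets:
  driver: yaml
  files:
    - $secrets
  gpg: true

gitfs_remotes:
  - https://your.git.repo/url:
    - user: your_git_user
    - password: sdb://git_secrets/git_password
EOF
}

# Pull the armored block back out of the YAML file and decrypt it with the same
# keyring, mirroring what the master's GPG renderer does at startup.
decrypt_from_yaml() {
  local homedir="$1" file="$2"
  sed -n '/BEGIN PGP MESSAGE/,/END PGP MESSAGE/p' "$file" \
    | sed 's/^  //' \
    | gpg --homedir "$homedir" --batch --quiet --decrypt
}

# Full round trip in a throwaway directory; prints the decrypted secret.
# For real use call the functions above with /etc/salt/pki/gpg and
# /etc/salt/git_secrets.yaml instead of the temporary paths.
demo() {
  local secret="${1:-s3cr3t-git-token}" tmp home keyid armored
  tmp="$(mktemp -d)"
  home="$tmp/gpg"
  keyid="$(make_salt_key "$home")"
  armored="$(encrypt_secret "$home" "$keyid" "$secret")"
  write_secrets_yaml "$tmp/git_secrets.yaml" git_password "$armored"
  write_master_config "$tmp/gitfs.conf" "$home" "$tmp/git_secrets.yaml"
  decrypt_from_yaml "$home" "$tmp/git_secrets.yaml"
  gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
  rm -rf "$tmp"
}

# RUN_DEMO=1 sh salt-gpg-sdb.sh runs the whole flow against a temporary keyring.
if [ "${RUN_DEMO:-0}" = "1" ]; then
  printf '%s\n' "$(demo)"
fi
```

The round trip is the useful part: if decrypt_from_yaml prints something other than the value passed to encrypt_secret, the master would have handed GitFS the same wrong value, and the two usual causes (a newline that went into the ciphertext, or a block encrypted to a key that is not in gpg_keydir) show up here instead of as an authentication failure in the master log.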

Additional Information
