Opened 19 months ago

Last modified 13 months ago

#30009 needs_review project

consider trocla for secrets management in puppet

Reported by: anarcat
Owned by: anarcat
Priority: Low
Milestone:
Component: Internal Services/Tor Sysadmin Team
Version:
Severity: Major
Keywords:
Cc:
Actual Points:
Parent ID: #29387
Points:
Reviewer:
Sponsor:


secrets generated by puppet currently use a custom hkdf function that is homegrown. the ad-hoc standard for this in the puppet community I'm usually working with is trocla, which is well integrated with puppet.

Trocla generates, on the fly, a strong random password for each key you ask it. It also supports various hashing mechanisms (bcrypt, pgsql, x509, etc) so that the Puppet client never actually sees the cleartext. It seems like a better approach than sending the cleartext like we currently do.

So I'd like to start using this for new code and possibly convert existing code to this, if that's acceptable.
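As an added illustration of the approach described above (this is not trocla's own code, nor anything from the TPA Puppet repository), the following Python model generates one strong random password per key on first request and hands it out either as cleartext or in a hashed form, so a consumer that only needs the hash never receives the cleartext. The dict `store`, the function names, the `grafana_db` key and the `pbkdf2` format (standing in for trocla's bcrypt output, since bcrypt is not in the standard library) are all assumptions of this example; the `pgsql` output follows PostgreSQL's legacy `md5` password format.

```python
"""Toy model of trocla's approach: one strong random password per key, created
on first request and returned in the format the consumer asks for.
Constructed illustration only; trocla itself is a Ruby library with a
persistent YAML/moneta backend, modelled here by a plain dict."""
import hashlib
import hmac
import secrets
import string
from typing import Dict, Optional

ALPHABET = string.ascii_letters + string.digits
DEFAULT_LENGTH = 32
PBKDF2_ROUNDS = 200_000


def _generate_password(length: int = DEFAULT_LENGTH) -> str:
    # CSPRNG-backed selection; never random.random() for secrets.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def get_password(store: Dict[str, str], key: str, fmt: str = "plain",
                 *, username: Optional[str] = None,
                 length: int = DEFAULT_LENGTH) -> str:
    """Return the secret for `key` in format `fmt`, generating it on first use.

    `store` stands in for trocla's backend and lives on the Puppet master, so a
    client that asks only for a hashed format never sees the cleartext.
    """
    if key not in store:
        store[key] = _generate_password(length)
    plain = store[key]

    if fmt == "plain":
        return plain
    if fmt == "pgsql":
        # PostgreSQL legacy md5 format: "md5" + md5(password + username)
        if username is None:
            raise ValueError("pgsql format needs username=")
        return "md5" + hashlib.md5((plain + username).encode()).hexdigest()
    if fmt == "pbkdf2":
        # Stand-in for the bcrypt format: salted, slow hash that a service
        # can store and verify against without ever holding the password.
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, PBKDF2_ROUNDS)
        return f"$pbkdf2-sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"
    raise ValueError(f"unsupported format: {fmt}")


def verify_pbkdf2(candidate: str, stored: str) -> bool:
    """Check a cleartext candidate against a `pbkdf2` format string."""
    try:
        _, algo, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    # Constant-time comparison of the hex digests.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    backend: Dict[str, str] = {}  # constructed in-memory backend
    # The database side is given only the hash ...
    print(get_password(backend, "grafana_db", "pgsql", username="grafana"))
    # ... while the application config gets the cleartext of the same secret.
    print(get_password(backend, "grafana_db", "plain"))
```

The point to notice is that both calls resolve to the same stored password, so the hashed copy handed to one host and the cleartext handed to another stay consistent, and the hash-only host has nothing to leak.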

Child Tickets

Change History (3)

comment:1 Changed 19 months ago by anarcat

Owner: changed from tpa to anarcat
Parent ID: #29387
Status: new → assigned

this is part of the larger question of how to publish our repository, as I believe that using (and contributing to) a module commonly used by the community (trocla) is more in line with the sharing approach than the current implementation that is custom-made for TPO.

comment:2 Changed 13 months ago by anarcat

Status: assigned → needs_review

trocla's puppet module ( has been merged into our infrastructure and is being tested for grafana authentication (#30023).

comment:3 Changed 13 months ago by anarcat

after a bumpy start, this seems to be working well now. I added documentation on trocla (and incidentally, hkdf while I was there) in the Puppet docs/wiki. that will need to be updated if we convert from hkdf().
