I want to setup the salt pillar to make key value pairs available to a particular instance in a dynamic way. It appears that ext_pillar (which can be used to generate key pairs dynamically) cannot restrict access to particular minions. In my scenario minions can be destroyed and new ones can join automatically.
In this situation, one solution for my problem (which seems quite tedious and inefficient) is:
When a new minion is accepted on the Salt Master, via a script, generate the private data for that minion, and create a YAML file with this information as key-value pairs in the salt pillar directory.
Use a script to automatically edit the pillar top file to allow this minion access to the private data generated in the previous step.
Refresh the pillar data on that minion
Access the private data on the minion.
I am hoping there is a better way to do the same thing. Any ideas?
ext_pillar allows you return any data that you want. It is provided the minion id as well as the minion grains and other info. That allows you to decide what info to return from the ext_pillar. So you can, indeed, restrict access to data to particular minions.
Related
My app consists of two containers: the app itself and a database. I'm planning to wrap the app into a chart, thus paving a way for easy reproducible deployment.
Apart from setting/reading environment envs (which helm+kubernetes seems to handle really well), part of app's configuration is:
making sure the database is pre-filled with special auxiliary data (e.g. admin user exists, some user role names required to create new users are there, etc.).
I like the idea of having readable yaml files hold the entire configuration in a human readable format. However at a glance it doesn't seem that helm in any way would help with this (DB records) kind of configuration.
That being said, what is the best place to put code/configuration ensuring that DB contains certain auxiliary records? A config yaml file? An container init script, written in bash?
You are right, Kubernetes or Helm cannot help with preparing your pre-filled database records/schema.
You should probably have your application initialize those pre-filled data. If you don't want to put this logic into your application, you can ship an initialization script and configure an init container with Kubernetes.
Kubernetes makes sure every time your application container is restarted, the init container runs first. In the init container, you can execute a bash/python/... script that makes sure the records you want are there.
We are going to encrypt Mule servers and we need to store the private key for the same as environment variable. Where it should be stored ; in wrapper or in mule-conf xml OR could there be any other way to store the same?
It really depends what goal you have in mind - keep it secret/not readable, have it common for environment, have it common in cluster, share between projects/applications, have ability to modify, etc.
The most obvious and simplest way is to keep it in mule-project.xml.
Most important is the question - from whom it should be secret and not readable? You can store it(secret) in file which is readable only by particular user ID, so nobody (except root) can read it. You can store it in system environment variable. You can change it a little on the fly so nobody (even root) knows real value. However it will be in the application anyway (just before you submit it to encryption algorithm) and you don't trust your own application it will have this secret anyway. Determine whom you not trust and block them. But you cannot block absolutely everybody.
Most likely you want to prevent one environment (like DEV) to know secret for another environment (like PROD). Then store it is system environment variable and developers will not know it for PROD. Afraid that PROD root will use this secret by itself? Modify secret inside program (like add extra word) and root could not figure it out. But if developer who knows this approach tells root how to modify secret or vive versa root tells developer what is the system variable then we are back to stage where you cannot keep secret from absolutely everybody.
To make the question simple, I know that I can get some build information with https://jenkins_server/...///api/json|xml|python. And I get a lot of information for that build record.
However, I want to add more information to that build record. For example, the docker image created, or the tickets or files changed from last build to create release note, ... etc. How do I do that?
For now, I use a script to create a json file as an artifact and call that json file to get these information, but it seems a duplicate if I can add more data to the jenkins build object directly.
The Jenkins remote access API is designed to provide access to generic Jenkins-internal information, like build numbers, timestamps, fingerprints etc.
If you want to add your own data there, then you must extend Jenkins accordingly, e.g., by designing a plugin that advertises your (custom) information items as standard Jenkins-"internal" data. If you want to do that, you may want to have a look at they way fingerprint information is handled (I found that quite instructive).
However, I'd recommend that you stick with your current approach, and keep generic Jenkins-internal information separated from Job-specific data. It is less effort and clearly separates your own data from Jenkins' data.
I have a project running in vb.net. It's currently a very small project, so I have used XML serialization as the main way of storing information. I.e. creating a xml file in the .exe folder. and saving/reading from there.
Problem: Since the project is small, I have no SQL database setup and I would like to keep it that way. But I do want to create a user/password for access to the program.
What I have tried: I have tried using XML serialization, but hiding the xml file. Once I hide it, I'm unable to access the file (saying I have no permissions).
What's a good way to have the same utility without using SQL and not giving away security?
Hiding the file is pointless. You should simply hash the passwords and then store the data just as you do for any other data. That's exactly what you'd do if you were using a database too. When a user registers, you hash the password they provide and store the result. Anyone can then view the data without breaching security because they cannot get the original value from the hash. When a user logs in, you hash the password they provide and compare that to the value in the database and, if they match, the user is authenticated.
You should do some reading on hashing in general and also consider adding a salt for extra security, although that may not be worthwhile in this case.
I'm creating a user repository ldap backend for a series of web applications sharing the same users. I would like to store preference information in this ldap location. This way everything related to users is maintained in the same place and can be shared among all applications.
I'm thinking of a general structure like this:
ou=People,dc=domain,dc=com
uid=jdoe,ou=People,dc=domain,dc=com
ou=Preferences,uid=jdoe,dc=domain,dc=com
ou=firstpreference,ou=Preferences,uid=jdoe,dc=domain,dc=com
value : 123
value : 456
I have several questions:
Is jsut below the user entry the right place to start storing the preferences? What objectClass should this entry be? I'm experimenting with organizationalUnit but it doesn't seem right.
What is the best way to store name value pairs for the preferences? Here my best guest is to create an entry just below the preferences having a name and create the value just under it. This way I can account for multiple values. What should be the correct objectClass for those entries?
I'm working with OpenLDAP and wouldn't like to change the schemas that come with it. Is there a way to set this up using available schemas?
You can certainly store preferences as children of the user node. Alternatives would be on the user node itself or in a completely separate branch. Depends on how you will be maintaining it (who will have permissions, how granular the permissions are, how often new preferences and applications will be added, etc).
OU is the wrong object type. You should define your own schema to suit your application. Generally you want to keep schema changes to a minimum, so the schema you define should be designed to be extensible when new preferences / apps are needed.
You can either define an attribute for each preference and use the LDAP server's inbuilt name-value pair support. Or you can define a generic 'preferences' attribute and store the name and value in the data. Again, how you do it depends how many preferences there are, frequency of changes, ability to search and index fields, etc.
There's nothing to stop you using inbuilt types for everything. Just like there is nothing to stop you calling all your variables v1, v2 and your files stuff.txt. But when there aren't any inbuilt types that match your needs, this is the time to add your own. It's a pretty simple thing to do.
I don't think the LDAP directory would be the best place to store this, really. If it's web application preferences, you should store them with and in the web applications - in a shared fashion.
The LDAP directory is concerned with your user accounts, permissions, your organization's structure - I would not recommend putting application-specific settings inside the LDAP directory.
Marc
While LDAP is a versiatile read optimized database as appose to SQL being read/write optimized and NoSQL db's being key-value datastores. LDAP is great for large scale deployment with clustering already in mind that writes once and reads many times. But a use case that has many read/writes for key values then a NoSQL database like redis or memcached is better for basic key value datastores.