[Infra] Service accounts and secret storage

Hey all,

Continuing the theme of "reducing the bus factor", I want to talk about
the accounts we use for things like Rackspace, Scaleway, etc.

Currently the rackspace account actually sends emails to a Red Hat
address - whilst this is "ok" I'd rather the community had its own
email address in there. Likewise I'm about to create an account on
Scaleway and I'd like to avoid using my own Red Hat account.

We don't have a mailserver for "*@theforeman.org" currently, and it's
probably overkill to run one. My solution would be to register a new
GMail account for infra stuff (theforeman@gmail.com or similar) and use
that for this kind of thing - does that work?

Then there's the matter of passwords - I don't want to be the only one
who can access this stuff (really bad bus factor :P). It also needs to
be easy to add/remove people who can see it. My thoughts turn to GPG -
perhaps a simple private Gist of the encrypted data, encrypted with
all the keys of the people who are allowed to read it? That's easy to
re-encrypt later if the list of people/keys changes. Or we could host
the textfile somewhere (on the foreman.org?) I guess…

Thoughts?
Greg

Thanks for doing this. I'd suggest the easiest way possible, just create the
accounts and share passwords with the rest who should have access. But if
others prefer GPG, then secret gist sounds reasonable.

On Monday 26 June 2017 14:31:32 CEST Greg Sutcliffe wrote:


Marek

>Continuing the theme of "reducing the bus factor", I want to talk about
>the accounts we use for things like Rackspace, Scaleway, etc.
>
>Currently the rackspace account actually sends emails to a Red Hat
>address - whilst this is "ok" I'd rather the community had its own
>email address in there. Likewise I'm about to create an account on
>Scaleway and I'd like to avoid using my own Red Hat account.
>
>We don't have a mailserver for "*@theforeman.org" currently, and it's
>probably overkill to run one. My solution would be to register a new
>GMail account for infra stuff (theforeman@gmail.com or similar) and use
>that for this kind of thing - does that work?

I know oVirt has a private mailing list for this, but they already have
their own mailserver, so maybe a gmail account is good enough for us. Now
that they're going to stop processing emails it might even be OK to use.

>Then there's the matter of passwords - I don't want to be the only one
>who can access this stuff (really bad bus factor :P). It also needs to
>be easy to add/remove people who can see it. My thoughts turn to GPG -
>perhaps a simple private Gist of the encrypted data, encrypted with
>all the keys of the people who are allowed to read it? That's easy to
>re-encrypt later if the list of people/keys changes. Or we could host
>the textfile somewhere (on the foreman.org?) I guess…

Personally I like pass. It's basically a nice wrapper around gpg and
a neat directory structure with optional git integration. Since it can
encrypt files with multiple GPG keys it's usable for teams, but I
have no experience with that part. We could simply store the git
repository somewhere on a foreman server or create a private gitlab
repository.

On Mon, Jun 26, 2017 at 01:31:32PM +0100, Greg Sutcliffe wrote:
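A worked example added here (it is not code from the thread, from pass, or from the Foreman project) of the scheme Greg proposed above and that pass implements: one secrets file encrypted to every authorised member's GPG key, re-encrypted whenever the list of members changes. It assumes GnuPG 2.1 or later on PATH; the file names (team.keys, secrets.txt, secrets.gpg) and the alice/bob identities used by demo() are hypothetical, and the throwaway keys are generated in temporary keyrings so nothing touches a real ~/.gnupg.

```shell
#!/bin/sh
# Added example, not code from the thread or the Foreman project.
# Assumes GnuPG 2.1+ on PATH. team.keys, secrets.txt and the alice/bob
# identities are hypothetical; keys live only in temporary GNUPGHOMEs.
set -eu

# Encrypt plaintext $1 to every key id / user id listed one per line in
# $2, writing the ciphertext to $3. Anyone holding one of the listed
# private keys can decrypt; nobody else can. (pass keeps the same list
# in its .gpg-id file.)
encrypt_to_team() {
    plain=$1 keylist=$2 out=$3
    set --
    while IFS= read -r kid; do
        case $kid in ''|'#'*) continue ;; esac
        set -- "$@" -r "$kid"
    done < "$keylist"
    # --trust-model always: the key list *is* the access-control list, so
    # the web of trust is not consulted. Verify fingerprints before adding.
    gpg --batch --yes --quiet --trust-model always "$@" -o "$out" -e "$plain"
}

# Decrypt $1 to stdout with whichever listed private key is in GNUPGHOME.
decrypt_file() {
    gpg --batch --quiet -d "$1"
}

# Membership change: decrypt with a current member's key, encrypt again to
# the updated list. A removed member cannot read the new file, but may still
# hold old copies (or the git history), so rotate the secrets themselves too.
reencrypt_for_team() {
    enc=$1 keylist=$2
    tmp=$(mktemp)
    decrypt_file "$enc" > "$tmp"
    encrypt_to_team "$tmp" "$keylist" "$enc"
    rm -f "$tmp"
}

# Run "$@" with GNUPGHOME set to $1 (call inside a subshell to keep it local).
as_member() {
    GNUPGHOME=$1; export GNUPGHOME; shift; "$@"
}

# Walk-through with throwaway keys: alice and bob are members, bob leaves,
# the file is re-encrypted, and bob can no longer read it. Returns 0 if
# every expectation holds, 1 otherwise.
demo() {
    work=$(mktemp -d)
    for u in alice bob; do
        mkdir -m 700 "$work/$u"
        echo allow-loopback-pinentry > "$work/$u/gpg-agent.conf"
        GNUPGHOME="$work/$u" gpg --batch --yes --quiet --pinentry-mode loopback \
            --passphrase '' --quick-generate-key "$u@example.invalid" default default never
    done
    # Members exchange public keys (in practice via verified fingerprints, a keyserver or the repo).
    GNUPGHOME="$work/bob"   gpg --batch --export bob@example.invalid   | GNUPGHOME="$work/alice" gpg --batch --quiet --import
    GNUPGHOME="$work/alice" gpg --batch --export alice@example.invalid | GNUPGHOME="$work/bob"   gpg --batch --quiet --import

    # Constructed sample secrets and the initial member list.
    printf 'rackspace: hunter2\nscaleway: correct-horse\n' > "$work/secrets.txt"
    printf 'alice@example.invalid\nbob@example.invalid\n' > "$work/team.keys"

    ( as_member "$work/alice" encrypt_to_team "$work/secrets.txt" "$work/team.keys" "$work/secrets.gpg" )
    # Both current members can read it.
    [ "$(as_member "$work/alice" decrypt_file "$work/secrets.gpg")" = "$(cat "$work/secrets.txt")" ] || return 1
    [ "$(as_member "$work/bob"   decrypt_file "$work/secrets.gpg")" = "$(cat "$work/secrets.txt")" ] || return 1

    # bob leaves: drop his key from the list and re-encrypt as alice.
    printf 'alice@example.invalid\n' > "$work/team.keys"
    ( as_member "$work/alice" reencrypt_for_team "$work/secrets.gpg" "$work/team.keys" )
    [ "$(as_member "$work/alice" decrypt_file "$work/secrets.gpg")" = "$(cat "$work/secrets.txt")" ] || return 1
    if ( as_member "$work/bob" decrypt_file "$work/secrets.gpg" ) > /dev/null 2>&1; then
        return 1   # bob must NOT be able to read the new ciphertext
    fi

    for u in alice bob; do GNUPGHOME="$work/$u" gpgconf --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$work"
    return 0
}
```

Run `demo` to see the whole cycle with temporary keys, or point the three functions at a real keyring and a team.keys committed next to the ciphertext. pass does exactly this for a whole directory: `pass init alice bob` writes the ids to .gpg-id and encrypts every entry to them, and running `pass init` again with the new list re-encrypts the store after someone joins or leaves.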

Hi,

> We don't have a mailserver for "*@theforeman.org" currently, and it's
> probably overkill to run one. My solution would be to register a new
> GMail account for infra stuff (theforeman@gmail.com or similar) and use
> that for this kind of thing - does that work?

While I don't like GMail, that sounds like a sensible way to go, lacking
the alternatives.

> Then there's the matter of passwords - I don't want to be the only one
> who can access this stuff (really bad bus factor :P). It also needs to
> be easy to add/remove people who can see it. My thoughts turn to GPG -
> perhaps a simple private Gist of the encrypted data, encrypted with
> all the keys of the people who are allowed to read it? That's easy to
> re-encrypt later if the list of people/keys changes. Or we could host
> the textfile somewhere (on the foreman.org?) I guess…

In addition to pass, Ewoud already mentioned, I was recommended passbolt
(https://www.passbolt.com) and gopass (https://www.justwatch.com/gopass),
which is a rewrite of pass.

Regards

On Mon, Jun 26, 2017 at 01:31:32PM +0100, Greg Sutcliffe wrote:

--
Michael Moll

Throwing yet another idea out there. Ansible Vault allows encrypting yaml
key value files and storing the encrypted file in git so that it can be
shared and stored in source control.

Eric

On Jun 27, 2017 5:37 AM, "Michael Moll" wrote:
You received this message because you are subscribed to the Google Groups
"foreman-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

> Hi,
>
> While I don't like GMail, that sounds like a sensible way to go,
> lacking the alternatives.

I agree, but it's just for password recovery and so forth, so that it's
not tied to a single person. I don't expect to use it for anything
else.

> In addition to pass, Ewoud already mentioned, I was recommended
> passbolt (https://www.passbolt.com) and gopass (https://www.justwatch
> .com/gopass), which is a rewrite of pass.

I'll check those out, but tbh I'm wary of adding yet more 3rd-party
SaaS systems (even if they're FOSS), it's just more dependencies.
Thinking about it, a GPG encrypted file somewhere on
downloads.theforeman.org would be enough, no?

On Tue, 2017-06-27 at 11:37 +0200, Michael Moll wrote:

On Tue, 2017-06-27 at 06:20 -0400, Eric D Helms wrote:

> Throwing yet another idea out there. Ansible Vault allows encrypting
> yaml key value files and storing the encrypted file in git so that it
> can be shared and stored in source control.

Maybe I’m missing something, but where’s the value in Ansible here?
We’re not talking about API secrets for automation, we’re talking about
login details for the various services we use - i.e. for use by humans.

Greg

Ugh, do research before writing :P

So pass / gopass not hosted, just passbolt - possible, but would
require us to either host a simple git repo on the foreman infra (not a
big deal if it's SSH-access only anyway), or store it on GitHub
(probably not a good idea). Happy to go down that road if that's the
consensus.

Greg

On Tue, 2017-06-27 at 11:37 +0200, Michael Moll wrote:

Oh the mounts are an interesting feature of gopass. Annoying that
they're not in the base system even though they do have binary packages.

On Tue, Jun 27, 2017 at 11:37:35AM +0200, Michael Moll wrote:

>> Hi,
>>
>> While I don't like GMail, that sounds like a sensible way to go,
>> lacking the alternatives.
>
>I agree, but it's just for password recovery and so forth, so that it's
>not tied to a single person. I don't expect to use it for anything
>else.

What are the options to use a @theforeman.org email address? Looks like
google now requires money for that where it used to be free. The
advantage would be that we can easily change the provider without
changing all accounts.

>> In addition to pass, Ewoud already mentioned, I was recommended
>> passbolt (https://www.passbolt.com) and gopass (https://www.justwatch
>> .com/gopass), which is a rewrite of pass.
>
>I'll check those out, but tbh I'm wary of adding yet more 3rd-party
>SaaS systems (even if they're FOSS), it's just more dependencies.
>Thinking about it, a GPG encypted file somwehere on
>downloads.theforeman.org would be enough, no?

Both pass and gopass operate on files/directories. Sync can happen
through git. Given there are also browser plugins you have the best of
both worlds (IMHO).

On Tue, Jun 27, 2017 at 11:51:55AM +0100, Greg Sutcliffe wrote:

> On Tue, 2017-06-27 at 06:20 -0400, Eric D Helms wrote:
> > Throwing yet another idea out there. Ansible Vault allows encrypting
> > yaml key value files and storing the encrypted file in git so that it
> > can be shared and stored in source control.
>
> Maybe I'm missing something, but where's the value in Ansible here?
> We're not talking about API secrets for automation, we're talking about
> login details for the various services we use - i.e. for use by humans.

I agree that vault is not ideal.

Ohad will have to answer this, he still manages the DNS - there may be
mailforward options there (I use mailforward records on my DNS, via
ZoneEdit / EasyDNS)

Greg

On Tue, 2017-06-27 at 13:03 +0200, Ewoud Kohl van Wijngaarden wrote:

> >
> > What are the options to use a @theforeman.org email address? Looks
> > like google now requires money for that where it used to be free.
> > The advantage would be that we can easily change the provider
> > without changing all accounts.
>
> Ohad will have to answer this, he still manages the DNS - there may be
> mailforward options there (I use mailforward records on my DNS, via
> ZoneEdit / EasyDNS)
>

Are you suggesting to host mail infra ourselves, pay Google or some other
alternative?
Changing DNS records is a non-issue.

thanks,
Ohad

On Tue, Jun 27, 2017 at 5:33 PM, Greg Sutcliffe wrote:


Just my $.02, but a lot of registrars provide a free mail forwarding
service. Could setup a private distribution list through google groups or
the like to forward mails to for the shared email.

On Tue, Jun 27, 2017 at 10:43 AM Ohad Levy wrote:

>
> Are you suggesting to host mail infra ourself

Nope.

> pay to google

Nope.

> or some other alternative? Changing DNS records is a non issue.

I'm talking about Mail Redirects or Mail Forwards -
https://support.dnsimple.com/articles/email-forwarding/

In my DNS control panel at EasyDNS, there is a section marked "Mail
Forwards". These redirect incoming emails to other addresses, for
example:

scaleway@theforeman.org -> greg.sutcliffe@gmail.com

and so on. They are one way only (I can't send emails as the former,
only receive), but for site registrations / password recovery it's
ideal. In this case it would also be easy to update these targets if
the original person moves on.

I have no idea if your DNS has this feature though - in my case, I get
it for free on top of what I already pay for my DNS.

Greg

On Tue, 2017-06-27 at 17:43 +0300, Ohad Levy wrote:

>Just my $.02, but a lot of registrars provide a free mail forwarding
>service. Could setup a private distribution list through google groups or
>the like to forward mails to for the shared email.

That could work just as well though we should have some archive
somewhere.

On Tue, Jun 27, 2017 at 02:44:49PM +0000, Neil Hanlon wrote:

> On Tue, Jun 27, 2017 at 10:43 AM Ohad Levy wrote:
> > Are you suggesting to host mail infra ourselves, pay Google or some other
> > alternative?
> > Changing DNS records is a non-issue.

I don’t have a specific preference but using an email address
@theforeman.org doesn’t pin us on a specific provider and allows
migrations.

> > Just my $.02, but a lot of registrars provide a free mail forwarding
> > service. Could setup a private distribution list through google groups or
> > the like to forward mails to for the shared email.
>
> That could work just as well though we should have some archive somewhere.
>
> I don't have a specific preference but using an email address
> @theforeman.org doesn't pin us on a specific provider and allows
> migrations.

I don't mind setting that up- any suggested friendly providers?

On Tue, Jun 27, 2017 at 5:51 PM, Ewoud Kohl van Wijngaarden <ewoud@kohlvanwijngaarden.nl> wrote:

> >
> > Are you suggesting to host mail infra ourself
>
> Nope.
>
> > pay to google
>
> Nope.
>
> > or some other alternative? Changing DNS records is a non issue.
>
> I'm talking about Mail Redirects or Mail Forwards -
> https://support.dnsimple.com/articles/email-forwarding/
>
> In my DNS control panel at EasyDNS, there is a section marked "Mail
> Forwards". These redirect incoming emails to other addresses, for
> example:
>
> scaleway@theforeman.org -> greg.sutcliffe@gmail.com
>
> and so on. They are one way only (I can't send emails as the former,
> only receive), but for site registrations / password recovery it's
> ideal. In this case it would also be easy to update these targets if
> the original person moves on.
>
> I have no idea if your DNS has this feature though - in my case, I get
> it for free on top of what I already pay for my DNS.
>

ACK.

If you require that account, please provide me off-list user@theforeman.org
-> email

On Tue, Jun 27, 2017 at 5:54 PM, Greg Sutcliffe wrote: