Re: Questions on credential rotation


Krannich, Bernd <bernd.krannich@...>
 

Hey Dan,

Thank you very much for your reply!

> I think there is overwhelming agreement that all components should allow credential rotation without downtime, where possible, so I would expect it is on many teams' radar. If not, I am happy to start conversations once we get to that phase of our project.

Sounds great. We are actively following the developments in bosh-deployment and cf-deployment also with respect to credhub integration. It would be great if you could send an update via this list once you have reached the next phase here.

Thanks,
Bernd

P.S.: > We view our project as being part of the 'rotate' component of Justin's vision. Repave is focused on recreating instances to a known-good state, which is something outside of our area of concern.
Yes, I meant to write:
CredHub [4] seems to be geared in the direction of “rotate”.
Repave is of course largely based on regular stemcell updates using BOSH.

P.P.S.: For the people reading through this thread, I corrected my footnotes which unfortunately pointed to the head of the master branch earlier:
[2] https://github.com/cloudfoundry/cf-release/blob/01ccfbbb01bb8824594f67529a4c325214507f08/templates/cf.yml#L640
[3] https://github.com/cloudfoundry/cf-release/blob/01ccfbbb01bb8824594f67529a4c325214507f08/templates/cf.yml#L872

From: Dan Jahner <djahner(a)pivotal.io>
Reply-To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Date: Thursday, 4. May 2017 at 22:22
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Subject: [cf-dev] Re: Questions on credential rotation

Hey Bernd,

I am the product manager of CredHub. We view our project as being part of the 'rotate' component of Justin's vision. Repave is focused on recreating instances to a known-good state, which is something outside of our area of concern.

The current roadmap for CredHub is focused on pulling credentials into our system; specifically BOSH deployment and service credentials, later application credentials. Once we have a solid footing for storing and managing access to these credentials, we plan to explore what possibilities exist for reducing the friction of credential rotation.

Although I haven't spent a long time investigating, I would agree with your characterization of the 3 classes of credentials. I think there is overwhelming agreement that all components should allow credential rotation without downtime, where possible, so I would expect it is on many teams' radar. If not, I am happy to start conversations once we get to that phase of our project.

Thanks,
Dan
On Thu, May 4, 2017 at 6:32 AM Krannich, Bernd <bernd.krannich(a)sap.com> wrote:
Hello all,

We love Justin Smith’s approach of “Rotate, Repair, Repave” [1] when it comes to security. Looking at how the “Rotate” aspect is handled in Cloud Foundry and other BOSH deployments today, we think there are currently three classes of credentials:

1. Credentials that can be rotated by updating them and doing a `bosh deploy` with zero downtime

2. Credentials that can be rotated by updating them and doing a `bosh deploy` involving a downtime [2]

3. Credentials that cannot be rotated easily at all [3]

A couple of questions here:

• Is the above summary accurate?

• For updates involving a downtime, the only naïve solution I could come up with is to support two sets of credentials during the transition. Are there any more strategies?

• Are there any efforts to turn credentials falling under #2 and #3 into ones that can be updated without downtime?

• CredHub [4] seems to be geared in the direction of “repave”. Is this the case and does this maybe even support work on the previous bullet?

Thanks in advance,
Bernd

[1] https://www.youtube.com/watch?v=NUXpz0Dni50
[2] https://github.com/cloudfoundry/cf-release/blob/master/templates/cf.yml#L634 might be a good example
[3] https://github.com/cloudfoundry/cf-release/blob/master/templates/cf.yml#L865 might be a good example
[4] https://github.com/cloudfoundry-incubator/credhub


Bernd Krannich
SAP Cloud Platform
SAP SE
Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany

E bernd.krannich(a)sap.com
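The "two sets of credentials during the transition" strategy raised in the second bullet above, worked through as an added example (not code from the thread, CredHub or cf-release): a hypothetical verifier that accepts both the outgoing and the incoming shared secret while clients are being switched, so the rotation completes without a downtime, and that rejects a client left on the old secret once it is retired. Secret values, the HMAC-based client/server exchange and all names are assumptions for illustration.

```python
import hmac
import hashlib


def sign(secret: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag a client attaches to a request (constructed scheme)."""
    return hmac.new(secret, message, hashlib.sha256).digest()


class Verifier:
    """Server side: accepts any secret in its current set, newest first.
    Holding old and new together during the transition is what removes
    the downtime from a rotation."""

    def __init__(self, secret: bytes):
        self.accepted = [secret]

    def stage_new_secret(self, new_secret: bytes) -> None:
        # Phase 1: start accepting the new secret while the old one stays valid.
        self.accepted.insert(0, new_secret)

    def retire_old_secrets(self) -> None:
        # Phase 3: after every client has switched, keep only the newest secret.
        del self.accepted[1:]

    def verify(self, message: bytes, tag: bytes) -> bool:
        # Constant-time comparison against each accepted candidate.
        return any(hmac.compare_digest(sign(s, message), tag) for s in self.accepted)


class Client:
    def __init__(self, secret: bytes):
        self.secret = secret

    def request(self, message: bytes) -> tuple:
        return message, sign(self.secret, message)


def rotate_without_downtime(old: bytes, new: bytes) -> list:
    """Run the three phases and record whether a request succeeds in each;
    a zero-downtime rotation yields True at every phase."""
    server, client, results = Verifier(old), Client(old), []
    results.append(server.verify(*client.request(b"ping")))  # before rotation
    server.stage_new_secret(new)                             # phase 1: server accepts both
    results.append(server.verify(*client.request(b"ping")))  # old secret still works
    client.secret = new                                      # phase 2: clients switch
    results.append(server.verify(*client.request(b"ping")))  # new secret works
    server.retire_old_secrets()                              # phase 3: old secret dropped
    results.append(server.verify(*client.request(b"ping")))  # still no interruption
    return results


def stale_client_rejected(old: bytes, new: bytes) -> bool:
    """A client that never switched fails only at the retire step, which is
    the point to check before phase 3 if an outage is to be avoided."""
    server = Verifier(old)
    server.stage_new_secret(new)
    server.retire_old_secrets()
    return not server.verify(*Client(old).request(b"ping"))
```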
