Date
1 - 1 of 1
Questions on credential rotation
Grifalconi, Michael <michael.grifalconi@...>
Hello all,
I would like to follow up this discussion with a proposal:
We all know that ideally all credentials shall be easily rotated by changing the value and hitting `deploy`.
Unfortunately, this is not yet the case for many secrets living into CF components.
Until then, it would be awesome if we could agree on having some sort of guideline about credentials rotation.
The idea is to allow operators to easily understand what can be changed right away, what need more attention and what should not be touched at all for now.
You can find more details about the proposal here
https://docs.google.com/document/d/1Oaz0ld-d0oJxTZD5QJazy6TpnpZmdCxWEzTHnYF8BcE/edit?usp=sharing
Here you can see an example of how this 'guideline' could look like for the capi-release.
https://github.com/tyyko/capi-release/blob/credentials-rotation-wiki/docs/credentials-rotation-wiki.md
It would be great to hear what you think / if you have something else in mind to solve the issue!
Best regards,
Michael
From: "Krannich, Bernd" <bernd.krannich(a)sap.com>
Reply-To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Date: Saturday, 6. May 2017 at 12:03
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Subject: [cf-dev] Re: Re: Questions on credential rotation
Hey Dan,
Thank you very much for your reply!
Thanks,
Bernd
P.S.: > We view our project as being part of the 'rotate' component of Justin's vision. Repave is focused on recreating instances to a known-good state, which is something outside of our area of concern.
Yes, I meant to write:
P.P.S.: For the people reading through this thread, I corrected my footnotes which unfortunately pointed to the head of the master branch earlier:
[2] https://github.com/cloudfoundry/cf-release/blob/01ccfbbb01bb8824594f67529a4c325214507f08/templates/cf.yml#L640
[3] https://github.com/cloudfoundry/cf-release/blob/01ccfbbb01bb8824594f67529a4c325214507f08/templates/cf.yml#L872
From: Dan Jahner <djahner(a)pivotal.io>
Reply-To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Date: Thursday, 4. May 2017 at 22:22
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Subject: [cf-dev] Re: Questions on credential rotation
Hey Bernd,
I am the product manager of CredHub. We view our project as being part of the 'rotate' component of Justin's vision. Repave is focused on recreating instances to a known-good state, which is something outside of our area of concern.
The current roadmap for CredHub is focused on pulling credentials into our system; specifically BOSH deployment and service credentials, later application credentials. Once we have a solid footing for storing and managing access to these credentials, we plan to explore what possibilities exist for reducing the friction of credential rotation.
Although I haven't spent a long time investigating, I would agree with your characterization of the 3 classes of credentials. I think there is overwhelming agreement that all components should allow credential rotation without downtime, where possible, so I would expect it is on many teams' radar. If not, I am happy to start conversations once we get to that phase of our project.
Thanks,
Dan
On Thu, May 4, 2017 at 6:32 AM Krannich, Bernd <bernd.krannich(a)sap.com<mailto:bernd.krannich(a)sap.com>> wrote:
Hello all,
We love Justin Smith’s approach of “Rotate, Repair, Repave” [1] when it comes to security. Looking at how the “Rotate” aspect is handled in Cloud Foundry and other BOSH deployments today, we think there’s currently three classes of credentials:
1. Credentials that can be rotated by updating them and doing a `bosh deploy` with zero downtime
2. Credentials that can be rotated by updating them and doing a `bosh deploy` involving a downtime [2]
3. Credentials that cannot be rotated easily at all [3]
A couple of questions here:
• Is the above summary accurate?
• For updates involving a downtime, the only naïve solution I could come up with is to support two sets of credentials during the transition. Are there any more strategies?
• Are there any efforts to turn credentials falling under #2 and #3 into ones that can be updated without downtime?
• CredHub [4] seems to be geared in the direction of “repave”. Is this the case and does this maybe even support work on the previous bullet?
Thanks in advance,
Bernd
[1] https://www.youtube.com/watch?v=NUXpz0Dni50
[2] https://github.com/cloudfoundry/cf-release/blob/master/templates/cf.yml#L634 might be a good example
[3] https://github.com/cloudfoundry/cf-release/blob/master/templates/cf.yml#L865 might be a good example
[4] https://github.com/cloudfoundry-incubator/credhub
Bernd Krannich
SAP Cloud Platform
SAP SE
Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
E bernd.krannich(a)sap.com<mailto:bernd.krannich(a)sap.com>
Pflichtangaben/Mandatory Disclosure Statement: www.sap.com/impressum<http://www.sap.com/company/legal/impressum.epx/>
Diese E-Mail kann Betriebs- oder Geschäftsgeheimnisse oder sonstige vertrauliche Informationen enthalten. Sollten Sie diese E-Mail irrtümlich erhalten haben, ist Ihnen eine Kenntnisnahme des Inhalts, eine Vervielfältigung oder Weitergabe der E-Mail ausdrücklich untersagt. Bitte benachrichtigen Sie uns und vernichten Sie die empfangene E-Mail. Vielen Dank.
This e-mail may contain trade secrets or privileged, undisclosed, or otherwise confidential information. If you have received this e-mail in error, you are hereby notified that any review, copying, or distribution of it is strictly prohibited. Please inform us immediately and destroy the original transmittal. Thank you for your cooperation.
I would like to follow up this discussion with a proposal:
We all know that ideally all credentials shall be easily rotated by changing the value and hitting `deploy`.
Unfortunately, this is not yet the case for many secrets living into CF components.
Until then, it would be awesome if we could agree on having some sort of guideline about credentials rotation.
The idea is to allow operators to easily understand what can be changed right away, what need more attention and what should not be touched at all for now.
You can find more details about the proposal here
https://docs.google.com/document/d/1Oaz0ld-d0oJxTZD5QJazy6TpnpZmdCxWEzTHnYF8BcE/edit?usp=sharing
Here you can see an example of how this 'guideline' could look like for the capi-release.
https://github.com/tyyko/capi-release/blob/credentials-rotation-wiki/docs/credentials-rotation-wiki.md
It would be great to hear what you think / if you have something else in mind to solve the issue!
Best regards,
Michael
From: "Krannich, Bernd" <bernd.krannich(a)sap.com>
Reply-To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Date: Saturday, 6. May 2017 at 12:03
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Subject: [cf-dev] Re: Re: Questions on credential rotation
Hey Dan,
Thank you very much for your reply!
I think there is overwhelming agreement that all components should allow credential rotation without downtime, where possible, so I would expect it is on many teams' radar. If not, I am happy to start conversations once we get to that phase of our project.Sound great. We are actively following the developments in bosh-deployment and cf-deployment also with respect to credhub integration. It would be great if you could send an update via this list once you have reached the next phase here.
Thanks,
Bernd
P.S.: > We view our project as being part of the 'rotate' component of Justin's vision. Repave is focused on recreating instances to a known-good state, which is something outside of our area of concern.
Yes, I meant to write:
CredHub [4] seems to be geared in the direction of “rotate”.Repave is of course largely based on regular stemcell updates using BOSH.
P.P.S.: For the people reading through this thread, I corrected my footnotes which unfortunately pointed to the head of the master branch earlier:
[2] https://github.com/cloudfoundry/cf-release/blob/01ccfbbb01bb8824594f67529a4c325214507f08/templates/cf.yml#L640
[3] https://github.com/cloudfoundry/cf-release/blob/01ccfbbb01bb8824594f67529a4c325214507f08/templates/cf.yml#L872
From: Dan Jahner <djahner(a)pivotal.io>
Reply-To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Date: Thursday, 4. May 2017 at 22:22
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Subject: [cf-dev] Re: Questions on credential rotation
Hey Bernd,
I am the product manager of CredHub. We view our project as being part of the 'rotate' component of Justin's vision. Repave is focused on recreating instances to a known-good state, which is something outside of our area of concern.
The current roadmap for CredHub is focused on pulling credentials into our system; specifically BOSH deployment and service credentials, later application credentials. Once we have a solid footing for storing and managing access to these credentials, we plan to explore what possibilities exist for reducing the friction of credential rotation.
Although I haven't spent a long time investigating, I would agree with your characterization of the 3 classes of credentials. I think there is overwhelming agreement that all components should allow credential rotation without downtime, where possible, so I would expect it is on many teams' radar. If not, I am happy to start conversations once we get to that phase of our project.
Thanks,
Dan
On Thu, May 4, 2017 at 6:32 AM Krannich, Bernd <bernd.krannich(a)sap.com<mailto:bernd.krannich(a)sap.com>> wrote:
Hello all,
We love Justin Smith’s approach of “Rotate, Repair, Repave” [1] when it comes to security. Looking at how the “Rotate” aspect is handled in Cloud Foundry and other BOSH deployments today, we think there’s currently three classes of credentials:
1. Credentials that can be rotated by updating them and doing a `bosh deploy` with zero downtime
2. Credentials that can be rotated by updating them and doing a `bosh deploy` involving a downtime [2]
3. Credentials that cannot be rotated easily at all [3]
A couple of questions here:
• Is the above summary accurate?
• For updates involving a downtime, the only naïve solution I could come up with is to support two sets of credentials during the transition. Are there any more strategies?
• Are there any efforts to turn credentials falling under #2 and #3 into ones that can be updated without downtime?
• CredHub [4] seems to be geared in the direction of “repave”. Is this the case and does this maybe even support work on the previous bullet?
Thanks in advance,
Bernd
[1] https://www.youtube.com/watch?v=NUXpz0Dni50
[2] https://github.com/cloudfoundry/cf-release/blob/master/templates/cf.yml#L634 might be a good example
[3] https://github.com/cloudfoundry/cf-release/blob/master/templates/cf.yml#L865 might be a good example
[4] https://github.com/cloudfoundry-incubator/credhub
Bernd Krannich
SAP Cloud Platform
SAP SE
Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
E bernd.krannich(a)sap.com<mailto:bernd.krannich(a)sap.com>
Pflichtangaben/Mandatory Disclosure Statement: www.sap.com/impressum<http://www.sap.com/company/legal/impressum.epx/>
Diese E-Mail kann Betriebs- oder Geschäftsgeheimnisse oder sonstige vertrauliche Informationen enthalten. Sollten Sie diese E-Mail irrtümlich erhalten haben, ist Ihnen eine Kenntnisnahme des Inhalts, eine Vervielfältigung oder Weitergabe der E-Mail ausdrücklich untersagt. Bitte benachrichtigen Sie uns und vernichten Sie die empfangene E-Mail. Vielen Dank.
This e-mail may contain trade secrets or privileged, undisclosed, or otherwise confidential information. If you have received this e-mail in error, you are hereby notified that any review, copying, or distribution of it is strictly prohibited. Please inform us immediately and destroy the original transmittal. Thank you for your cooperation.