passbolt-salt/README.md

# About
This Python module allows you to manage secrets for Saltstack via Passbolt. This makes managing secrets easier than manually encrypting them and storing the encrpyted password in the Saltstack repository.

Additionally, it is possible to only have one source of truth for passwords for users and IT infrastructure while being able to manage access for each password. That means that all users can contribute to the Saltack configuration and manage (view/add/change) secrets within their responsibility.

# License
[MIT](LICENSE)

# Production Setup

1. Go to your Salt master and install the module with `salt-pip`

    ```shell
    salt-pip install passbolt-salt
    ```

    This will install this module and its dependencies.

3. Create a Passbolt account for the Salt master.

4. Copy the private and public PGP key files to `/etc/salt`.

5. Import the new Passbolt private key on the Salt master:
    ```shell
    gpg --import /etc/salt/passbolt_private.asc
    ```

6. Create a `/etc/salt/passbolt.ini` file with the following content:
    ```ini
    [PASSBOLT]
    SERVER = https://passbolt.example.com
    #SERVER_PUBLIC_KEY_FILE = <optional: server_public.asc>
    USER_FINGERPRINT = [REPLACE WITH GPG KEY FINGERPRINT]
    USER_PUBLIC_KEY_FILE = /etc/salt/passbolt_public.asc
    USER_PRIVATE_KEY_FILE = /etc/salt/passbolt_private.asc
    PASSPHRASE = [REPLACE WITH PASSBOLT USER PASSWORD]
    ```

7. Change file permissions:
    ```shell
    chown salt /etc/salt/passbolt*
    chmod 600 /etc/salt/passbolt*
    ```

# Use Passwords of Passbolt Group in Pillar
Look into the [example](example) directory to see how the integration is done.

1. Create Pillar sls files for the different Salt minions, insert the content below and replace the group UUID.
    ```python
    #!py
    def run():
        from salt_passbolt import fetch_passbolt_passwords
        return fetch_passbolt_passwords("27b9abd4-af9b-4c9e-9af1-cf8cb963680c")
    ```
  Hint: you can find the group UUID in the URL of the Passbolt admin interface when editing a group.

2. In a state, reference secrets with their UUID. See the `example/salt/important_secrets/files/secret.conf`.
    ```
    password={{ pillar['passbolt']['3ec2a739-8e51-4c67-89fb-4bbfe9147e17'] }}
    ```
  Hint: you can find the secret UUID in the URL of your browser by clicking on the checkbox of a secret.

# Performance
All passwords are decrypted with a single process (gpg-agent). If many minions need to access their Pillar at the same time, the gpg-agent becomes a bottleneck. To avoid this bottleneck, the Pillar cache can be enabled for the Salt master with `pillar_cache: True`. The following crontab entry updates the Pillar cache twice a day:
```
0 */12 * * * rm -rf /var/cache/salt/master/pillar_cache/* && salt '*' -b1 pillar.items
```

# YAML Replacement Structure
If the Passbolt server is not available, for example during local development, a file with the following format can replace the Python code mentioned in step 8:
```yaml
passbolt:
  3ec2a739-8e51-4c67-89fb-4bbfe9147e17: MY_SECRET
```
Update README 2020-02-01 19:57:50 +01:00			`# About`
Update README 2022-04-16 19:26:30 +02:00			`This Python module allows you to manage secrets for Saltstack via Passbolt. This makes managing secrets easier than manually encrypting them and storing the encrpyted password in the Saltstack repository.`

Change README > About 2023-01-14 12:12:07 +01:00			`Additionally, it is possible to only have one source of truth for passwords for users and IT infrastructure while being able to manage access for each password. That means that all users can contribute to the Saltack configuration and manage (view/add/change) secrets within their responsibility.`
Add source 2020-02-01 19:55:31 +01:00
Update README 2020-02-01 19:57:50 +01:00			`# License`
Update README, example 2022-04-16 19:02:58 +02:00			`[MIT](LICENSE)`
Update README 2020-02-01 19:57:50 +01:00
Adjust production deployment procedure 2023-12-18 17:38:42 +01:00			`# Production Setup`

			1. Go to your Salt master and install the module with `salt-pip`
Add source 2020-02-01 19:55:31 +01:00
Update README, example 2022-04-16 19:02:58 +02:00			```shell
Adjust production deployment procedure 2023-12-18 17:38:42 +01:00			`salt-pip install passbolt-salt`
Add source 2020-02-01 19:55:31 +01:00			```
Adjust production deployment procedure 2023-12-18 17:38:42 +01:00
Update README, example 2022-04-16 19:02:58 +02:00			`This will install this module and its dependencies.`
Add source 2020-02-01 19:55:31 +01:00
Adjust production deployment procedure 2023-12-18 17:38:42 +01:00			`3. Create a Passbolt account for the Salt master.`
Add source 2020-02-01 19:55:31 +01:00
			4. Copy the private and public PGP key files to `/etc/salt`.

Adjust production deployment procedure 2023-12-18 17:38:42 +01:00			`5. Import the new Passbolt private key on the Salt master:`
Update README, example 2022-04-16 19:02:58 +02:00			```shell
Import PGP Keys 2020-03-24 17:48:34 +01:00			`gpg --import /etc/salt/passbolt_private.asc`
			```

Fix readme numbering 2020-03-24 17:49:10 +01:00			6. Create a `/etc/salt/passbolt.ini` file with the following content:
Update README, example 2022-04-16 19:02:58 +02:00			```ini
Add source 2020-02-01 19:55:31 +01:00			`[PASSBOLT]`
Make URL generic 2020-03-24 17:03:04 +01:00			`SERVER = https://passbolt.example.com`
Add source 2020-02-01 19:55:31 +01:00			`#SERVER_PUBLIC_KEY_FILE = <optional: server_public.asc>`
			`USER_FINGERPRINT = [REPLACE WITH GPG KEY FINGERPRINT]`
			`USER_PUBLIC_KEY_FILE = /etc/salt/passbolt_public.asc`
			`USER_PRIVATE_KEY_FILE = /etc/salt/passbolt_private.asc`
			`PASSPHRASE = [REPLACE WITH PASSBOLT USER PASSWORD]`
			```

Fix readme numbering 2020-03-24 17:49:10 +01:00			`7. Change file permissions:`
Update README, example 2022-04-16 19:02:58 +02:00			```shell
Add source 2020-02-01 19:55:31 +01:00			`chown salt /etc/salt/passbolt*`
			`chmod 600 /etc/salt/passbolt*`
			```

Update README 2022-04-16 19:26:30 +02:00			`# Use Passwords of Passbolt Group in Pillar`
			`Look into the [example](example) directory to see how the integration is done.`

Update README.md 2022-04-25 10:57:47 +02:00			`1. Create Pillar sls files for the different Salt minions, insert the content below and replace the group UUID.`
Update README, example 2022-04-16 19:02:58 +02:00			```python
Add source 2020-02-01 19:55:31 +01:00			`#!py`
Fix run function 2020-02-01 22:33:28 +01:00			`def run():`
Revert "Support local file for passbolt replacement" This reverts commit f1750202bed2315198b240a5e86411fafe867080. 2021-05-29 20:07:29 +02:00			`from salt_passbolt import fetch_passbolt_passwords`
			`return fetch_passbolt_passwords("27b9abd4-af9b-4c9e-9af1-cf8cb963680c")`
Add source 2020-02-01 19:55:31 +01:00			```
Update README 2022-04-16 19:26:30 +02:00			`Hint: you can find the group UUID in the URL of the Passbolt admin interface when editing a group.`

			2. In a state, reference secrets with their UUID. See the `example/salt/important_secrets/files/secret.conf`.
Add source 2020-02-01 19:55:31 +01:00			```
			`password={{ pillar['passbolt']['3ec2a739-8e51-4c67-89fb-4bbfe9147e17'] }}`
			```
Update README 2022-04-16 19:26:30 +02:00			`Hint: you can find the secret UUID in the URL of your browser by clicking on the checkbox of a secret.`
Document replacement YAML structure 2021-05-29 20:11:35 +02:00
Update README 2022-04-16 19:26:30 +02:00			`# Performance`
			All passwords are decrypted with a single process (gpg-agent). If many minions need to access their Pillar at the same time, the gpg-agent becomes a bottleneck. To avoid this bottleneck, the Pillar cache can be enabled for the Salt master with `pillar_cache: True`. The following crontab entry updates the Pillar cache twice a day:
			```
			`0 /12 * * rm -rf /var/cache/salt/master/pillar_cache/* && salt '*' -b1 pillar.items`
			```
Document replacement YAML structure 2021-05-29 20:11:35 +02:00
Update README 2022-04-16 19:26:30 +02:00			`# YAML Replacement Structure`
README: fix development 2021-11-30 14:08:44 +01:00			`If the Passbolt server is not available, for example during local development, a file with the following format can replace the Python code mentioned in step 8:`
Update README, example 2022-04-16 19:02:58 +02:00			```yaml
Document replacement YAML structure 2021-05-29 20:11:35 +02:00			`passbolt:`
			`3ec2a739-8e51-4c67-89fb-4bbfe9147e17: MY_SECRET`
			```