NB-Public
/
passbolt-salt
mirror of https://github.com/netzbegruenung/passbolt-salt
13
1
Fork 0
Code Issues Releases Wiki Activity

Update README

This commit is contained in:
Sven Seeberg 2022-04-16 19:26:30 +02:00
parent 73026a1ebd
commit 23afd986c3
Signed by: sven.seeberg
GPG Key ID: 29559DD5A83806B5
1 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
README.md
View File

@ -1,11 +1,12 @@
# About
This Python module retrieves passwords for Passbolt groups to make them available in Saltstack Pillar.
This Python module allows you to manage secrets for Saltstack via Passbolt. This makes managing secrets easier than manually encrypting them and storing the encrpyted password in the Saltstack repository.
Additionally, it is possible to only have one source of truth for passwords for users and IT infrastructure while being able to manage access for each password. That means that all users can contribute to the Saltack configuration and manage (add & change) secrets within their responsibility.
# License
[MIT](LICENSE)
# Setup
1. Clone this repo
2. Go to directory, run (requires `python3-setuptools`)
@ -40,21 +41,31 @@ This Python module retrieves passwords for Passbolt groups to make them availabl
chmod 600 /etc/salt/passbolt*
```
8. Create Pillar sls files for the different Salt minions. Use the example below as content for the sls files and replace the group UUID. Hint: you can find the group UUID in the URL of the Passbolt admin interface when editing a group.
# Use Passwords of Passbolt Group in Pillar
Look into the [example](example) directory to see how the integration is done.
1. Create Pillar sls files for the different Salt minions, insert the content below and eplace the group UUID.
```python
#!py
def run():
from salt_passbolt import fetch_passbolt_passwords
return fetch_passbolt_passwords("27b9abd4-af9b-4c9e-9af1-cf8cb963680c")
```
You can also look into the [example](example) directory.
9. In state, reference secrets with their UUID. See the `example/salt/important_secrets/files/secret.conf`. Hint: you can find the secret UUID in the URL of your browser by clicking on the checkbox of a secret.
Hint: you can find the group UUID in the URL of the Passbolt admin interface when editing a group.
2. In a state, reference secrets with their UUID. See the `example/salt/important_secrets/files/secret.conf`.
```
password={{ pillar['passbolt']['3ec2a739-8e51-4c67-89fb-4bbfe9147e17'] }}
```
Hint: you can find the secret UUID in the URL of your browser by clicking on the checkbox of a secret.
# Performance
All passwords are decrypted with a single process (gpg-agent). If many minions need to access their Pillar at the same time, the gpg-agent becomes a bottleneck. To avoid this bottleneck, the Pillar cache can be enabled for the Salt master with `pillar_cache: True`. The following crontab entry updates the Pillar cache twice a day:
```
0 */12 * * * rm -rf /var/cache/salt/master/pillar_cache/* && salt '*' -b1 pillar.items
```
# YAML Replacement Structure
If the Passbolt server is not available, for example during local development, a file with the following format can replace the Python code mentioned in step 8:
```yaml
passbolt: