[cf-dev] Questions on credential rotation

[cf-dev] Questions on credential rotation

Krannich, Bernd

Hello all,

 

We love Justin Smith’s approach of “Rotate, Repair, Repave” [1] when it comes to security. Looking at how the “Rotate” aspect is handled in Cloud Foundry and other BOSH deployments today, we think there are currently three classes of credentials:

1. Credentials that can be rotated by updating them and doing a `bosh deploy` with zero downtime

2. Credentials that can be rotated by updating them and doing a `bosh deploy` involving a downtime [2]

3. Credentials that cannot be rotated easily at all [3]

A couple of questions here:

- Is the above summary accurate?

- For updates involving a downtime, the only naïve solution I could come up with is to support two sets of credentials during the transition. Are there any more strategies?

- Are there any efforts to turn credentials falling under #2 and #3 into ones that can be updated without downtime?

- CredHub [4] seems to be geared in the direction of “repave”. Is this the case and does this maybe even support work on the previous bullet?

 

Thanks in advance,

Bernd

 

[1] https://www.youtube.com/watch?v=NUXpz0Dni50

[2] https://github.com/cloudfoundry/cf-release/blob/master/templates/cf.yml#L634 might be a good example

[3] https://github.com/cloudfoundry/cf-release/blob/master/templates/cf.yml#L865 might be a good example

[4] https://github.com/cloudfoundry-incubator/credhub

 

 

Bernd Krannich

SAP Cloud Platform

SAP SE

Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany

 

[hidden email]

 

Pflichtangaben/Mandatory Disclosure Statement: www.sap.com/impressum

 

This e-mail may contain trade secrets or privileged, undisclosed, or otherwise confidential information. If you have received this e-mail in error, you are hereby notified that any review, copying, or distribution of it is strictly prohibited. Please inform us immediately and destroy the original transmittal. Thank you for your cooperation.
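
The two-credential transition raised in the message above, as an added example that is not part of the thread and is not Cloud Foundry, BOSH or CredHub code. It simulates instances being updated one at a time and compares a single swap with a three-step rotation in which servers accept both values during the transition; the `Server` class, the instance counts and the secret values are assumptions made for illustration.

```python
import hmac
from itertools import product

OLD, NEW = "constructed-old-secret", "constructed-new-secret"  # sample values

class Server:
    """Hypothetical component that accepts any credential in its list."""
    def __init__(self, accepted):
        self.accepted = list(accepted)

    def authenticate(self, presented):
        # Compare against every entry, in constant time per entry, so the
        # response time does not reveal which slot matched.
        ok = False
        for cred in self.accepted:
            ok |= hmac.compare_digest(cred.encode(), presented.encode())
        return ok

def failed_pairs(servers, clients):
    """Number of client/server pairs that cannot authenticate right now."""
    return sum(not s.authenticate(c) for s, c in product(servers, clients))

def rolling_rotation(dual, n_servers=3, n_clients=3):
    """Update one instance at a time; return (worst failure count, old retired).

    dual=True : servers first accept OLD and NEW, clients switch, servers drop OLD.
    dual=False: the value is simply replaced, clients first, then servers.
    """
    servers = [Server([OLD]) for _ in range(n_servers)]
    clients = [OLD] * n_clients
    worst = 0

    def observe():
        nonlocal worst
        worst = max(worst, failed_pairs(servers, clients))

    if dual:
        for s in servers:           # deploy 1: servers accept old and new
            s.accepted = [OLD, NEW]
            observe()
    for i in range(n_clients):      # clients start presenting the new value
        clients[i] = NEW
        observe()
    for s in servers:               # last deploy: old value is retired
        s.accepted = [NEW]
        observe()
    retired = not any(s.authenticate(OLD) for s in servers)
    return worst, retired

if __name__ == "__main__":
    print("two sets :", rolling_rotation(dual=True))
    print("one swap :", rolling_rotation(dual=False))
```

The old value stays valid until the last step completes, so the window in which both are accepted should be kept as short as the deploys allow.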


[cf-dev] Re: Questions on credential rotation

Dan Jahner

Hey Bernd,

I am the product manager of CredHub. We view our project as being part of the 'rotate' component of Justin's vision. Repave is focused on recreating instances to a known-good state, which is something outside of our area of concern. 

The current roadmap for CredHub is focused on pulling credentials into our system; specifically BOSH deployment and service credentials, later application credentials. Once we have a solid footing for storing and managing access to these credentials, we plan to explore what possibilities exist for reducing the friction of credential rotation. 

Although I haven't spent a long time investigating, I would agree with your characterization of the 3 classes of credentials. I think there is overwhelming agreement that all components should allow credential rotation without downtime, where possible, so I would expect it is on many teams' radar. If not, I am happy to start conversations once we get to that phase of our project. 

Thanks, 
Dan

On Thu, May 4, 2017 at 6:32 AM Krannich, Bernd <[hidden email]> wrote:



[cf-dev] Re: Re: Questions on credential rotation

Krannich, Bernd

Hey Dan,

 

Thank you very much for your reply!

 

> I think there is overwhelming agreement that all components should allow credential rotation without downtime, where possible, so I would expect it is on many teams' radar. If not, I am happy to start conversations once we get to that phase of our project.

 

Sounds great. We are actively following the developments in bosh-deployment and cf-deployment also with respect to credhub integration. It would be great if you could send an update via this list once you have reached the next phase here.

 

Thanks,

Bernd

 

P.S.:

> We view our project as being part of the 'rotate' component of Justin's vision. Repave is focused on recreating instances to a known-good state, which is something outside of our area of concern.

Yes, I meant to write:

> CredHub [4] seems to be geared in the direction of “rotate”.

Repave is of course largely based on regular stemcell updates using BOSH.

 

P.P.S.: For the people reading through this thread, I corrected my footnotes which unfortunately pointed to the head of the master branch earlier:

[2] https://github.com/cloudfoundry/cf-release/blob/01ccfbbb01bb8824594f67529a4c325214507f08/templates/cf.yml#L640

[3] https://github.com/cloudfoundry/cf-release/blob/01ccfbbb01bb8824594f67529a4c325214507f08/templates/cf.yml#L872

 

From: Dan Jahner <[hidden email]>
Reply-To: "Discussions about Cloud Foundry projects and the system overall." <[hidden email]>
Date: Thursday, 4. May 2017 at 22:22
To: "Discussions about Cloud Foundry projects and the system overall." <[hidden email]>
Subject: [cf-dev] Re: Questions on credential rotation

 



[cf-dev] Re: Re: Re: Questions on credential rotation

Grifalconi, Michael

Hello all,

 

I would like to follow up this discussion with a proposal:

 

We all know that ideally all credentials shall be easily rotated by changing the value and hitting `deploy`.

 

Unfortunately, this is not yet the case for many secrets living in CF components.

Until then, it would be awesome if we could agree on having some sort of guideline about credential rotation.

The idea is to allow operators to easily understand what can be changed right away, what needs more attention and what should not be touched at all for now.

 

You can find more details about the proposal here

https://docs.google.com/document/d/1Oaz0ld-d0oJxTZD5QJazy6TpnpZmdCxWEzTHnYF8BcE/edit?usp=sharing

 

Here you can see an example of what this 'guideline' could look like for the capi-release.

https://github.com/tyyko/capi-release/blob/credentials-rotation-wiki/docs/credentials-rotation-wiki.md

 

It would be great to hear what you think / if you have something else in mind to solve the issue!

 

Best regards,

Michael

 

 

From: "Krannich, Bernd" <[hidden email]>
Reply-To: "Discussions about Cloud Foundry projects and the system overall." <[hidden email]>
Date: Saturday, 6. May 2017 at 12:03
To: "Discussions about Cloud Foundry projects and the system overall." <[hidden email]>
Subject: [cf-dev] Re: Re: Questions on credential rotation

 
