XCP-ng

    Connecting xen to vault

    Category: Xen Orchestra
    5 Posts, 2 Posters
    • siemba

      Hey guys, I'm wondering if it is possible to somehow connect Xen to Vault, so that during VM creation it will fetch secrets from there?
      Or do you create the VM, then paste some secrets/values and then delete them, so they are not visible anywhere as plain text?

      • olivierlambert (Vates 🪐 Co-Founder CEO)

        Hi,
        Can you be a bit more specific on what you are trying to achieve exactly?

        When you said vault, are you talking about https://www.hashicorp.com/products/vault?

        • siemba @olivierlambert

          @olivierlambert Yes, you are right, I meant HashiCorp Vault. Okay, so basically there are 2 things that make me think.

          First is that, let's say I have a couple of secrets in Vault, for example: private keys, certs, passwords etc., that I would like to pass to my VM.
          For now I have one standard template and a couple of cloud-inits for different types of machines, but those "secrets" are visible in Xen and I am wondering if it is safe from a security point of view if I put secrets in as plain text. (I think that is the most important thing.)

          The next thing is that, if it isn't safe, then is there a way to fetch secrets from Vault instead of passing them as plain text? So when secret "x" changes in Vault, it will be automatically changed in the template.

          I hope now it is clearer than it was. Thanks in advance.

          • olivierlambert (Vates 🪐 Co-Founder CEO)

            Can you be more precise about what you mean regarding "secrets visible in Xen"? Where exactly?

            • siemba @olivierlambert

              @olivierlambert It's a custom config, not a bug. I'll point out what I mean below.

              1. I have a standard Ubuntu template ->
              2. I would like my VM to already be customized when it's created, because it's faster and easier when everything is in one place ->
              3. So for that I have created a cloud-init, e.g. ->

              ```yaml
              #cloud-config

              hostname: <hostname>

              package_update: true
              package_upgrade: true

              write_files:
                - path: /etc/ssl/certs/mydomain.crt
                  content: |
                    <certificate data>
                - path: /etc/ssl/private/mydomain.key
                  content: |
                    <private key data>

              runcmd:
                - apt-get update
                - DEBIAN_FRONTEND=noninteractive apt-get upgrade -y
              ```

              4. So my main problem is that this particular cloud-init has fixed <certificate data> and <private key data>, which I would like not to be passed as plain text, because it is a secret. To me it's not done with best practices (for now), but it's very comfortable.

              So finally, I am wondering what the best solution is for not putting secrets in as plain text, but rather keeping them secret. I could create templates and later delete the cloud-config with that data, but it would be more flexible if there were any chance to connect it to HashiCorp Vault or something that would dynamically fetch secrets.

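One way to act on the question in the last post, as an added example that is not part of this thread nor of Xen Orchestra or Vault: a check that flags inline key material or plaintext passwords in a cloud-config before it is saved as a template, beside a cloud-config that fetches the certificate and key from Vault's KV v2 HTTP API at first boot instead of embedding them. The Vault path and key names, and the `/etc/vault-bootstrap.env` file carrying a short-lived read-only token, are assumptions.

```python
import re

# Constructed sample in the style of the post above, with placeholder key
# material (not a real key): the private key sits inline in the template.
INLINE_SECRETS_CONFIG = """#cloud-config
hostname: web01
write_files:
  - path: /etc/ssl/private/mydomain.key
    content: |
      -----BEGIN PRIVATE KEY-----
      MIIEvQIBADANBgkq...PLACEHOLDER...
      -----END PRIVATE KEY-----
"""

# Markers that should never appear in a template stored on the hypervisor side.
SECRET_MARKERS = {
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "plaintext_password": re.compile(r"^\s*(?:password|plain_text_passwd|passwd):", re.M),
}


def find_inline_secrets(cloud_config: str) -> list[str]:
    """Return the names of the markers found; an empty list means the template is clean."""
    return [name for name, rx in SECRET_MARKERS.items() if rx.search(cloud_config)]


def vault_fetch_cloud_config(hostname: str, kv_path: str = "secret/data/mydomain") -> str:
    """Build a cloud-config that pulls the cert and key from Vault at first boot.

    Assumptions (not from the forum post): a KV v2 secret at kv_path with keys
    'certificate' and 'private_key'; /etc/vault-bootstrap.env provides VAULT_ADDR
    and a short-TTL VAULT_TOKEN whose policy allows read on only this path. The
    env file is shredded once the secrets are in place.
    """
    fetch = (f'. /etc/vault-bootstrap.env && curl -sf -H "X-Vault-Token: $VAULT_TOKEN" '
             f'"$VAULT_ADDR/v1/{kv_path}"')
    # runcmd items are single-quoted so YAML does not split on the ": " in the header.
    return f"""#cloud-config
hostname: {hostname}
package_update: true
packages: [curl, jq]
runcmd:
  - '{fetch} | jq -r .data.data.certificate > /etc/ssl/certs/mydomain.crt'
  - 'umask 077 && {fetch} | jq -r .data.data.private_key > /etc/ssl/private/mydomain.key'
  - 'shred -u /etc/vault-bootstrap.env'
"""
```

Run `find_inline_secrets` over every cloud-config before it is attached to a template; the generated variant passes because the only secret-bearing item on the template is the bootstrap token, which expires and is destroyed at first boot.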