I'm starting to use cloudify and in the spirit of DevOps where infrastructure is code I want to have the passwords stored in a safe and centralized place.
It seems to me that I am supposed to put the credentials in the .properties file of the relevant service, but versioning the plain password seems like a bad idea, and not versioning it also seems like a bad idea (code which is unversioned).

I know chef has encrypted data bags and I was wondering if cloudify has something similar? If not, is there a different best practice I should be aware of?

Thanks

Ittai


With the upcoming Cloudify 2.3.0 release, you will be able to add overrides to property settings in the install-* command line. So your recipe should include a properties file with a default, possibly empty, password. This password should not actually do anything.

When you actually install the service, use overrides to set the actual password. This will keep the clear-text password out of your versioned properties file.

Barak
  • There is a 2.3.0 early access build available here: http://www.cloudifysource.org/downloads/early_access.html – Barak Nov 29 '12 at 12:23
  • Thanks for your answer. Where would you suggest storing the actual passwords? It can be tens of passwords very quickly. Thanks again. – Ittai Nov 29 '12 at 15:22
  • That depends on what you are trying to do. Storing passwords in a source control system is usually a bad idea. You can use a third party identity service like stormpath, or just stick to a secure local repository, like keepass. You can even store the passwords in the Cloudify attribute store, though you will still need to encrypt them first, leaving you to store the master key. – Barak Dec 02 '12 at 09:57
  • Thanks for your comment. I thought this through and since I want my CI server (jenkins) to trigger the deploys I think I'll just have a text file which only its user can read (via os permissions). I still think the chef way of having different data bags (and encrypted data bags) for different environments allows for better maintenance but this might be a matter of taste. thanks. – Ittai Dec 02 '12 at 12:50
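The pattern the answer and the last comment converge on, shown as an added example (not Cloudify's code or CLI; the file names, the `dbPassword` key and the sample secret are constructed): a committed .properties file carries only a blank placeholder, an unversioned overrides file supplies the real value, and the loader refuses the overrides file unless OS permissions restrict it to its owner, as the CI-user-only file the question settles on.

```python
import os
import tempfile

def parse_properties(text):
    """Minimal Java-style .properties parser: key=value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def owner_only(path):
    """True if path is a regular file with no group/other permission bits."""
    return os.path.isfile(path) and (os.stat(path).st_mode & 0o077) == 0

def load_with_overrides(versioned_path, overrides_path):
    """Overlay unversioned secrets on committed defaults; refuse a shared-readable overrides file."""
    if not owner_only(overrides_path):
        raise PermissionError(f"{overrides_path} must be mode 600 (owner only)")
    with open(versioned_path) as f:
        props = parse_properties(f.read())
    with open(overrides_path) as f:
        props.update(parse_properties(f.read()))
    return props

def _write(path, text, mode):
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)

def demo(overrides_mode=0o600):
    """Constructed sample files: committed defaults with a blank password plus the secret; returns the merge."""
    d = tempfile.mkdtemp()
    versioned = os.path.join(d, "mysql-service.properties")
    overrides = os.path.join(d, "overrides.properties")
    _write(versioned, "dbUser=app\ndbPassword=\n", 0o644)
    _write(overrides, "dbPassword=constructed-sample-secret\n", overrides_mode)
    return load_with_overrides(versioned, overrides)

def rejects_shared_overrides():
    """True if a group/world-readable overrides file is refused."""
    try:
        demo(overrides_mode=0o644)
    except PermissionError:
        return True
    return False
```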