Sharing Password Attributes between Appliances


#1

Hello,

I’m trying to determine the best way to share Password attributes of class instances between different ManageIQ/CloudForms appliances.

Use case:

  • We have a team of several developers all working on the same code
  • Password attributes have been populated for logins to share resources (databases, servers, etc…)
  • Developers want to export and import automation databases between each other (sharing a common “core” database).
  • Developers want to push these automation databases to test.
  • Test databases then need to get pushed to production.

Problems we’re facing

  • When exporting from one ManageIQ appliance into a different ManageIQ appliance, all of the “password” fields are reset. This means that sharing passwords between developers, or from development to test does not work.
  • Exporting and importing on the same appliance works fine.

Question(s)

  • What is the recommended way to distribute “Password” attributes between appliances across the development, test, and production lifecycle?

#2

I just implemented a solution to this using a “Configuration Domain” as had been suggested elsewhere in these forums. You can set up a domain in each environment that contains your secrets (encrypted with that environment’s key).

Then reference that domain in your code.

cfg = $evm.instantiate('/config/secrets/infoblox')
user = cfg['username']
pass = cfg.decrypt('password')

You end up having to maintain your secrets in each environment, but you can shift code around at will and it will pick up the secrets from the environment it’s running in!
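
Added example, not part of either post and not ManageIQ project code: a fail-closed wrapper around the lookup in #2 that refuses to continue when the secrets instance is missing or its password came through an import empty (the reset described in #1), and that keeps the password out of anything that gets logged. Credential, load_credential, FakeEvm and FakeInstance are hypothetical names; it assumes instantiate returns nil for a path that does not resolve, and in an Automate method you would pass the real $evm.

```ruby
# Credential holder whose inspect/to_s never expose the password (log safety).
class Credential
  attr_reader :username, :password

  def initialize(username, password)
    @username = username
    @password = password
  end

  def inspect
    "#<Credential username=#{@username.inspect} password=[REDACTED]>"
  end
  alias to_s inspect
end

# Resolve a secrets instance from the environment-local configuration domain.
# Assumption: instantiate returns nil when the path does not resolve here.
def load_credential(evm, path, user_attr: 'username', pass_attr: 'password')
  cfg = evm.instantiate(path)
  raise "config instance #{path} not found in this environment" if cfg.nil?

  user = cfg[user_attr]
  raise "#{path}: attribute #{user_attr} is empty" if user.to_s.empty?
  pass = cfg.decrypt(pass_attr)
  raise "#{path}: attribute #{pass_attr} is empty" if pass.to_s.empty?

  Credential.new(user, pass)
end

# --- Constructed stand-ins so the example runs outside an appliance ---
class FakeInstance
  def initialize(attrs)
    @attrs = attrs
  end

  def [](key)
    @attrs[key]
  end

  # On a real appliance this decrypts with that appliance's own key.
  def decrypt(key)
    @attrs[key]
  end
end

class FakeEvm
  def initialize(instances)
    @instances = instances
  end

  def instantiate(path)
    @instances[path]
  end
end
```
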