The CERN IT infrastructure consists of more than 40,000 Puppet-managed virtual and
physical machines located in two data centers.
Many Puppet catalogs contain configuration that depends on sensitive data
which has to be centrally managed but accessible only by the relevant machines.
In order to distribute the secrets to hosts via Puppet,
we developed a system that provides Puppet resources that fetch secrets at catalog application time and a CLI for managing them.
This presentation will explain how this system works, how it is integrated with our configuration management stack, its limitations, and planned future developments.
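The security-relevant point of fetching at catalog application time is that the secret never passes through the Puppet server or the compiled catalog. As an added illustration of that pattern (not CERN's code; the function name `cern_secrets::fetch`, the secret path and the file names are assumptions), the contrast between a compile-time lookup and an apply-time lookup can be expressed with Puppet's built-in `Deferred` type, available since Puppet 6:

```puppet
# Weak form: lookup() runs on the Puppet server while the catalog is compiled,
# so the plaintext password is embedded in the catalog, which is stored on the
# server and cached on the agent in its last-run catalog.
file { '/etc/app/db-compiled.conf':
  ensure    => file,
  owner     => 'app',
  mode      => '0600',
  content   => lookup('app::db_password'),
}

# Apply-time form: the catalog only carries the deferred call. The agent
# evaluates cern_secrets::fetch (hypothetical name, assumed to return a
# Sensitive value) when it applies the catalog, so the server never handles
# the secret and it is absent from the catalog and from the agent's cache.
file { '/etc/app/db.conf':
  ensure    => file,
  owner     => 'app',
  mode      => '0600',
  show_diff => false,   # keep the file body out of reports even if the value is not Sensitive
  content   => Deferred('cern_secrets::fetch', ['app/db_password']),
}
```

Two caveats for anyone adopting the pattern: the Ruby function behind the deferred call must be distributed to the agents (pluginsync), since it executes there rather than on the server, and the fetch itself should authenticate the calling host (for example with the agent's own Puppet certificate) so that a secret is readable only by the machines entitled to it, which is the access-control requirement the abstract describes.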
Carles Garcia Cabot is a computer engineer at CERN, the European Organization for Nuclear Research.
There he previously developed software for a Large Hadron Collider experiment and
worked on enhancing the network architecture of the data center.
Currently he is a member of the Configuration Management team and is developing tools to configure the IT infrastructure.