[FEATURE REQUEST] Allow to disable credential issuance to minions #109

Open
lkubb opened this issue Dec 19, 2024 · 0 comments


lkubb commented Dec 19, 2024

Is your feature request related to a problem? Please describe.
Some users might prefer to not distribute authentication credentials to minions at all, relying on the external pillar module only instead.

This came up in saltstack/salt#67029.

Describe the solution you'd like
Add a switch that causes the master to reject all non-impersonated credential requests.

Describe alternatives you've considered
Blocking access to Vault at the network level (does not prevent the credentials from being leaked in the first place).

Additional context
While I don't see many practical benefits of this approach, not unnecessarily distributing credentials does make sense. It's also very simple to implement.

Note that this switch would not disable the SSH wrapper modules since they run in a similar fashion to pillar rendering.

lkubb changed the title from "[FEATURE REQUEST] Allow to disable credential issuance" to "[FEATURE REQUEST] Allow to disable credential issuance to minions" on Dec 19, 2024