Last Updated Dec 08, 2014 — DevOps Expert

I was working with a customer recently to prove some concepts, one of which involved sourcing a password from CyberArk Password Vault. To do this I used rules and performed an action in the planning stage.

First I added a new property to all containers called CyberarkId using a type modification within the synthetic.xml file (…./ext/synthetic.xml):


    

Then I added a rule to invoke our script (…./ext/xl-rules.xml):

    
        cyberark/cyberark-password-rule.py
    

And created a Python script that loops through the deltas, looks for containers with an assigned CyberArk variable and uses that to look up a password.
In our demo case we are simply parsing a key=value text file, but this could easily be a REST call or some other wrapped API call to CyberArk. We might need to add some additional information to connect to CyberArk or to retrieve our credentials by specifying more information, but that’s just gravy.

    def emptyOrNone(s):
        return s is None or len(s.strip()) == 0


    def extract_cyberark_aware_containers(deltas):
        containers = {}
        # Collect the containers touched by this deployment
        for delta in deltas.deltas:
            delta_op = str(delta.operation)
            # A DESTROY delta has no new deployed item, so use the previous one
            deployed = delta.previous if delta_op == "DESTROY" else delta.deployed
            container = deployed.container
            if container.hasProperty("cyberarkId") and not emptyOrNone(container.cyberarkId):
                # Ensure we only add each container once
                if container.name in containers:
                    continue
                containers[container.name] = container
        return list(containers.values())


    def update_passwords_from_cyberark(containers, context):
        # Demo stand-in for the CyberArk call: password.txt is a simple key=value file.
        f = open('/tmp/password.txt')
        try:
            id_pwds = f.readlines()
        finally:
            f.close()
        for container in containers:
            cyber_ark_id = container.cyberarkId
            for id_pwd in id_pwds:
                # Drop the line ending so it does not become part of the password
                id_pwd = id_pwd.rstrip('\r\n')
                if '=' not in id_pwd:
                    continue  # skip blank or malformed lines
                # Split on the first '=' only, so a password may contain '='
                ark_id, pwd = id_pwd.split('=', 1)
                if cyber_ark_id == ark_id:
                    container.setProperty("password", pwd)


    update_passwords_from_cyberark(extract_cyberark_aware_containers(deltas), context)

This is cool and definitely serves to demonstrate the simple flexibility of XL Deploy, but with respect to this particular use case I would add the following cautionary note:
It might be fine for demonstrating the concept, but the idea of having every deployment to every container interact with a centralized tool (that may have been designed and optimized for occasional human access) adds quite an overhead to the deployment. I suspect as this is scaled out to hundreds of servers we would have to think of another approach (perhaps a bulk update of infrastructure CIs periodically, for example using our Command Line Interface).
That said, it is however a good start, and with approximately 6 lines of configuration (2 if you like XML on a single line) and a small Python script we have made a powerful but manageable change to our deployment.
I think the biggest win for me is to have something tangible that shows us extending the product in a straightforward way and of course meeting one of the requirements of our growing user base. Also, in my context it's a very quick way to get to talk about the problem of managing information such as credentials: the issues of making deployments dependent on another single point of failure, for example.
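
One way to structure the lookup so that the vault is contacted once per distinct cyberarkId in a plan rather than once per container, and so that a missing ID stops planning instead of leaving an old password in place. This is an added example, not the original script and not XL Deploy or CyberArk code; `parse_key_value`, `resolve_passwords`, `MissingCredential`, `FakeContainer` and the sample data are assumptions, and `fetch` stands for whatever call reaches the vault.

```python
# Added example. All names here are hypothetical, not XL Deploy or CyberArk APIs.

class MissingCredential(Exception):
    """Raised when a cyberarkId has no secret, so planning stops."""


def parse_key_value(lines):
    """Parse the demo key=value format; a password may itself contain '='."""
    secrets = {}
    for number, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if not line.strip():
            continue  # blank line
        key, sep, value = line.partition("=")
        if not sep:
            # Report the line number only, never the content (it may be a secret).
            raise ValueError("line %d has no '='" % number)
        secrets[key.strip()] = value
    return secrets


def resolve_passwords(containers, fetch):
    """Set 'password' on each container, calling fetch() once per distinct ID."""
    cache = {}
    for container in containers:
        cyberark_id = container.cyberarkId
        if cyberark_id not in cache:
            secret = fetch(cyberark_id)  # the only place the vault is contacted
            if secret is None:
                # Fail closed rather than deploy with a stale or empty password.
                raise MissingCredential("no secret for id %r" % cyberark_id)
            cache[cyberark_id] = secret
        container.setProperty("password", cache[cyberark_id])
    return len(cache)  # number of vault lookups made for this plan


class FakeContainer(object):
    """Constructed stand-in exposing the container members the script uses."""
    def __init__(self, name, cyberarkId):
        self.name, self.cyberarkId, self.props = name, cyberarkId, {}

    def setProperty(self, key, value):
        self.props[key] = value


# Constructed sample data, not real credentials.
SAMPLE = ["db-prod=s3cr=et\n", "\n", "web-prod=hunter2\n"]
```

In the rule script, the list returned by `extract_cyberark_aware_containers(deltas)` would be passed as `containers`.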

How have you extended XL Deploy and how did you find it?

Expect to see more examples of our rules framework in the coming weeks and months. XL Rules!
