Tags: encryption, puppet, puppet-enterprise, hiera

Per module hiera data with eyaml?


I have been using hiera to store information in ./modulename/data, using a hiera.yaml file under ./modulename/hiera.yaml. One looks like this:

#
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "source file"
    path: "source.yaml"

I would like to use eyaml to encrypt the file, but doing something like this gives me errors in the hiera.yaml...

#
---
version: 5
defaults:
  datadir: data
  data_hash: eyaml_data
hierarchy:
  - name: "authorized_keys"
    path: "auth_keys.eyaml"
eyaml:
  pkcs7_private_key: data/keys/private_key.pkcs7.pem
  pkcs7_public_key: data/keys/public_key.pkcs7.pem

I figure there is some setup to the module specific hiera.yaml that I can use to decrypt the file or specific lines in the file, but I'm unable to find a lot on eyaml beyond how to set it up for use in /etc/puppet/puppet/keys.

I've created the pkcs7 keys in ./modulename/data/keys/

The pkcs7 public and private keys do not have to be the ones under data/keys in the module directory; they could be the global ones in /etc/puppet/puppet/keys.
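
A small checker, added here as an example (it is not part of the question, the answer, or hiera-eyaml itself), that parses a hiera 5 hiera.yaml and reports what is wrong with the failing configuration above: the top-level `eyaml:` block is hiera 3 syntax that hiera 5 does not know, and hiera-eyaml's hiera 5 hook is the lookup_key function `eyaml_lookup_key` with the PKCS7 key paths given in the entry's `options`, not a `data_hash` named `eyaml_data`. Both embedded configs are taken from this page; the allowed top-level keys and the "exactly one backend key per entry" rule are my reading of the hiera 5 format, not hiera's own validator.

```ruby
require 'yaml'

# Constructed sample: the question's failing hiera.yaml (a hiera 3 style
# "eyaml:" block and data_hash: eyaml_data dropped into a version 5 file).
BROKEN_HIERA = <<~YAML
  ---
  version: 5
  defaults:
    datadir: data
    data_hash: eyaml_data
  hierarchy:
    - name: "authorized_keys"
      path: "auth_keys.eyaml"
  eyaml:
    pkcs7_private_key: data/keys/private_key.pkcs7.pem
    pkcs7_public_key: data/keys/public_key.pkcs7.pem
YAML

# The working layout from the answer: the eyaml key paths live in the
# hierarchy entry's own options, and the backend is lookup_key: eyaml_lookup_key.
FIXED_HIERA = <<~YAML
  ---
  version: 5
  defaults:
    datadir: data
  hierarchy:
    - name: "secret data"
      lookup_key: eyaml_lookup_key
      path: "secrets.eyaml"
      options:
        pkcs7_private_key: /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
        pkcs7_public_key: /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
YAML

# Assumed rules (my reading of the hiera 5 config format, not hiera's own validator).
TOP_LEVEL_KEYS = %w[version defaults hierarchy default_hierarchy].freeze
BACKEND_KEYS   = %w[data_hash lookup_key data_dig].freeze
EYAML_OPTIONS  = %w[pkcs7_private_key pkcs7_public_key].freeze

# Returns a list of human-readable problems; an empty list means the file
# looks like a usable hiera 5 + hiera-eyaml configuration.
def lint_hiera_config(text)
  cfg = YAML.safe_load(text)
  problems = []
  problems << "version: expected 5, got #{cfg['version'].inspect}" unless cfg['version'] == 5
  (cfg.keys - TOP_LEVEL_KEYS).each do |key|
    problems << "unknown top-level key '#{key}' (eyaml key paths belong under each entry's options)"
  end

  defaults = cfg['defaults'] || {}
  Array(cfg['hierarchy']).each do |entry|
    label = "entry '#{entry['name']}'"
    # A backend key on the entry overrides whatever defaults says; otherwise defaults applies.
    source = BACKEND_KEYS.any? { |k| entry.key?(k) } ? entry : defaults
    backends = BACKEND_KEYS.select { |k| source.key?(k) }
    unless backends.size == 1
      problems << "#{label}: expected exactly one of #{BACKEND_KEYS.join('/')}, found #{backends.inspect}"
    end

    paths = Array(entry['path'] || entry['paths'])
    next unless paths.any? { |p| p.to_s.end_with?('.eyaml') }
    unless source['lookup_key'] == 'eyaml_lookup_key'
      found = backends.map { |k| "#{k}: #{source[k]}" }.join(', ')
      problems << "#{label}: .eyaml data needs lookup_key: eyaml_lookup_key (found #{found})"
    end
    options = entry['options'] || defaults['options'] || {}
    (EYAML_OPTIONS - options.keys).each do |opt|
      problems << "#{label}: options.#{opt} is missing, so eyaml cannot find its PKCS7 keys"
    end
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  { 'question' => BROKEN_HIERA, 'answer' => FIXED_HIERA }.each do |name, text|
    issues = lint_hiera_config(text)
    puts "#{name}: #{issues.empty? ? 'ok' : issues.join("\n  ")}"
  end
end
```

Run it as a plain Ruby script; against the question's config it reports four problems (the stray `eyaml:` key, the wrong backend, and the two missing key paths), and against the answer's layout it reports none. Pointing `lint_hiera_config` at a module's real hiera.yaml before a `puppet agent -t` run catches the same mistake earlier than the lookup error does.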


Solution

  • I believe I found my answer, it was in some of the docs for hiera-eyaml:

    https://github.com/voxpupuli/hiera-eyaml

    Hopefully if anyone else has this question my findings can help :)

    You can use the hiera.yaml config described in the doc under ./ModuleName/hiera.yaml.

    Here is my test example, I modified an existing test module to test this working. I think it requires:

    • PE 2017.1
    • latest hiera and puppet that come with v 2017.1
    • gem install hiera-eyaml & puppetserver gem install hiera-eyaml (I had to run this a few times for the modules to show up correctly as well as some puppet agent -t runs)
    • log out and log back in for env paths

    Here is my module:

    $ tree master_cron/
    master_cron/
    ├── data
    │   └── secrets.eyaml
    ├── hiera.yaml
    └── manifests
        └── init.pp
    
    $ ll /etc/puppetlabs/puppet/keys/
    total 8.0K
    drwxr-xr-x. 2 pe-puppet pe-puppet   63 Mar 18 16:51 .
    drwxr-xr-x. 4 root      root       207 Mar 18 17:03 ..
    -rw-------. 1 pe-puppet pe-puppet 1.7K Mar 18 16:51 private_key.pkcs7.pem
    -rw-r--r--. 1 pe-puppet pe-puppet 1.1K Mar 18 16:51 public_key.pkcs7.pem
    
    $ cat hiera.yaml
    ---
    version: 5
    defaults:
        datadir: data
    hierarchy:
        - name: "secret data"
          lookup_key: eyaml_lookup_key
          path: "secrets.eyaml"
          options:
            pkcs7_private_key: /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem 
            pkcs7_public_key: /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
    ...
    

    You could specify a key for the module itself, and put it in data/keys...

    $ cat data/secrets.eyaml
    ---
    master_cron::jobs:
      "chown_pe-puppet":
        environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
        minute: '*/5'
        user: root
        command: ENC[PKCS7,<base64 ciphertext elided>]
      "chmod_pe-puppet":
        environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
        minute: '*/5'
        user: root
        command: ENC[PKCS7,<base64 ciphertext elided>]
    

    This is just a test module I made that creates some cron jobs. I encrypted the commands as a test, not really a practical use for eyaml though ;) Here's what this looks like decrypted:

    ---
    master_cron::jobs:
      "chown_pe-puppet":
        environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
        minute: '*/5'
        user: root
        command: chown -R pe-puppet:pe-puppet /etc/puppetlabs/code/environments/production/modules
      "chmod_pe-puppet":
        environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
        minute: '*/5'
        user: root
        command: chmod -R 755 /etc/puppetlabs/code/environments/production/modules
    

    And I use the hiera data in the module as you could without it encrypted:

    # $jobs is filled by automatic parameter lookup of master_cron::jobs from
    # data/secrets.eyaml through the module's hiera.yaml; the values arrive decrypted.
    class master_cron ($jobs) {
      create_resources(cron, $jobs)
    }
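
The answer's two listings show the same data file encrypted and decrypted, and the `ll` output shows the private key at mode 0600. Two things worth checking automatically once a module carries eyaml data are that every value meant to be secret really is an `ENC[PKCS7,...]` blob (a value accidentally committed in plaintext looks just like the decrypted listing) and that the private key is not readable by group or others. The following audit is an added example of mine, not code from the answer or from hiera-eyaml: the sample document is constructed after the answer's secrets.eyaml with a dummy base64 string standing in for the real ciphertext, and treating the `command` leaf as sensitive is an assumed policy for this module.

```ruby
require 'yaml'
require 'tempfile'

# Constructed sample modelled on the answer's data/secrets.eyaml: the first
# command is encrypted (dummy base64, not a real PKCS7 blob), the second was
# accidentally committed in plaintext.
SAMPLE_EYAML = <<~YAML
  ---
  master_cron::jobs:
    "chown_pe-puppet":
      environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
      minute: '*/5'
      user: root
      command: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw]
    "chmod_pe-puppet":
      environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
      minute: '*/5'
      user: root
      command: chmod -R 755 /etc/puppetlabs/code/environments/production/modules
YAML

# hiera-eyaml's on-disk form: ENC[PKCS7,<base64>]; whitespace is allowed because
# long blobs are often wrapped inside a block scalar.
ENC_RE = /\AENC\[PKCS7,[A-Za-z0-9+\/=\s]+\]\z/.freeze

# Assumed policy for this module: every leaf named "command" must be encrypted.
SENSITIVE_LEAF_KEYS = %w[command].freeze

# Depth-first walk yielding (path, leaf) for every scalar in the document.
def each_leaf(node, path = [], &blk)
  case node
  when Hash  then node.each { |k, v| each_leaf(v, path + [k.to_s], &blk) }
  when Array then node.each_with_index { |v, i| each_leaf(v, path + [i.to_s], &blk) }
  else blk.call(path, node)
  end
end

# Returns "a/b/c" paths of sensitive leaves whose value is not an ENC[PKCS7,...] blob.
def find_plaintext_secrets(text)
  findings = []
  each_leaf(YAML.safe_load(text)) do |path, value|
    next unless SENSITIVE_LEAF_KEYS.include?(path.last)
    next if value.is_a?(String) && value.match?(ENC_RE)
    findings << path.join('/')
  end
  findings
end

# The private key must not be readable by group or others (the listing in the
# answer shows it at -rw-------, i.e. 0600).
def private_key_mode_ok?(path)
  (File.stat(path).mode & 0o077).zero?
end

# Helper for demonstrating the mode check without touching a real key.
def with_key_file(mode)
  Tempfile.create('private_key.pkcs7.pem') do |f|
    File.chmod(mode, f.path)
    yield f.path
  end
end

if __FILE__ == $PROGRAM_NAME
  find_plaintext_secrets(SAMPLE_EYAML).each { |p| puts "plaintext secret at #{p}" }
  puts "0600 key ok? #{with_key_file(0o600) { |p| private_key_mode_ok?(p) }}"
  puts "0644 key ok? #{with_key_file(0o644) { |p| private_key_mode_ok?(p) }}"
end
```

On the sample it reports `master_cron::jobs/chmod_pe-puppet/command` as plaintext and accepts only the 0600 key file. In practice the same two functions would run over `data/*.eyaml` and the configured `pkcs7_private_key` path in a pre-commit hook or CI job, so an unencrypted value never reaches the module repository.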