I have been using hiera to store information in
./modulename/data
using a hiera.yaml file under ./modulename/hiera.yaml
one looks like this:
#
---
version: 5
defaults:
datadir: data
data_hash: yaml_data
hierarchy:
- name: "source file"
path: "source.yaml"
I would like to use eyaml to encrypt the file, but doing something like this gives me errors in the hiera.yaml...
#
---
version: 5
defaults:
datadir: data
data_hash: eyaml_data
hierarchy:
- name: "authorized_keys"
path: "auth_keys.eyaml"
eyaml:
pkcs7_private_key: data/keys/private_key.pkcs7.pem
pkcs7_public_key: data/keys/public_key.pkcs7.pem
I figure there is some setup to the module specific hiera.yaml that I can use to decrypte the file or specific lines in the file, but I'm unable to find a lot on eyaml beyond how to set it up for use in /etc/puppet/puppet/keys
I've created the pkcs7 keys in ./modulename/data/keys/
the pkcs7_public and private keys do not have to be the ones under data/keys in the module directory, they could be the global ones in /etc/puppet/puppet/keys
I believe I found my answer, it was in some of the docs for hiera-eyaml:
https://github.com/voxpupuli/hiera-eyaml
Hopefully if anyone else has this question my findings can help :)
you can use the hiera.yaml config described in the doc under ./ModuleName/hiera.yaml
Here is my test example, I modified an existing test module to test this working. I think it requires:
Here is my module:
$ tree master_cron/
master_cron/
├── data
│ └── secrets.eyaml
├── hiera.yaml
└── manifests
└── init.pp
$ ll /etc/puppetlabs/puppet/keys/
total 8.0K
drwxr-xr-x. 2 pe-puppet pe-puppet 63 Mar 18 16:51 .
drwxr-xr-x. 4 root root 207 Mar 18 17:03 ..
-rw-------. 1 pe-puppet pe-puppet 1.7K Mar 18 16:51 private_key.pkcs7.pem
-rw-r--r--. 1 pe-puppet pe-puppet 1.1K Mar 18 16:51 public_key.pkcs7.pem
$ cat hiera.yaml
---
version: 5
defaults:
datadir: data
hierarchy:
- name: "secret data"
lookup_key: eyaml_lookup_key
path: "secrets.eyaml"
options:
pkcs7_private_key: /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
pkcs7_public_key: /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
...
You could specific a key for the module itself, and put in in data/keys...
$ cat data/secrets.eyaml
---
master_cron::jobs:
"chown_pe-puppet":
environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
minute: '*/5'
user: root
command: ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEACTtCuqFaS+5YS0DN/lLL6oV78W0lB55eQtZYIGug2SNFhLSA2h1FK/NmcsRE/YmVRJXqCeWTgFIxHch2mcWEYSLbdsWmq9WO45giUNt/MQp9hEMHmO27L63Vxl5GsvECP8yfWW6uinroOG6O95swag+W68nTrrLpV26KqP1mq+aoNw8ognNsm6IqG/FBMCgpWtGMmipBeSMXaXoUxS6wFANjMm0Ak0ykaGmwIYK1dHTosnNw8VX7d8u1oAzpgeWEkET0g8U+Q4z0W4ZNeWUIatJY1Lq30r3LOUswg+xIGmZAEro+KfQlOI1ENDx+/4ZG3IokMB9GJ1hzWlGWgbCh7zCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQcMG9nWTZaCaqLuO5+m6fBIBg7G+pRWPy77yvbpvKXUb2sjkxXlDkLauSXE7KX5YOhFrBtb8pZ7MN9Rz0/qHmefToZbkhWPRMtWJ+QyVET+v2YaIh+7orEdqgo585Z+fjefIGFChkDstMj3d6Hl4s/DCW]
"chmod_pe-puppet":
environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
minute: '*/5'
user: root
command: ENC[PKCS7,MIIBuQYJKoZIhvcNAQcDoIIBqjCCAaYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAKK4R/j3pD+s4cyzcH8H4PSK7j/uCaaSvOBqG8b1MsLQClKU49DxJQ+rZLYkUJEaEq30gyCRy9uZMwFri5EJGL455flXABiM/7A9NTUNJ0DoXdiWvxgWR0py/WmiLVUnql3wVZUfojqak1MOZeRYLeCnHyVLgdz+ouyPwg0nsAuXJewk5aJa5CSj7xkS4TQKvruRaqfFGsCMBEZM7lPDae9+YZZBgfPM9rqZNO5hoUu9Q3vizzpdRcD5+5U5mqCryEzmG51fvzVO0nK45aW6SiJm58nlumxhXJoWmv12OWT+3t67QJvOV3eciLM4F722UnMrJ7SIA3ttdW2UFHuP+eTB8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAfCd5FJnsOoJqU71XSwos2gFDSY3b+apqgrcOZ3lTT8zRKd3Z5JdgIptbYSluzw42scZslHHMR3kcaYIH/D9EJQmG54VKwwFVQODUfFV8N7kyky9LvFA+xpJUWqP6Lijx3bw==]
This is just a test module I made that creates some cron jobs, I encrypted the commands as a test, not really a practical use for eyaml though ;) here's what this looks like decrypted:
---
master_cron::jobs:
"chown_pe-puppet":
environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
minute: '*/5'
user: root
command: chown -R pe-puppet:pe-puppet /etc/puppetlabs/code/environments/production/modules
"chmod_pe-puppet":
environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
minute: '*/5'
user: root
command: chmod -R 755 /etc/puppetlabs/code/environments/production/modules
And I use the hiera data in the module as you could without it encrypted:
class master_cron ($jobs) {
create_resources(cron, $jobs)
}