Puppet Users,

How do you deal with sensitive data in your puppet config that does not belong in revision control? Think about things like SSL keys or passwords.

i.e.

/etc/ldap.conf
...
binddn cn=foo,dc=example,dc=com
bindpw mysocratesnote
...

As of now we store the bindpw as a variable then reference that in a template. But this means that bindpw exists in our node definitions since there are different pws for different groups of hosts.

Regards,
-Alan

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Have a look at hiera.

--
Bruno

On 11-10-03 06:02 PM, Alan Evans wrote:
> How do you deal with sensitive data in your puppet config that does
> not belong in revision control? Think about things like SSL keys or
> passwords.
Sure, but that doesn't really address the issue (at least not out-of-box). Hiera puts your data outside your manifests, but at least in our case it's still in revision control. Are you putting your Hiera data elsewhere? If so, how do you control access to it?

This came up recently for us as well so I've been poking around. I see there's a project for this sort of thing: https://github.com/duritong/trocla

It looks interesting, but I haven't tried it.

On Mon, Oct 3, 2011 at 3:03 PM, Bruno Leon <nonolemono@gmail.com> wrote:
> Have a look at hiera.
----- Original Message -----
> Sure, but that doesn't really address the issue (at least not
> out-of-box). Hiera puts your data outside your manifests, but at
> least in our case it's still in revision control. Are you putting
> your Hiera data elsewhere? If so, how do you control access to it?

It would be pretty trivial to create an encrypted hiera backend that can only be decrypted by machines that have a key stored on their disks.

You'd check into SCM the encrypted file and on your masters store the decrypt key.
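The backend sketched above, written out as an added example (this is not code from the thread, from Hiera, or from any existing encrypted-backend project). It assumes a token format of `ENC[base64(iv || tag || ciphertext)]` holding AES-256-GCM output, a 32-byte key that lives only on the master (in deployment read from a root-only file; generated inline here), and a Hiera-style hierarchy of YAML levels searched most-specific first. The sample data, hierarchy names and secrets are constructed for the demo.

```ruby
require 'openssl'
require 'base64'
require 'yaml'

# Assumed token format: ENC[base64(iv || gcm_tag || ciphertext)].
module EncryptedHiera
  PREFIX  = 'ENC['
  SUFFIX  = ']'
  IV_LEN  = 12
  TAG_LEN = 16

  # Encrypt a plaintext string under a 32-byte key with AES-256-GCM.
  # The returned token is what gets committed; it reveals nothing without the key.
  def self.encrypt(key, plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key
    iv = cipher.random_iv            # fresh 12-byte nonce for every value
    cipher.auth_data = ''
    ct = cipher.update(plaintext) + cipher.final
    PREFIX + Base64.strict_encode64(iv + cipher.auth_tag + ct) + SUFFIX
  end

  # Decrypt an ENC[] token. A wrong key or a tampered token raises
  # OpenSSL::Cipher::CipherError because the GCM tag does not verify.
  def self.decrypt(key, token)
    unless token.start_with?(PREFIX) && token.end_with?(SUFFIX)
      raise ArgumentError, 'not an ENC[] token'
    end
    blob = Base64.strict_decode64(token[PREFIX.length...-SUFFIX.length])
    iv  = blob[0, IV_LEN]
    tag = blob[IV_LEN, TAG_LEN]
    ct  = blob[(IV_LEN + TAG_LEN)..-1]
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ''
    (cipher.update(ct) + cipher.final).force_encoding(Encoding::UTF_8)
  end

  # Hiera-style lookup: walk the hierarchy most-specific first and return the
  # first hit, decrypting it if it is an ENC[] token. Plain values pass through.
  def self.lookup(name, hierarchy, data, key)
    hierarchy.each do |level|
      level_data = data[level]
      next unless level_data && level_data.key?(name)
      value = level_data[name]
      return value if !value.is_a?(String) || !value.start_with?(PREFIX)
      return decrypt(key, value)
    end
    nil
  end

  # Constructed sample data store, as the YAML that would be committed:
  # a per-group bindpw and a fallback in common, both stored encrypted.
  def self.sample_yaml(key)
    YAML.dump(
      'groups/web' => { 'ldap_bindpw' => encrypt(key, 'web-group-secret') },
      'common'     => { 'ldap_binddn' => 'cn=foo,dc=example,dc=com',
                        'ldap_bindpw' => encrypt(key, 'default-secret') }
    )
  end
end

if $PROGRAM_NAME == __FILE__
  # In deployment the key is read from a root-only file on the master
  # (assumed path, e.g. File.binread('/etc/puppet/hiera.key')); generated here.
  master_key = OpenSSL::Random.random_bytes(32)
  committed = EncryptedHiera.sample_yaml(master_key)
  puts committed                      # what revision control sees: only ENC[] tokens
  data = YAML.load(committed)
  puts EncryptedHiera.lookup('ldap_bindpw', ['groups/web', 'common'], data, master_key)
end
```

Two things to keep in mind when doing this for real: keep the key off every host that only needs the ciphertext (the repository, CI, developer workstations), and remember that decryption on the master means the plaintext still ends up in the compiled catalog handed to the agent, so this protects the repository, not the catalog.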
Now that sounds cool.

On Mon, Oct 3, 2011 at 3:42 PM, R.I.Pienaar <rip@devco.net> wrote:
> it would be pretty trivial to create an encrypted hiera backend that
> can only be decrypted by machines that have a key stored on their disks.
>
> You'd check into SCM the encrypted file and on your masters store the
> decrypt key
In both cases for hiera and trocla doesn't the password end up in the catalog and don't other things like the dashboard consume the catalog? Does that mean the passwords are available in dashboard?

Is there a way to cause the client to pull down the password without including it in the catalog?

I missed it in my first search of the list but here's one that seems promising.

http://www.mailinglistarchive.com/html/puppet-users@googlegroups.com/2010-01/msg00507.html

> $password = file("/config/user-passwords/$name")

Would the value of $password still end up in the catalog?

Regards,
-Alan

On Mon, Oct 3, 2011 at 6:42 PM, R.I.Pienaar <rip@devco.net> wrote:
> it would be pretty trivial to create an encrypted hiera backend that
> can only be decrypted by machines that have a key stored on their disks.
>
> You'd check into SCM the encrypted file and on your masters store the decrypt
> key