I''m new to Puppet, and I''m a software developer, not a sysadmin, so be gentle. I have puppet managing some files via templates, and one of the template variables that needs to be plugged in is a password of sorts that shouldn''t be generally available. In particular, it can''t be stored in the manifest, as that''s stored in version control, and the password shouldn''t be available there. Basically, the only place it''s okay for this password to be stored is on the systems that will be using it. What would be the "Puppet way" of getting this string into the configuration? -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Nigel Kersten
2011-Dec-23 17:33 UTC
Re: [Puppet Users] Managing sensitive strings with puppet
On Thu, Dec 22, 2011 at 12:00 PM, Ryan Stewart <zzantozz@gmail.com> wrote:> I''m new to Puppet, and I''m a software developer, not a sysadmin, so be > gentle. I have puppet managing some files via templates, and one of > the template variables that needs to be plugged in is a password of > sorts that shouldn''t be generally available. In particular, it can''t > be stored in the manifest, as that''s stored in version control, and > the password shouldn''t be available there. Basically, the only place > it''s okay for this password to be stored is on the systems that will > be using it. > > What would be the "Puppet way" of getting this string into the > configuration? >http://www.craigdunn.org/2011/10/secret-variables-in-puppet-with-hiera-and-gpg/ Does that help? I''ve done this in the past without hiera, where you have a function that runs on the master to decrypt the content out of version control, but the above makes it pretty simple. -- Nigel Kersten Product Manager, Puppet Labs -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Ryan Stewart
2011-Dec-27 17:11 UTC
[Puppet Users] Re: Managing sensitive strings with puppet
On Dec 23, 11:33 am, Nigel Kersten <ni...@puppetlabs.com> wrote:> On Thu, Dec 22, 2011 at 12:00 PM, Ryan Stewart <zzant...@gmail.com> wrote: > > I''m new to Puppet, and I''m a software developer, not a sysadmin, so be > > gentle. I have puppet managing some files via templates, and one of > > the template variables that needs to be plugged in is a password of > > sorts that shouldn''t be generally available. In particular, it can''t > > be stored in the manifest, as that''s stored in version control, and > > the password shouldn''t be available there. Basically, the only place > > it''s okay for this password to be stored is on the systems that will > > be using it. > > > What would be the "Puppet way" of getting this string into the > > configuration? > > http://www.craigdunn.org/2011/10/secret-variables-in-puppet-with-hier... > > Does that help? > > I''ve done this in the past without hiera, where you have a function that > runs on the master to decrypt the content out of version control, but the > above makes it pretty simple. >That helps a lot, though I had no idea what hiera was before you said it. Thanks for pointing me in the right direction. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Ryan Stewart
2011-Dec-27 23:00 UTC
[Puppet Users] Re: Managing sensitive strings with puppet
On Dec 23, 11:33 am, Nigel Kersten <ni...@puppetlabs.com> wrote:> http://www.craigdunn.org/2011/10/secret-variables-in-puppet-with-hier... > > Does that help? > > I''ve done this in the past without hiera, where you have a function that > runs on the master to decrypt the content out of version control, but the > above makes it pretty simple. >Before jumping into hiera, I was trying to get a feel for extlookup() with CSV files because it looked pretty simple, but I can''t seem to make it work. I see two different version of how to configure extlookup(), so I''ve tried both this (in my manifest): $extlookup_datadir = "/etc/puppet/extdata" $extlookup_precedence = ["common"] and this (in /etc/puppet/extlookup.yaml): --- :parser: CSV :precedence: - common :csv: :datadir: /etc/puppet/extdata The file /etc/puppet/extdata/common.csv contains a single line: "some_var,some_value". But whatever I try, the following fails: $some_var = extlookup("some_var") if $some_var == undef { fail("Didn''t find var with extlookup") } With "--debug --verbose", I don''t get any kind of output related to the lookup. Can someone guide me here? I think I''m missing something very obvious. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Ryan Stewart
2011-Dec-28 17:06 UTC
[Puppet Users] Re: Managing sensitive strings with puppet
On Dec 27, 5:00 pm, Ryan Stewart <zzant...@gmail.com> wrote:> Before jumping into hiera, I was trying to get a feel for extlookup() > with CSV files because it looked pretty simple, but I can''t seem to > make it work.nm. I figured out what I was doing wrong. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Nigel Kersten
2011-Dec-28 17:33 UTC
Re: [Puppet Users] Re: Managing sensitive strings with puppet
On Wed, Dec 28, 2011 at 9:06 AM, Ryan Stewart <zzantozz@gmail.com> wrote:> On Dec 27, 5:00 pm, Ryan Stewart <zzant...@gmail.com> wrote: > > Before jumping into hiera, I was trying to get a feel for extlookup() > > with CSV files because it looked pretty simple, but I can''t seem to > > make it work. > > nm. I figured out what I was doing wrong.What was it Ryan? Is there something we could do to improve the docs here? -- Nigel Kersten Product Manager, Puppet Labs -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Dan White
2011-Dec-28 18:04 UTC
Re: [Puppet Users] Re: Managing sensitive strings with puppet
Please consider sharing your successful configuration with others that might be trying to do the same thing. “Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” Bill Waterson (Calvin & Hobbes) ----- Ryan Stewart <zzantozz@gmail.com> wrote:> On Dec 27, 5:00 pm, Ryan Stewart <zzant...@gmail.com> wrote: > > Before jumping into hiera, I was trying to get a feel for extlookup() > > with CSV files because it looked pretty simple, but I can''t seem to > > make it work. > > nm. I figured out what I was doing wrong. > > -- > You received this message because you are subscribed to the Google Groups "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en. >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Ryan Stewart
2011-Dec-28 19:05 UTC
[Puppet Users] Re: Managing sensitive strings with puppet
On Dec 28, 11:33 am, Nigel Kersten <ni...@puppetlabs.com> wrote:> On Wed, Dec 28, 2011 at 9:06 AM, Ryan Stewart <zzant...@gmail.com> wrote: > > On Dec 27, 5:00 pm, Ryan Stewart <zzant...@gmail.com> wrote: > > > Before jumping into hiera, I was trying to get a feel for extlookup() > > > with CSV files because it looked pretty simple, but I can''t seem to > > > make it work. > > > nm. I figured out what I was doing wrong. > > What was it Ryan? Is there something we could do to improve the docs here? >I believe the problem was that I was doing the extlookup() outside of any class, and I recently converted my puppet project to a module, which I''m running with "puppet apply -e ''include ...''", which, I assume, would only run things inside of classes and not other stuff in the manifests where the classes are. Therefore the lookup was never being done in the first place, explaining the complete lack of any debugging information. I''m still trying to feel my way around how things should be organized, and this had to roll around in my head a while before I made the connection. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Nigel Kersten
2011-Dec-29 01:26 UTC
Re: [Puppet Users] Re: Managing sensitive strings with puppet
On Wed, Dec 28, 2011 at 11:05 AM, Ryan Stewart <zzantozz@gmail.com> wrote:> On Dec 28, 11:33 am, Nigel Kersten <ni...@puppetlabs.com> wrote: > > On Wed, Dec 28, 2011 at 9:06 AM, Ryan Stewart <zzant...@gmail.com> > wrote: > > > On Dec 27, 5:00 pm, Ryan Stewart <zzant...@gmail.com> wrote: > > > > Before jumping into hiera, I was trying to get a feel for extlookup() > > > > with CSV files because it looked pretty simple, but I can''t seem to > > > > make it work. > > > > > nm. I figured out what I was doing wrong. > > > > What was it Ryan? Is there something we could do to improve the docs > here? > > > I believe the problem was that I was doing the extlookup() outside of > any class, and I recently converted my puppet project to a module, > which I''m running with "puppet apply -e ''include ...''", which, I > assume, would only run things inside of classes and not other stuff in > the manifests where the classes are. Therefore the lookup was never > being done in the first place, explaining the complete lack of any > debugging information. I''m still trying to feel my way around how > things should be organized, and this had to roll around in my head a > while before I made the connection. > >ahah. Yeah, I''ve actually been thinking about this usability problem recently. If you have DSL code outside a class within a .pp file, if you use puppet apply /path/to/my.pp you only evaluate the code outside the class. If you use puppet apply -e ''include myclass'' you only evaluate the code inside the class. -- Nigel Kersten Product Manager, Puppet Labs -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.