Vaidas Jablonskis
2012-Oct-01  13:46 UTC
[Puppet Users] Where do you store sensitive files with puppet+git approach?
Hi People,

I have a quick question, which hopefully you will have an answer to.

I am slowly moving towards puppet and git with multiple branches for different environments. Things are going pretty well, but now I have a small issue. The question is where should I store sensitive files, for instance SSL private keys or some files which contain sensitive data?

I am aware of hiera-gpg storage backend, but that is more suitable for storing plain text strings rather than actual files - correct me if I am wrong?

I am looking forward to hearing your opinion on this subject.

Thanks in advance.

-- Vaidas

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/DjQqqdK2NJ4J. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Aaron Grewell
2012-Oct-01  17:40 UTC
Re: [Puppet Users] Where do you store sensitive files with puppet+git approach?
We use hiera-gpg for ours. Files containing sensitive information are converted into templates so that only the necessary strings are included in gpg. If we really needed to distribute full files I would probably build a separate directory tree backed by its own repository for this. It's just never been necessary for us.
Derek Olsen
2012-Oct-01  19:33 UTC
[Puppet Users] Re: Where do you store sensitive files with puppet+git approach?
We use hiera-gpg for file type sensitive information as well.    For
sensitive information which is actually a file (ssh private keys) we
moved that into hiera-gpg and just set the yaml markup accordingly so
the information could be used to populate the file in question in the
correct format.
For example this is what a private key looks like in yaml.   The "|"
and leading indentation keeps the content in the same format as it
passes through the hands of the different villagers on the way to its
home in the id_dsa file.
professor_plumbs_private_key: |
  -----BEGIN DSA PRIVATE KEY-----
  GOODSTUFFHERE
  THEGOODSTUFFCONTINUES
  -----END DSA PRIVATE KEY-----
Then to create the key file. (Hiera call done as part of class param)
file { "/blah/blah/.ssh/id_dsa":
  content => $professor_plumbs_private_key;
}
I'm sure the same approach could be taken for ssl keys.  However we
have been wielding the hiera hammer pretty hard and had to stop short
of using it in place of DNS so you may not like this approach;)
HTH.
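Both replies come down to the same mechanism: the secret lives as a string in a GPG-encrypted hiera YAML file, and Puppet either writes that string straight to a file (Derek's block scalar) or renders it into a template (Aaron's approach). The Ruby script below is an added example, not code from either poster or from the hiera-gpg project; it covers only what happens after hiera-gpg has decrypted the YAML. It shows why the literal block scalar `|` matters by parsing the same PEM text once as `|` and once as a folded `>` scalar (a constructed key named `folded_key_wrong`), writes the key to a file with the owner-only mode a private key needs, and renders a constructed ERB config template (`CONFIG_TEMPLATE`, with a constructed `db_password` key) the way a templated file would be populated. The key bodies and the `db.example.internal` host are placeholders.

```ruby
require 'yaml'
require 'erb'
require 'tmpdir'

# Constructed stand-in for the DECRYPTED contents of a hiera-gpg YAML file.
# hiera-gpg keeps this document GPG-encrypted on disk; everything below covers
# only what happens after decryption. The key bodies are placeholders, not
# real key material.
HIERA_YAML = <<~'YAML'
  db_password: "s3cret-placeholder"
  professor_plumbs_private_key: |
    -----BEGIN DSA PRIVATE KEY-----
    GOODSTUFFHERE
    THEGOODSTUFFCONTINUES
    -----END DSA PRIVATE KEY-----
  # Same text as a folded scalar ('>'): YAML joins the lines with spaces,
  # which silently destroys the PEM framing.
  folded_key_wrong: >
    -----BEGIN DSA PRIVATE KEY-----
    GOODSTUFFHERE
    THEGOODSTUFFCONTINUES
    -----END DSA PRIVATE KEY-----
YAML

# Constructed ERB template for a config file that only needs one secret string
# (Aaron's approach: template the file, keep just the string in hiera-gpg).
CONFIG_TEMPLATE = <<~'ERB'
  [database]
  host = db.example.internal
  password = <%= db_password %>
ERB

def load_hiera(yaml_text)
  YAML.safe_load(yaml_text)
end

# A key value is only usable as a file if the PEM header and footer are still
# separate lines after YAML parsing.
def pem_intact?(value, label = 'DSA PRIVATE KEY')
  lines = value.lines.map(&:chomp)
  lines.size >= 3 &&
    lines.first == "-----BEGIN #{label}-----" &&
    lines.last == "-----END #{label}-----"
end

# Equivalent of the file resource in Derek's post, written with the owner-only
# mode a private key needs. Returns the permission bits actually on disk.
def write_key_file(path, content)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
    f.write(content)
  end
  File.chmod(0o600, path) # the open() mode is ignored if the file already existed
  File.stat(path).mode & 0o777
end

def render_config(hiera)
  db_password = hiera.fetch('db_password')
  ERB.new(CONFIG_TEMPLATE).result(binding)
end

# Runs both approaches against the constructed data and returns the findings.
def demo
  hiera = load_hiera(HIERA_YAML)
  key = hiera['professor_plumbs_private_key']
  Dir.mktmpdir do |dir|
    key_path = File.join(dir, 'id_dsa')
    mode = write_key_file(key_path, key)
    {
      literal_ok: pem_intact?(key),
      folded_ok:  pem_intact?(hiera['folded_key_wrong']),
      mode:       mode,
      round_trip: File.read(key_path) == key,
      config:     render_config(hiera)
    }
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |name, value| puts "#{name}: #{value.inspect}" }
end
```

Running it reports `literal_ok: true` and `folded_ok: false`: the `|` value round-trips byte for byte into `id_dsa`, while the `>` value comes out as a single line that no SSH or TLS library will parse. The file resource in Derek's post would normally also carry `mode => '0600'` (and `owner`), since a private key that Puppet writes world-readable is exposed to every local user regardless of how carefully it was encrypted in hiera.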
Vaidas Jablonskis
2012-Oct-01  20:23 UTC
[Puppet Users] Re: Where do you store sensitive files with puppet+git approach?
Great stuff. I have a better idea now. Thanks for that, guys.