I am having a bit of difficulty implementing hiera-gpg, particularly with accomplishing the decryption in my manifests. Can anyone either provide a simple example or point me to a good resource? I have searched a lot and am still struggling.

Any help would be very appreciated!

Thanks!
Bee

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.
On Thu, Aug 29, 2013 at 05:47:41PM -0400, Worker Bee wrote:
> I am having a bit of difficulty implementing hiera-gpg, particularly with
> accomplishing the decryption in my manifests. Can anyone either provide
> a simple example or point me to a good resource?

You just need to have the hiera-gpg gem installed, make sure that gpg is listed in the backends array in hiera.yaml, then the puppet user needs to have the private key configured within its $HOME/.gnupg, where $HOME is usually /var/lib/puppet.

By default pgp keys are encrypted with a passphrase, which would need to be supplied and held in a running keyring for that user, so I was previously working around this by using a non-passphrase-protected subkey.

I've now however moved away from hiera-gpg due to performance overhead on large catalogs and moved to a git post-commit hook that decrypts any .gpg files to .yaml within a dedicated hierarchy for decrypted files, using that same insecure private subkey.

Cheers,
--
Richard Clark
richard@fohnet.co.uk
I am looking for some manifest examples, if anyone has any to share!

On Fri, Aug 30, 2013 at 7:16 AM, Richard Clark <richard@fohnet.co.uk> wrote:
Did you read this: http://www.craigdunn.org/2011/10/secret-variables-in-puppet-with-hiera-and-gpg/
Your manifests look the same. You do a hiera lookup just as you would if you weren't using the GPG integration. It's just another data store for hiera.

You do need to set that up, as other people have mentioned. But it's no different in the manifests.

On Fri, Aug 30, 2013 at 6:30 AM, Worker Bee <beeworker08@gmail.com> wrote:
Hi Guys;

I really appreciate your help and apologize for the continued questions... however, apparently, I am missing something here. I cannot get this working.

I have set hiera-gpg up as per the docs I can find but I still cannot seem to get my manifests correct. If someone would kindly provide a sample manifest, I would be grateful!

Also, per Craig Dunn's blog, he is placing hieradata files in /etc/puppet/hieradata/live. Is the "live" subdir required? Is there some sort of environment limitation that requires the files live in this subdir?

Thank you very much!
Bee

On Fri, Aug 30, 2013 at 1:31 PM, Rich Burroughs <rich@richburroughs.com> wrote:
I am pretty sure I still have something wrong with my set up but I just cannot seem to see what it is...

Notice if I attempt to decrypt via the command line and do not indicate "env=live", it fails:

[root@me puppet]# hiera -c /etc/puppet/hiera.yaml rootpwd calling_module=motd
nil
[root@me puppet]# hiera -c /etc/puppet/hiera.yaml rootpwd calling_module=motd env=live
rootpass

________________________________________________________________________________
[root@me puppet]# more hiera.yaml
---
:backends:
  - yaml
  - gpg

:logger: console

:hierarchy:
  - %{env}/%{location}/%{calling_module}
  - %{env}/%{calling_module}
  - common

:yaml:
  :datadir: /etc/puppet/hieradata

:gpg:
  :datadir: /etc/puppet/hieradata
_________________________________________________

My encrypted files are in /etc/puppet/hieradata/live.

Thanks in advance for any help!
Bee

On Tue, Sep 3, 2013 at 11:38 AM, Worker Bee <beeworker08@gmail.com> wrote:
I just started a big reply to your last email and it looks like you've figured most of it out. At least you're not still thinking "manifests"; your problem is in hiera.yaml ;-)

On Tuesday, September 3, 2013 5:04:19 PM UTC+1, Worker Bee wrote:
> Notice if I attempt to decrypt via the command line and do not indicate
> "env=live", it fails:
> [root@me puppet]# hiera -c /etc/puppet/hiera.yaml rootpwd calling_module=motd
> nil
> [root@me puppet]# hiera -c /etc/puppet/hiera.yaml rootpwd calling_module=motd env=live
> rootpass

The reason that works is written in your hiera.yaml config below. You've told Hiera that your hierarchy contains the variable %{env}. Now while that works fine on the command line, when the hiera function is called during catalog compilation in a manifest I'm betting that the 'env' variable does not exist, which is why your key is not found. What is %{env}? Did you copy it straight from Craig's blog or do you actually use it in your hierarchy?

From the way you've got your hierarchy specified now, if I ran a find across your hieradata directory, this is what I'd expect to find:

/etc/puppet/hieradata/some_env/some_location/some_calling_module.yaml
/etc/puppet/hieradata/some_env/some_location/some_calling_module.gpg
/etc/puppet/hieradata/some_env/some_calling_module.yaml
/etc/puppet/hieradata/some_env/some_calling_module.gpg
/etc/puppet/hieradata/common.yaml
/etc/puppet/hieradata/common.gpg

The hierarchy you've got must match the path of the Hiera data files in that directory.

When run from the command line, the %{env}, %{location} and %{calling_module} variables are passed on the command line. When the hiera function call is made during a Puppet catalog compilation then those variables must be defined for that node ($env, $location, but $calling_module is implicit), either as Facter facts or as normal variables in a Puppet manifest.

... That's not explained very well but I can't think of a better way to phrase it yet. Does that help so far?

> [root@me puppet]# more hiera.yaml
> ---
> :backends:
>   - yaml
>   - gpg
>
> :logger: console
>
> :hierarchy:
>   - %{env}/%{location}/%{calling_module}
>   - %{env}/%{calling_module}
>   - common
>
> :yaml:
>   :datadir: /etc/puppet/hieradata
>
> :gpg:
>   :datadir: /etc/puppet/hieradata
>
> My encrypted files are in /etc/puppet/hieradata/live.
> ... That's not explained very well but I can't think of a better way to
> phrase it yet. Does that help so far?

Perhaps I can show you what I mean. Run these commands and look at the debug output in what files Hiera is trying to open; see how it's interpreting each variable you add on the command line as new sub directories of your hieradata directory, based on how you use the %{env}, %{location} and %{calling_module} variables in hiera.yaml.

hiera -c /etc/puppet/hiera.yaml rootpwd calling_module=motd --debug
hiera -c /etc/puppet/hiera.yaml rootpwd calling_module=motd env=live --debug
hiera -c /etc/puppet/hiera.yaml rootpwd calling_module=motd env=live location=woofwoof --debug

Once you understand that, you've got to get those variables into your Puppet manifest before the hiera() function call. This is a very very very bad example, but it shows how you need to have those variables present in the manifest for Hiera to use them in a lookup:

class motd {
  $env = 'live'
  # $calling_module -- should be an automatic variable given to you by Puppet's hiera() function call
  $location = ''
  $rootpwd = hiera('rootpwd')
}
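To make the debug runs above concrete, here is a small Ruby model (written for this edit, not code from Luke, Bee or the hiera-gpg project) of how Hiera 1.x expands the hierarchy in Bee's hiera.yaml against a set of variables, which files it tries in which order, and which one answers the lookup. The datadir contents are a constructed hash, the empty-string expansion of an undefined variable is an assumption modelled on Hiera 1 behaviour, and the script also goes one step beyond the thread by showing why a plaintext .yaml left beside a .gpg file is read first.

```ruby
# Added example, not from the thread: a model of Hiera 1.x hierarchy expansion
# and first-found lookup for the hiera.yaml posted in this thread. Runs offline;
# no hiera, puppet or gpg needed.

# The relevant parts of Bee's hiera.yaml (both backends share one datadir).
CONFIG = {
  backends:  %w[yaml gpg],
  datadir:   '/etc/puppet/hieradata',
  hierarchy: [
    '%{env}/%{location}/%{calling_module}',
    '%{env}/%{calling_module}',
    'common',
  ],
}.freeze

# Constructed stand-in for the datadir: path => key/value pairs. The .gpg
# entry represents what hiera-gpg would see after decrypting that file.
FAKE_DATADIR = {
  '/etc/puppet/hieradata/live/motd.gpg' => { 'rootpwd' => 'rootpass' },
  '/etc/puppet/hieradata/common.yaml'   => { 'motd'    => 'welcome' },
}.freeze

# Expand %{var} references from the scope. A variable the scope does not
# define expands to an empty string (assumption modelled on Hiera 1), so a
# missing $env quietly yields a path like "//motd" instead of "live/motd".
def interpolate(template, scope)
  template.gsub(/%\{(\w+)\}/) { scope.fetch(Regexp.last_match(1), '').to_s }
end

# Files Hiera would try, in order. Each backend walks the whole hierarchy
# before the next backend is consulted, so the yaml backend is exhausted
# before gpg is even asked; a plaintext .yaml beside a .gpg file therefore
# wins, which is the fallback Bee hit later in the thread.
def candidate_paths(scope, config: CONFIG)
  config[:backends].flat_map do |backend|
    config[:hierarchy].map do |tmpl|
      "#{config[:datadir]}/#{interpolate(tmpl, scope)}.#{backend}"
    end
  end
end

# First-found lookup. Returns [value, answering_path, paths_tried].
# `scope` plays the role of the key=value pairs on the hiera command line,
# or of the node's facts and manifest variables during catalog compilation.
def lookup(key, scope, config: CONFIG, files: FAKE_DATADIR)
  tried = []
  candidate_paths(scope, config: config).each do |path|
    tried << path
    data = files[path]
    return [data[key], path, tried] if data && data.key?(key)
  end
  [nil, nil, tried]
end

# Render the equivalent of `hiera --debug` output for a scope.
def explain(key, scope, **opts)
  value, path, tried = lookup(key, scope, **opts)
  lines = tried.map { |p| "  looking for #{p}" }
  lines << (path ? "  found #{key} in #{path}: #{value}" : "  #{key} not found (nil)")
  lines.join("\n")
end

if $PROGRAM_NAME == __FILE__
  puts 'calling_module=motd only:', explain('rootpwd', { 'calling_module' => 'motd' })
  puts 'calling_module=motd env=live:',
       explain('rootpwd', { 'calling_module' => 'motd', 'env' => 'live' })
end
```

Without env in the scope the first two hierarchy levels expand to paths that do not exist, so only common.yaml/common.gpg are ever read and rootpwd comes back nil, exactly as in Bee's first command line.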
Hi Luke;

So, what you said does make sense and I did make the changes you explained to my manifest and it worked! :)

I am confused though and I am so sorry to be so ignorant.... but what does %{location} refer to?

Thank you VERY, VERY much!

bee

On Tue, Sep 3, 2013 at 12:18 PM, Luke Bigum <Luke.Bigum@lmax.com> wrote:
Ughh; and I spoke too soon.... for some reason, it is not decrypting when running via puppet run/manifest (I had mistakenly left the unencrypted in the directory and it was failing back to reading the yaml...._ Thanks! On Tue, Sep 3, 2013 at 4:03 PM, Worker Bee <beeworker08@gmail.com> wrote:> Hi Luke; > > So, what you said does make sense and, I did make the changes you > explained to my manifest and it worked! :) > > I am confused though and I am so sorry to be so ignorant.... but, what > does %{location} refer to? > > Thank you VERY, VERY much! > > bee > > > On Tue, Sep 3, 2013 at 12:18 PM, Luke Bigum <Luke.Bigum@lmax.com> wrote: > >> I just started a big reply to your last email and it looks like you''ve >> figured most of it out. At least your not still thinking "manifests" your >> problem is in hiera.yaml ;-) >> >> >> On Tuesday, September 3, 2013 5:04:19 PM UTC+1, Worker Bee wrote: >>> >>> I am pretty sure I still have something wrong with my set up but, I just >>> cannot seem to see what it is... >>> >>> Notice if I attempt to decrypt vi the command line and do not indicate >>> "env=live", it fails.. >>> [root@me puppet]# hiera -c /etc/puppet/hiera.yaml rootpwd >>> calling_module=motd >>> nil >>> [root@me puppet]# hiera -c /etc/puppet/hiera.yaml rootpwd >>> calling_module=motd env=live >>> rootpass >>> >>> >> The reason that works is written in your hiera.yaml config below. You''ve >> told Hiera that your Hierarchy contains the variable %{env}. Now while that >> works fine on the command line, when the Hiera function is called during >> catalog compilation in a manifest I''m betting that the ''env'' variable does >> not exist, which is why your key is not found. What is %{env}? Did you copy >> it straight from Craig''s blog or do you actually use it in your Hierarchy? 
>> From the way you've got your Hierarchy specified now, if I ran a find across your hieradata directory, this is what I'd expect to find:
>>
>> /etc/puppet/hieradata/some_env/some_location/some_calling_module.yaml
>> /etc/puppet/hieradata/some_env/some_location/some_calling_module.gpg
>> /etc/puppet/hieradata/some_env/some_calling_module.yaml
>> /etc/puppet/hieradata/some_env/some_calling_module.gpg
>> /etc/puppet/hieradata/common.yaml
>> /etc/puppet/hieradata/common.gpg
>>
>> The hierarchy you've got must match the path of the Hiera data files in that directory.
>>
>> When run from the command line, the %{env}, %{location} and %{calling_module} variables are passed on the command line. When the hiera function call is made during a Puppet catalog compilation then those variables must be defined for that node ($env, $location, but $calling_module is implicit), either as Facter Facts or as normal variables in a Puppet manifest.
>>
>> ... That's not explained very well but I can't think of a better way to phrase it yet. Does that help so far?
>>
>>> ____________________________________________________________
>>> [root@me puppet]# more hiera.yaml
>>> ---
>>> :backends:
>>>   - yaml
>>>   - gpg
>>>
>>> :logger: console
>>>
>>> :hierarchy:
>>>   - %{env}/%{location}/%{calling_module}
>>>   - %{env}/%{calling_module}
>>>   - common
>>>
>>> :yaml:
>>>   :datadir: /etc/puppet/hieradata
>>>
>>> :gpg:
>>>   :datadir: /etc/puppet/hieradata
>>>
>>> ____________________________________________________________
>>> my encrypted files are in /etc/puppet/hieradata/live
>>>
>>> Thanks in advance for any help!
>>> Bee
>>>
>>> On Tue, Sep 3, 2013 at 11:38 AM, Worker Bee <beewo...@gmail.com> wrote:
>>>> Hi Guys;
>>>>
>>>> I really appreciate your help and apologize for the continued questions... however, apparently, I am missing something here. I cannot get this working.
>>>> I have set hiera-gpg up as per the docs I can find but, I still cannot seem to get my manifests correct. If someone would kindly provide a sample manifest, I would be grateful!
>>>>
>>>> Also, per Craig Dunn's blog, he is placing hieradata files in /etc/puppet/hieradata/live. Is the "live" subdir required? Is there some sort of environment limitation that requires the files live in this subdir?
>>>>
>>>> Thank you very much!
>>>> Bee
>>>>
>>>> On Fri, Aug 30, 2013 at 1:31 PM, Rich Burroughs <ri...@richburroughs.com> wrote:
>>>>> Your manifests look the same. You do a hiera lookup just as you would if you weren't using the GPG integration. It's just another data store for hiera.
>>>>>
>>>>> You do need to set that up, as other people have mentioned. But it's no different in the manifests.
>>>>>
>>>>> On Fri, Aug 30, 2013 at 6:30 AM, Worker Bee <beewo...@gmail.com> wrote:
>>>>>> I am looking for some manifest examples, if anyone has any to share!
>>>>>>
>>>>>> On Fri, Aug 30, 2013 at 7:16 AM, Richard Clark <ric...@fohnet.co.uk> wrote:
>>>>>>> On Thu, Aug 29, 2013 at 05:47:41PM -0400, Worker Bee wrote:
>>>>>>> > I am having a bit of difficulty implementing hiera-gpg; particularly with accomplishing the decryption in my manifests. Can anyone either provide a simple example or point me to a good resource? I have searched a lot and am still struggling.
>>>>>>> >
>>>>>>> > Any help would be very appreciated!
>>>>>>> >
>>>>>>> > Thanks!
>>>>>>> > Bee
>>>>>>>
>>>>>>> You just need to have the hiera-gpg gem installed, make sure that gpg is listed in the backends array in hiera.yaml, then the puppet user needs to have the private key configured within its $HOME/.gnupg, where $HOME is usually /var/lib/puppet.
>>>>>>> By default pgp keys are encrypted with a passphrase, which would need to be supplied and held in a running keyring for that user, so I was previously working around this by using a non-passphrase protected subkey.
>>>>>>>
>>>>>>> I've now however moved away from hiera-gpg due to performance overhead on large catalogs and moved to a git post-commit hook that decrypts any .gpg files to .yaml within a dedicated hierarchy for decrypted files, using that same insecure private subkey.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> --
>>>>>>> Richard Clark
>>>>>>> ric...@fohnet.co.uk
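As an added example, not code from the thread or from hiera-gpg itself, the Ruby below reads the hiera.yaml quoted above, lists the data files Hiera would consult for a given scope (Luke's "find across your hieradata directory"), and flags a plaintext .yaml left beside its .gpg twin, the leftover copy that made Bee's lookup fall back to the yaml backend. The scope hash and the `nyc` location are constructed, and dropping a level whose variable is undefined is this script's simplification of what Hiera does.

```ruby
require "yaml"
# The hiera.yaml quoted in the thread (interpolated levels quoted for YAML).
HIERA_YAML = <<~YAML
  :backends:
    - yaml
    - gpg
  :hierarchy:
    - "%{env}/%{location}/%{calling_module}"
    - "%{env}/%{calling_module}"
    - common
  :yaml:
    :datadir: /etc/puppet/hieradata
  :gpg:
    :datadir: /etc/puppet/hieradata
YAML
CONFIG = YAML.safe_load(HIERA_YAML, permitted_classes: [Symbol])

# Expand %{var} tokens from the scope (what Puppet supplies during catalog
# compilation, or "env=live" on the command line). A level that names an
# undefined variable is dropped here, since no data file can match it.
def interpolate(entry, scope)
  missing = false
  path = entry.gsub(/%\{(\w+)\}/) do
    value = scope[Regexp.last_match(1)]
    missing ||= value.nil?
    value.to_s
  end
  missing ? nil : path
end

# Files consulted in lookup order: every level for the first backend, then
# every level for the next, so a plaintext motd.yaml beside motd.gpg answers first.
def candidate_files(scope, cfg = CONFIG)
  cfg[:backends].flat_map do |backend|
    cfg[:hierarchy].filter_map do |entry|
      path = interpolate(entry, scope) or next
      File.join(cfg[backend.to_sym][:datadir], "#{path}.#{backend}")
    end
  end
end

# Plaintext .yaml files sitting beside a .gpg file of the same name: the
# leftover decrypted copies that should not be in the datadir at all.
def shadowed_secrets(scope, cfg = CONFIG)
  candidate_files(scope, cfg).filter_map do |file|
    next unless file.end_with?(".gpg")
    plain = file.sub(/\.gpg\z/, ".yaml")
    plain if File.exist?(file) && File.exist?(plain)
  end
end
```

Running `shadowed_secrets({ "env" => "live", "calling_module" => "motd" })` on the puppet master lists the plaintext copies that would be read before the encrypted ones.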