CIDuty/How To/Add new secrets to Puppet Hiera

From MozillaWiki

Task Overview

If a developer asks for credentials to be added to Puppet, PuppetAgain and/or Hiera, as in bug 1402371, you need to access a puppet master, open a file which (at the time of writing this guide) has over 4300 lines, encrypt the passwords, back up files, create string names, verify everything and then share the name of the string(s).

Connect to puppet master

Once you have the credentials that need to be added to Puppet, connect as yourself to:

~$ ssh LDAP-USERNAME@releng-puppet2.srv.releng.mdc1.mozilla.com

After you are connected to the master, make yourself root:

~$ sudo su -

Now change directory to:

~$ cd /etc/hiera

Backup existing secrets file

This is very important! If anything goes wrong in the next steps, you will have a "safe spot" to come back to.

~$ cp /etc/hiera/secrets.eyaml /etc/hiera/secrets.eyaml.LDAP-YYYYMMDD

Example:

~$ cp /etc/hiera/secrets.eyaml /etc/hiera/secrets.eyaml.dlabici-20180322

Encrypt and add new credentials

Check if name is available

Before we do anything we need to check the "secrets vault" to make sure the name we want to use for our string is not already taken; we can do that with the following command. As an added example, I had to add 2 passwords, so I will list the commands I used to make sure the string names were free to be taken. Keep in mind: names should be all lowercase with underscores, like_this_for_example.

~$ hiera NAME_OF_STRING

Example for task which needs us to add AWS IAM credentials:

~$ hiera cloud_watcher_access_key_id
~$ hiera cloud_watcher_secret_access_key

If the command above returns "nil", the name is free and we can use it!

Encrypt the password/credential

Now that we have verified that the string name is usable, we can encrypt the credential and prepare to add it to secrets.eyaml. Simply run this command in the terminal:

~$ eyaml encrypt --pkcs7-private-key /etc/hiera/keys/private_key.pem --pkcs7-public-key /etc/hiera/keys/public_key.pem \
    --output examples --password -l 'NAME_OF_STRING_THAT_YOU_VERIFIED_LAST_STEP'

When you execute the command you will be asked to "Enter Password:"; this is where you type the credential you want to store securely. After you enter the password you will receive 2 outputs (the single-line string form and the multi-line block form). Copy the second one, as we will need it later. The output should look something like this:

cloud_watcher_access_key_id: >
    XXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Add the encrypted credentials to secrets.eyaml

Now that everything is ready, we have to add the credentials at the very end of the file. Open the file with your favorite editor and paste the block there, with 1 empty line above it! Save the file and then run the next step straight away. TIP: If you use nano to edit the file, press CTRL+SHIFT+_ (underscore) and, when asked which line number you want to jump to, press CTRL+V. Those 2 commands together will jump you to the very end of the file.

Validate the new secrets

Okay, now that we have added and saved everything we need, run the following command (it uses yaml.safe_load rather than a bare yaml.load, which newer PyYAML versions reject without an explicit Loader argument; the ENC[...] values are plain strings to the parser, so safe_load is sufficient):

~$ python -c "import yaml; yaml.safe_load(open('secrets.eyaml'))" && echo "pass" || echo "FAIL"

We are looking for the output to be "pass" and nothing else! If it says anything else, go back to the backup you made in step 3 (Backup existing secrets file) and restore it!

Okay, so the output is pass; is there a way to verify everything worked?

Yes! Simply run hiera name_of_your_string and, if you get an output that is not "nil", you are done! You have added new secrets to Puppet!
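The whole procedure above wrapped into one script, as an added example that is not part of this wiki page or of Mozilla's tooling: it enforces the naming rule, refuses names that hiera or the file already know, takes the backup, appends the block with exactly one empty line above it, validates the YAML and restores the backup on failure. It assumes the paths from the page and that eyaml, hiera and a Python with PyYAML are on the master; it asks eyaml for --output block so only the block form is produced (the page's --output examples prints both forms).

```bash
#!/bin/bash
# Added helper, not part of the wiki page or of Mozilla's tooling: wraps the
# manual steps so the name check, backup and YAML validation cannot be skipped.
set -eu

SECRETS=${SECRETS:-/etc/hiera/secrets.eyaml}   # path as given on the page
KEYS=/etc/hiera/keys                            # path as given on the page

# Names must be lowercase letters, digits and underscores only.
valid_secret_name() {
    case "$1" in
        ''|*[!a-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Offline check: is the name already a top-level key in the eyaml file?
# (complements `hiera NAME`, which also consults the rest of the hierarchy)
name_in_file() {
    grep -q "^$1:" "$2"
}

# Append a block read from stdin (the `NAME: >` output of eyaml encrypt)
# to the end of the file with exactly one empty line above it.
append_secret() {
    local name=$1 file=$2
    if name_in_file "$name" "$file"; then
        echo "refusing: $name is already present in $file" >&2
        return 1
    fi
    [ -z "$(tail -c1 "$file")" ] || printf '\n' >> "$file"  # ensure trailing newline
    printf '\n' >> "$file"                                   # the blank separator line
    cat >> "$file"
}

# Full procedure: check, back up, encrypt (block form only), append, validate, verify.
add_secret() {
    local name=$1 backup
    valid_secret_name "$name" || { echo "bad name: $name" >&2; return 1; }
    [ "$(hiera "$name")" = "nil" ] || { echo "$name is already defined" >&2; return 1; }
    backup="$SECRETS.${USER:-$(id -un)}-$(date +%Y%m%d)"
    cp "$SECRETS" "$backup"
    eyaml encrypt --pkcs7-private-key "$KEYS/private_key.pem" \
        --pkcs7-public-key "$KEYS/public_key.pem" \
        --output block --password -l "$name" | append_secret "$name" "$SECRETS"
    python -c "import sys, yaml; yaml.safe_load(open(sys.argv[1]))" "$SECRETS" \
        || { echo "secrets.eyaml no longer parses, restoring $backup" >&2; cp "$backup" "$SECRETS"; return 1; }
    hiera "$name"   # should now print something other than nil
}
```

Run it as root on the master with add_secret cloud_watcher_access_key_id; the three helper functions can be exercised on a scratch copy of the file without eyaml or hiera installed.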