| Line 26: | Line 26: | ||
This is most useful around the 'staging' aspect, as it means that passwords for staging instances can be specified easily, with no conditionals in the module implementing the functionality. | This is most useful around the 'staging' aspect, as it means that passwords for staging instances can be specified easily, with no conditionals in the module implementing the functionality. | ||
== | == Using EYAML == | ||
(This is pending completion of bug 891853) | |||
Secrets are accessed via hiera, using hiera-eyaml. That means that the secrets files are regular YAML files, but contain ciphertext enclosed by ENC[..] where secrets are protected. The public and private keys used for this encryption are stored on the puppetmasters themselves. | |||
To encrypt a new password, as root on a puppetmaster, give the name of the variable: | |||
eyaml -e -o block -p -n 'root_pw_hash!loaner' | |||
then copy/paste the result into `/etc/hiera/secrets.yaml` or into your own `/etc/hiera/environments/<username>_secrets.yaml`. | |||
To check the value of a secret, use 'hiera': | |||
hiera -c /etc/puppet//hiera.yaml root_pw_saltedsha512 | |||
== Secrets == | |||
;'''root_pw_hash''' | ;'''root_pw_hash''' | ||
:linux md5 password hash for the root password ''(No Default)'' ([[ReleaseEngineering/PuppetAgain/Modules/users#Linux|where to find]]) | :linux md5 password hash for the root password ''(No Default)'' ([[ReleaseEngineering/PuppetAgain/Modules/users#Linux|where to find]]) | ||
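Review bot: the check command on the "To check the value of a secret" line has a doubled slash in `/etc/puppet//hiera.yaml`; it should read `hiera -c /etc/puppet/hiera.yaml root_pw_saltedsha512`. The encrypt step and the check step also use different key names (`root_pw_hash!loaner` versus `root_pw_saltedsha512`), so a reader cannot follow encrypt, paste, verify as one walkthrough; use the same key in both lines. The "(This is pending completion of bug 891853)" note should also be dropped or updated once that bug is resolved, so the section does not keep describing a workflow as pending after it is live.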