canmove, Confirmed users
1,394
edits
ReleaseEngineering/PuppetAgain/Secrets: Difference between revisions
Jump to navigation
Jump to search
ReleaseEngineering/PuppetAgain/Secrets (view source)
Revision as of 19:02, 17 December 2013
, 17 December 2013→Using EYAML
| Line 31: | Line 31: | ||
Secrets are accessed via hiera, using hiera-eyaml. That means that the secrets files are regular YAML files, but contain ciphertext enclosed by ENC[..] where secrets are protected. The public and private keys used for this encryption are stored on the puppetmasters themselves. | Secrets are accessed via hiera, using hiera-eyaml. That means that the secrets files are regular YAML files, but contain ciphertext enclosed by ENC[..] where secrets are protected. The public and private keys used for this encryption are stored on the puppetmasters themselves. | ||
To encrypt a new password, as root on a puppetmaster, | To encrypt a new password, as root on a puppetmaster, use: | ||
eyaml - | eyaml encrypt --pkcs7-private-key /etc/hiera/keys/private_key.pem --pkcs7-public-key /etc/hiera/keys/public_key.pem \ | ||
--output examples --password -l 'foo | |||
where 'foo' is the name of the variable to set. Then copy/paste whichever result format you prefer into `/etc/hiera/secrets.eyaml` or into your own `/etc/hiera/environments/<username>_secrets.eyaml`. | |||
NOTE: This doesn't work right now - see {{bug|918070}}. Instead, use <tt>echo -n 'your password here' | eyaml -e -o block -n 'root_pw_hash!loaner'</tt> | |||
To check the value of a secret, use 'hiera': | To check the value of a secret, use 'hiera': | ||
hiera -c /etc/puppet/hiera.yaml root_pw_saltedsha512 | hiera -c /etc/puppet/hiera.yaml root_pw_saltedsha512 | ||
Once {{bug|918070}} is closed, you can omit the `-c`. | |||
== User Environments == | == User Environments == | ||