ReleaseEngineering/PuppetAgain/Secrets

From MozillaWiki
< ReleaseEngineering‎ | PuppetAgain
Revision as of 17:09, 9 May 2013 by Djmitche (talk | contribs) (Created page with "In PuppetAgain, secrets are stored in <tt>manifests/extlookup/secrets.csv</tt>, which is org-specific and based on <tt>secrets-template.csv</tt> in the same directory, == Usa...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

In PuppetAgain, secrets are stored in manifests/extlookup/secrets.csv, which is org-specific and based on secrets-template.csv in the same directory,

Usage

To use a secret:

in manifests

class foo {
  if (secret('builder_password') == "")
     fail("missing password")
  }
}

If you need to interpolate the value into a string, you'll need to use a class-local variable.

in templates

This is a little verbose: 

 <%= scope.function_secret(['signing_server_username']) %>

do not forget the [..] -- they are optional in puppet-2.7.x, but mandatory in 3.2.x.

Secrets Have Aspects

The secret() function will look for aspect-specific passwords for each aspect of the current host, using a suffix. For example, if a host has aspects "loaner" and "staging", then secret('root_password') will look for the following in the CSV file, using the first it finds: 

 root_password!loaner
 root_password!staging
 root_password

This is most useful around the 'staging' aspect, as it means that passwords for staging instances can be specified easily, with no conditionals in the module implementing the functionality.

Variables

root_pw_hash
linux md5 password hash for the root password (No Default) (where to find)
root_pw_pbkdf2
Mac OS X 10.8 entropy for the root password (No Default) (where to find)
root_pw_pbkdf2_salt
Mac OS X 10.8 salt for the root password (No Default) (where to find)
root_pw_pbkdf2_iterations
Mac OS X 10.8 iterations for the root password (No Default) (where to find)
root_pw_saltedsha512
Mac OS X 10.7 password hash(No Default) (where to find)
builder_pw_hash
linux md5 password hash for the builder user's password (No Default) (where to find)
builder_pw_pbkdf2
Mac OS X 10.8 entropy for the builder user's password (No Default) (where to find)
builder_pw_pbkdf2_salt
Mac OS X 10.8 salt for the builder user's password (No Default) (where to find)
builder_pw_pbkdf2_iterations
Mac OS X 10.8 iterations for the builder user's password (No Default) (where to find)
builder_pw_saltedsha512
Mac OS X 10.7 password hash for the builder user(No Default) (where to find)
builder_pw_kcpassword_base64
kcpassword-obfuscated cleartext of the builder user's password, for autologin on Darwin (No Default) (where to find)
builder_pw_vnc_base64
base64-encoded version of the password that should appear in ~/.vnc/passwd on Linux
mozpool_inventory_url
base URL for the Mozilla inventory
mozpool_inventory_username
LDAP username for the Mozilla inventory
mozpool_inventory_password
LDAP password for the Mozilla inventory
mozpool_db_hostname
DB hostname for the Mozilla inventory
mozpool_db_database
DB name for the Mozilla inventory
mozpool_db_username
DB username for the Mozilla inventory
mozpool_db_password
DB password for the Mozilla inventory
balrog_password
Balrog password (used in buildmaster)
balrog_username
Balrog username (used in buildmaster)
buildbot_schedulerdb_database
Scheduler database (used in buildmaster)
buildbot_schedulerdb_hostname
Scheduler database hostname (used in buildmaster)
buildbot_schedulerdb_password
Scheduler database password(used in buildmaster)
buildbot_schedulerdb_username
Scheduler database username (used in buildmaster)
buildbot_statusdb_database
Statusdb database (used in buildmaster)
buildbot_statusdb_hostname
Statusdb database hostname (used in buildmaster)
buildbot_statusdb_password
Statusdb database password (used in buildmaster)
buildbot_statusdb_username
Statusdb database username (used in buildmaster)
jetperf_oauth_key
jetperf oauth key (used in buildmaster)
jetperf_oauth_secret
jetperf oauth secret (used in buildmaster)
linux_tests_password
Buildbot slave password for linux test hosts (used in buildmaster)
mac_tests_password
Buildbot slave password for mac test hosts (used in buildmaster)
prod_bulid_password
Buildbot slave password for production build hosts (used in buildmaster)
pulse_exchange
pulse exchange (used in buildmaster)
pulse_password
pulse password (used in buildmaster)
pulse_username
pulse username (used in buildmaster)
signing_server_dep_password
signing_server_nightly_password
signing_server_release_password
signing_server_username
credentials for signing servers (used in buildmaster)
talos_oauth_key
talos oauth key (used in buildmaster)
talos_oauth_secret
talos oauth secret (used in buildmaster)
try_build_password
Buildbot slave password for try build hosts (used in buildmaster)
tuxedo_password
tuxedo_username
tuxedo credentials (used in buildmaster)
Retrieved from "https://wiki.mozilla.org/index.php?title=ReleaseEngineering/PuppetAgain/Secrets&oldid=654036"