ReleaseEngineering/PuppetAgain/Secrets
In PuppetAgain, secrets are stored in Hiera.
Usage
To use a secret:
in manifests
class foo {
if (secret('builder_password') == "")
fail("missing password")
}
}
If you need to interpolate the value into a string, you'll need to use a class-local variable.
in templates
This is a little verbose:
<%= scope.function_secret(['signing_server_username']) %>
do not forget the [..] -- they are optional in puppet-2.7.x, but mandatory in 3.2.x.
Secrets Have Aspects
The secret() function will look for aspect-specific passwords for each aspect of the current host, using a suffix. For example, if a host has aspects "loaner" and "staging", then secret('root_password') will look for the following in hiera, using the first it finds:
root_password!loaner root_password!staging root_password
This is most useful around the 'staging' aspect, as it means that passwords for staging instances can be specified easily, with no conditionals in the module implementing the functionality.
Using EYAML
(This is pending completion of bug 891853)
Secrets are accessed via hiera, using hiera-eyaml. That means that the secrets files are regular YAML files, but contain ciphertext enclosed by ENC[..] where secrets are protected. The public and private keys used for this encryption are stored on the puppetmasters themselves.
To encrypt a new password, as root on a puppetmaster, give the name of the variable:
eyaml -e -o block -p -n 'root_pw_hash!loaner'
then copy/paste the result into `/etc/hiera/secrets.yaml` or into your own `/etc/hiera/environments/<username>_secrets.yaml`.
To check the value of a secret, use 'hiera':
hiera -c /etc/puppet/hiera.yaml root_pw_saltedsha512
Secrets
- root_pw_hash
- linux md5 password hash for the root password (No Default) (where to find)
- root_pw_pbkdf2
- Mac OS X 10.8 entropy for the root password (No Default) (where to find)
- root_pw_pbkdf2_salt
- Mac OS X 10.8 salt for the root password (No Default) (where to find)
- root_pw_pbkdf2_iterations
- Mac OS X 10.8 iterations for the root password (No Default) (where to find)
- root_pw_paddedsha1
- Mac OS X 10.6 password hash(No Default) (where to find)
- root_pw_saltedsha512
- Mac OS X 10.7 password hash(No Default) (where to find)
- builder_pw_hash
- linux md5 password hash for the builder user's password (No Default) (where to find)
- builder_pw_pbkdf2
- Mac OS X 10.8 entropy for the builder user's password (No Default) (where to find)
- builder_pw_pbkdf2_salt
- Mac OS X 10.8 salt for the builder user's password (No Default) (where to find)
- builder_pw_pbkdf2_iterations
- Mac OS X 10.8 iterations for the builder user's password (No Default) (where to find)
- builder_pw_paddedsha1
- Mac OS X 10.6 password hash(No Default) (where to find)
- builder_pw_saltedsha512
- Mac OS X 10.7 password hash for the builder user(No Default) (where to find)
- builder_pw_kcpassword_base64
- kcpassword-obfuscated cleartext of the builder user's password, for autologin on Darwin (No Default) (where to find)
- builder_pw_vnc_base64
- base64-encoded version of the password that should appear in ~/.vnc/passwd on Linux
- signer_pw_hash
- linux md5 password hash for the signer user's password (No Default) (where to find)
- signer_pw_pbkdf2
- Mac OS X 10.8 entropy for the signer user's password (No Default) (where to find)
- signer_pw_pbkdf2_salt
- Mac OS X 10.8 salt for the signer user's password (No Default) (where to find)
- signer_pw_pbkdf2_iterations
- Mac OS X 10.8 iterations for the signer user's password (No Default) (where to find)
- signer_pw_paddedsha1
- Mac OS X 10.6 password hash(No Default) (where to find)
- signer_pw_saltedsha512
- Mac OS X 10.7 password hash for the signer user(No Default) (where to find)
- mozpool_inventory_url
- base URL for the Mozilla inventory
- mozpool_inventory_username
- LDAP username for the Mozilla inventory
- mozpool_inventory_password
- LDAP password for the Mozilla inventory
- mozpool_db_hostname
- DB hostname for the Mozilla inventory
- mozpool_db_database
- DB name for the Mozilla inventory
- mozpool_db_username
- DB username for the Mozilla inventory
- mozpool_db_password
- DB password for the Mozilla inventory
- balrog_password
- Balrog password (used in buildmaster)
- balrog_username
- Balrog username (used in buildmaster)
- buildbot_schedulerdb_database
- Scheduler database (used in buildmaster)
- buildbot_schedulerdb_hostname
- Scheduler database hostname (used in buildmaster)
- buildbot_schedulerdb_password
- Scheduler database password(used in buildmaster)
- buildbot_schedulerdb_username
- Scheduler database username (used in buildmaster)
- buildbot_statusdb_database
- Statusdb database (used in buildmaster)
- buildbot_statusdb_hostname
- Statusdb database hostname (used in buildmaster)
- buildbot_statusdb_password
- Statusdb database password (used in buildmaster)
- buildbot_statusdb_username
- Statusdb database username (used in buildmaster)
- jetperf_oauth_key
- jetperf oauth key (used in buildmaster)
- jetperf_oauth_secret
- jetperf oauth secret (used in buildmaster)
- linux_tests_password
- Buildbot slave password for linux test hosts (used in buildmaster)
- mac_tests_password
- Buildbot slave password for mac test hosts (used in buildmaster)
- prod_bulid_password
- Buildbot slave password for production build hosts (used in buildmaster)
- pulse_exchange
- pulse exchange (used in buildmaster)
- pulse_password
- pulse password (used in buildmaster)
- pulse_username
- pulse username (used in buildmaster)
- signing_server_dep_password
- signing_server_nightly_password
- signing_server_release_password
- signing_server_username
- credentials for signing servers (used in buildmaster)
- talos_oauth_key
- talos oauth key (used in buildmaster)
- talos_oauth_secret
- talos oauth secret (used in buildmaster)
- try_build_password
- Buildbot slave password for try build hosts (used in buildmaster)
- tuxedo_password
- tuxedo_username
- tuxedo credentials (used in buildmaster)
- puppetsync_pubkey
- the SSH public key for the puppetsync user, set up during the puppetmaster bootstrapping process
- puppetmaster_deploy_htpasswd
- the htpasswd-hashed password used to protect the puppetmaster deployment CGI. Generate with htpasswd -n - deploy and only include the portion after "deploy:" in the secrets file
- network_regexps
- a list of regular expressions representing the local network. This is used by the deployment CGI to limit access to known subnets.
- google_api_key
- API key used for google services (used by build slaves)