Secrets are accessed via hiera, using hiera-eyaml. That means that the secrets files are regular YAML files, but contain ciphertext enclosed by ENC[..] where secrets are protected. The public and private keys used for this encryption are stored on the puppetmasters themselves.
To encrypt a new *password*, as root on an [https://wiki.mozilla.org/ReleaseEngineering/Puppet#Masters authoritative puppetmaster], use:
eyaml encrypt --pkcs7-private-key /etc/hiera/keys/private_key.pem --pkcs7-public-key /etc/hiera/keys/public_key.pem \
--output examples --password -l 'foo'
where 'foo' is the name of the variable to set. Then copy/paste whichever result format you prefer into `/etc/hiera/secrets.eyaml` or into your own `/etc/hiera/environments/<username>_secrets.eyaml`. Double-check your work before saving -- if this file can't be parsed as valid YAML, all puppet runs will fail.
To encrypt a new *file* (e.g. a private key) rather than a password, pipe the contents of the file to the above command, and replace --password with --stdin, e.g.
cat secret_file | eyaml encrypt --pkcs7-private-key /etc/hiera/keys/private_key.pem --pkcs7-public-key /etc/hiera/keys/public_key.pem \
--output examples --stdin -l 'foo'
and update `/etc/hiera/secrets.eyaml` accordingly as per instructions above.
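One way to do the double-check described above before saving, as an added example (not code from this page or from hiera-eyaml): a Ruby check that the text parses as YAML and that every ENC[...] value is well formed, without touching the private key. The names `walk`, `eyaml_problems` and `SAMPLE` are made up for this example, and it assumes values use the `ENC[PKCS7,<base64>]` form that the commands above produce.

```ruby
require 'yaml'

# Visit every string value in the parsed document, tracking its key path.
def walk(node, path, &blk)
  case node
  when Hash   then node.each { |k, v| walk(v, path + [k.to_s], &blk) }
  when Array  then node.each_with_index { |v, i| walk(v, path + [i.to_s], &blk) }
  when String then blk.call(path.join('.'), node)
  end
end

# Returns a list of problems; empty means the text parses as YAML and every
# ENC[...] token is a PKCS7-tagged, strictly valid base64 blob. Nothing is
# decrypted, so no key material is needed.
def eyaml_problems(text)
  data = YAML.safe_load(text)
  return ['top level is not a mapping'] unless data.is_a?(Hash)
  problems = []
  walk(data, []) do |key, value|
    compact = value.gsub(/\s+/, '') # folded block values contain whitespace
    tokens = compact.scan(/ENC\[([^\]]*)\]/).flatten
    if compact.scan('ENC[').length != tokens.length
      problems << "#{key}: unterminated ENC[ block"
    end
    tokens.each do |token|
      scheme, b64 = token.split(',', 2)
      if scheme != 'PKCS7' || b64.to_s.empty?
        problems << "#{key}: expected ENC[PKCS7,<base64>]"
        next
      end
      begin
        b64.unpack1('m0') # strict RFC 4648 decode, raises on bad input
      rescue ArgumentError
        problems << "#{key}: ciphertext is not valid base64"
      end
    end
  end
  problems
rescue Psych::Exception => e
  ["not parseable as YAML: #{e.message}"]
end

# Constructed sample: placeholder base64, not real PKCS7 ciphertext.
SAMPLE = <<~EOS
  foo: ENC[PKCS7,SGVsbG8gd29ybGQ=]
  bar: >
    ENC[PKCS7,SGVsbG8g
    d29ybGQ=]
  baz: ENC[PKCS7,SGVsbG8gd29ybGQ
EOS

puts eyaml_problems(SAMPLE)
```

An empty result only shows the file is structurally sound; it does not prove the ciphertext decrypts with the puppetmaster's key.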
To check the value of a secret, use 'hiera':