5,469 bytes added, 17:09, 9 May 2013

In PuppetAgain, secrets are stored in <tt>manifests/extlookup/secrets.csv</tt>, which is org-specific and based on <tt>secrets-template.csv</tt> in the same directory.
== Usage ==
To use a secret:
=== in manifests ===
 class foo {
     # abort catalog compilation when the secret is unset or empty
     if (secret('builder_password') == "") {
         fail("missing password")
     }
 }
If you need to interpolate the value into a string, you'll need to use a class-local variable.
=== in templates ===
This is a little verbose:
<%= scope.function_secret(['signing_server_username']) %>
Do ''not'' forget the square brackets <tt>[..]</tt> around the argument: they are optional in puppet-2.7.x, but mandatory in 3.2.x.
== Secrets Have Aspects ==
The <tt>secret()</tt> function will look for aspect-specific passwords for each [[ReleaseEngineering/PuppetAgain/Aspects|aspect]] of the current host, using a suffix. For example, if a host has aspects "loaner" and "staging", then <tt>secret('root_password')</tt> will look for the following in the CSV file, using the first it finds:
root_password!loaner
root_password!staging
root_password
This is most useful around the 'staging' aspect, as it means that passwords for staging instances can be specified easily, with no conditionals in the module implementing the functionality.
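The lookup order described above, as an added Ruby example (not PuppetAgain's own <tt>secret()</tt> code). It assumes a two-column key,value CSV and that an unmatched secret resolves to the empty string, as the manifest check suggests; the function names and sample rows are constructed for illustration.

```ruby
# Constructed sample rows in key,value layout; all values are placeholders.
SAMPLE_SECRETS_CSV = <<~ROWS
  root_password,prod-placeholder
  root_password!staging,staging-placeholder
  builder_password!loaner,loaner-placeholder
  vnc_password,
ROWS

# Parse "key,value" lines into a Hash. Only the first comma separates
# key from value, so a value may itself contain commas.
def load_secrets(csv_text)
  csv_text.each_line.each_with_object({}) do |line, table|
    line = line.strip
    next if line.empty?
    key, value = line.split(',', 2)
    table[key.strip] = value.to_s.strip
  end
end

# Candidate keys in lookup order: "name!aspect" for each aspect of the
# host, in the order given, then the bare name as the fallback.
def candidate_keys(name, aspects)
  aspects.map { |aspect| "#{name}!#{aspect}" } + [name]
end

# Return [matched_key, value] for the first candidate present in the table,
# or [nil, ""] when no candidate exists (assumed behaviour, see lead-in).
def resolve_secret(table, name, aspects)
  key = candidate_keys(name, aspects).find { |k| table.key?(k) }
  key ? [key, table[key]] : [nil, '']
end

# Names from `required` that resolve to an empty value for a host with
# these aspects; useful as a pre-deploy check on an org's secrets file.
def missing_secrets(table, required, aspects)
  required.select { |name| resolve_secret(table, name, aspects)[1].empty? }
end

if __FILE__ == $PROGRAM_NAME
  table = load_secrets(SAMPLE_SECRETS_CSV)
  p resolve_secret(table, 'root_password', %w[loaner staging])
  p missing_secrets(table, %w[root_password builder_password vnc_password], %w[staging])
end
```

Returning the matched key alongside the value makes it easy to confirm that a staging host is not silently falling back to the unsuffixed production entry.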
== Variables ==
;'''root_pw_hash'''
:Linux MD5 password hash for the root password ''(No Default)'' ([[ReleaseEngineering/PuppetAgain/Modules/users#Linux|where to find]])
;'''root_pw_pbkdf2'''
:Mac OS X 10.8 entropy for the root password ''(No Default)'' ([[ReleaseEngineering/PuppetAgain/Modules/users#Darwin|where to find]])
;'''root_pw_pbkdf2_salt'''
:Mac OS X 10.8 salt for the root password ''(No Default)'' ([[ReleaseEngineering/PuppetAgain/Modules/users#Darwin|where to find]])
;'''root_pw_pbkdf2_iterations'''
:Mac OS X 10.8 iterations for the root password ''(No Default)'' ([[ReleaseEngineering/PuppetAgain/Modules/users#Darwin|where to find]])
;'''root_pw_saltedsha512'''
:Mac OS X 10.7 password hash ''(No Default)'' ([[ReleaseEngineering/PuppetAgain/Modules/users#Darwin|where to find]])
;'''builder_pw_hash'''
:Linux MD5 password hash for the builder user's password ''(No Default)'' ([[ReleaseEngineering/PuppetAgain/Modules/users#Linux|where to find]])
;'''builder_pw_pbkdf2'''
:Mac OS X 10.8 entropy for the builder user's password ''(No Default)'' ([[ReleaseEngineering/PuppetAgain/Modules/users#Darwin|where to find]])
;'''builder_pw_pbkdf2_salt'''
:Mac OS X 10.8 salt for the builder user's password ''(No Default)'' ([[ReleaseEngineering/PuppetAgain/Modules/users#Darwin|where to find]])
;'''builder_pw_pbkdf2_iterations'''
:Mac OS X 10.8 iterations for the builder user's password ''(No Default)'' ([[ReleaseEngineering/PuppetAgain/Modules/users#Darwin|where to find]])
;'''builder_pw_saltedsha512'''
:Mac OS X 10.7 password hash for the builder user ''(No Default)'' ([[ReleaseEngineering/PuppetAgain/Modules/users#Darwin|where to find]])
;'''builder_pw_kcpassword_base64'''
:kcpassword-obfuscated cleartext of the builder user's password, for autologin on Darwin ''(No Default)'' ([[ReleaseEngineering/PuppetAgain/Modules/users#Darwin|where to find]])
;'''builder_pw_vnc_base64'''
:base64-encoded version of the password that should appear in ''~/.vnc/passwd'' on Linux
;'''mozpool_inventory_url'''
: base URL for the Mozilla inventory
;'''mozpool_inventory_username'''
: LDAP username for the Mozilla inventory
;'''mozpool_inventory_password'''
: LDAP password for the Mozilla inventory
;'''mozpool_db_hostname'''
: DB hostname for the Mozilla inventory
;'''mozpool_db_database'''
: DB name for the Mozilla inventory
;'''mozpool_db_username'''
: DB username for the Mozilla inventory
;'''mozpool_db_password'''
: DB password for the Mozilla inventory
;'''balrog_password'''
: Balrog password (used in buildmaster)
;'''balrog_username'''
: Balrog username (used in buildmaster)
;buildbot_schedulerdb_database
: Scheduler database (used in buildmaster)
;buildbot_schedulerdb_hostname
: Scheduler database hostname (used in buildmaster)
;buildbot_schedulerdb_password
: Scheduler database password (used in buildmaster)
;buildbot_schedulerdb_username
: Scheduler database username (used in buildmaster)
;buildbot_statusdb_database
: Statusdb database (used in buildmaster)
;buildbot_statusdb_hostname
: Statusdb database hostname (used in buildmaster)
;buildbot_statusdb_password
: Statusdb database password (used in buildmaster)
;buildbot_statusdb_username
: Statusdb database username (used in buildmaster)
;jetperf_oauth_key
:jetperf oauth key (used in buildmaster)
;jetperf_oauth_secret
:jetperf oauth secret (used in buildmaster)
;linux_tests_password
:Buildbot slave password for linux test hosts (used in buildmaster)
;mac_tests_password
:Buildbot slave password for mac test hosts (used in buildmaster)
;prod_bulid_password
:Buildbot slave password for production build hosts (used in buildmaster)
;pulse_exchange
:pulse exchange (used in buildmaster)
;pulse_password
:pulse password (used in buildmaster)
;pulse_username
:pulse username (used in buildmaster)
;signing_server_dep_password
;signing_server_nightly_password
;signing_server_release_password
;signing_server_username
:credentials for signing servers (used in buildmaster)
;talos_oauth_key
:talos oauth key (used in buildmaster)
;talos_oauth_secret
:talos oauth secret (used in buildmaster)
;try_build_password
:Buildbot slave password for try build hosts (used in buildmaster)
;tuxedo_password
;tuxedo_username
:tuxedo credentials (used in buildmaster)