Changes

ReleaseEngineering/PuppetAgain/Secrets

227 bytes added, 19:02, 17 December 2013

→‎Using EYAML

Secrets are accessed via hiera, using hiera-eyaml. That means that the secrets files are regular YAML files, but contain ciphertext enclosed by ENC[..] where secrets are protected. The public and private keys used for this encryption are stored on the puppetmasters themselves.

To encrypt a new password, as root on a puppetmaster, ~~give the name of the variable~~use:

eyaml encrypt -e -~~o block~~ pkcs7-p private-~~n 'root_pw_hash!loaner~~key /etc/hiera/keys/private_key.pem --pkcs7-public-key /etc/hiera/keys/public_key.pem \ --output examples --password -l 'foo

~~then~~ where 'foo' is the name of the variable to set. Then copy/paste ~~the~~ whichever result format you prefer into `/etc/hiera/secrets.eyaml` or into your own `/etc/hiera/environments/<username>_secrets.eyaml`. ~~However this doesn't work right now - see {{bug|918070}}. Instead:~~

NOTE: This doesn't work right now - see {{bug|918070}}. Instead, use <tt>echo -n 'your password here' | eyaml -e -o block -n 'root_pw_hash!loaner'</tt>

To check the value of a secret, use 'hiera':

hiera -c /etc/puppet/hiera.yaml root_pw_saltedsha512

Once {{bug|918070}} is closed, you can omit the `-c`.

== User Environments ==

Djmitche

Canmove, confirm

1,394

edits

Changes

ReleaseEngineering/PuppetAgain/Secrets

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

How to Contribute

MozillaWiki

Around Mozilla

Tools