Managing sensitive strings with puppet


Ryan Stewart

Dec 22, 2011, 3:00:36 PM
to Puppet Users
I'm new to Puppet, and I'm a software developer, not a sysadmin, so be
gentle. I have puppet managing some files via templates, and one of
the template variables that needs to be plugged in is a password of
sorts that shouldn't be generally available. In particular, it can't
be stored in the manifest, as that's stored in version control, and
the password shouldn't be available there. Basically, the only place
it's okay for this password to be stored is on the systems that will
be using it.

What would be the "Puppet way" of getting this string into the
configuration?

Nigel Kersten

Dec 23, 2011, 12:33:53 PM
to puppet...@googlegroups.com

Does that help? 

I've done this in the past without hiera, where you have a function that runs on the master to decrypt the content out of version control, but the above makes it pretty simple.

--
Nigel Kersten
Product Manager, Puppet Labs
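The second option Nigel mentions, a function that runs on the master and decrypts content that is kept encrypted in version control, can be sketched as follows. This is an added example, not code from the thread, from Puppet Labs or from the linked article: the ciphertext blob is what gets committed, the 32-byte raw key sits only on the master, and the module refuses a key file that other users can read. The function name `decrypt_secret`, the key path `/etc/puppet/secret.key` and the AES-256-GCM/JSON blob format are all assumptions chosen for the illustration. Bear in mind that whatever the function returns still ends up in the compiled catalog and in the agent's catalog cache, so the value is only as protected as those files.

```ruby
# Added example: master-side secret decryption in the style of the
# "decrypt on the master" function described above. Not Puppet's code.
require 'openssl'
require 'base64'
require 'json'
require 'tmpdir'

module SecretStore
  CIPHER = 'aes-256-gcm'  # assumed format; AEAD so tampering is detected

  # Encrypt a plaintext for storage in version control. Output is a JSON
  # blob holding base64 IV, ciphertext and GCM tag; the key never leaves
  # the master.
  def self.encrypt(plaintext, key)
    c = OpenSSL::Cipher.new(CIPHER)
    c.encrypt
    c.key = key
    iv = c.random_iv           # fresh 12-byte IV per encryption
    c.auth_data = ''
    ct = c.update(plaintext) + c.final
    JSON.generate('iv'  => Base64.strict_encode64(iv),
                  'ct'  => Base64.strict_encode64(ct),
                  'tag' => Base64.strict_encode64(c.auth_tag))
  end

  # Decrypt a blob produced by encrypt. Raises OpenSSL::Cipher::CipherError
  # if the ciphertext, IV or tag were modified in the repository.
  def self.decrypt(blob, key)
    h = JSON.parse(blob)
    c = OpenSSL::Cipher.new(CIPHER)
    c.decrypt
    c.key = key
    c.iv = Base64.strict_decode64(h['iv'])
    c.auth_tag = Base64.strict_decode64(h['tag'])
    c.auth_data = ''
    c.update(Base64.strict_decode64(h['ct'])) + c.final
  end

  # Read the master-only key file, refusing one that is group/world readable
  # or not exactly 32 raw bytes.
  def self.load_key(path)
    mode = File.stat(path).mode & 0o077
    raise "key file #{path} must not be group/world accessible" unless mode.zero?
    key = File.binread(path)
    raise "key file #{path} must hold 32 raw bytes" unless key.bytesize == 32
    key
  end

  def self.secret_from_files(blob_path, key_path)
    decrypt(File.read(blob_path), load_key(key_path))
  end
end

# Registration as a Puppet 2.7-style parser function, only when this file is
# loaded by Puppet. Function name and key path are assumptions.
if defined?(Puppet::Parser::Functions)
  Puppet::Parser::Functions.newfunction(:decrypt_secret, :type => :rvalue) do |args|
    SecretStore.secret_from_files(args[0], '/etc/puppet/secret.key')
  end
end

# Stand-alone round trip in a temp dir: generate a key, write a blob that
# could be committed, and decrypt it the way the master would.
def demo
  Dir.mktmpdir do |dir|
    key_path  = File.join(dir, 'secret.key')
    blob_path = File.join(dir, 'db_password.enc')
    File.binwrite(key_path, OpenSSL::Random.random_bytes(32))
    File.chmod(0o600, key_path)
    File.write(blob_path, SecretStore.encrypt('hunter2', SecretStore.load_key(key_path)))
    SecretStore.secret_from_files(blob_path, key_path)
  end
end

puts demo if $PROGRAM_NAME == __FILE__
```

In a manifest this would be used as `$db_password = decrypt_secret('/etc/puppet/secrets/db_password.enc')` and then plugged into the template as any other variable; only the `.enc` file is ever committed.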


Ryan Stewart

Dec 27, 2011, 12:11:54 PM
to Puppet Users
On Dec 23, 11:33 am, Nigel Kersten <ni...@puppetlabs.com> wrote:
> On Thu, Dec 22, 2011 at 12:00 PM, Ryan Stewart <zzant...@gmail.com> wrote:
> > I'm new to Puppet, and I'm a software developer, not a sysadmin, so be
> > gentle. I have puppet managing some files via templates, and one of
> > the template variables that needs to be plugged in is a password of
> > sorts that shouldn't be generally available. In particular, it can't
> > be stored in the manifest, as that's stored in version control, and
> > the password shouldn't be available there. Basically, the only place
> > it's okay for this password to be stored is on the systems that will
> > be using it.
>
> > What would be the "Puppet way" of getting this string into the
> > configuration?
>
> http://www.craigdunn.org/2011/10/secret-variables-in-puppet-with-hier...
>
> Does that help?
>
> I've done this in the past without hiera, where you have a function that
> runs on the master to decrypt the content out of version control, but the
> above makes it pretty simple.
>
That helps a lot, though I had no idea what hiera was before you said
it. Thanks for pointing me in the right direction.

Ryan Stewart

Dec 27, 2011, 6:00:49 PM
to Puppet Users
On Dec 23, 11:33 am, Nigel Kersten <ni...@puppetlabs.com> wrote:
> http://www.craigdunn.org/2011/10/secret-variables-in-puppet-with-hier...
>
> Does that help?
>
> I've done this in the past without hiera, where you have a function that
> runs on the master to decrypt the content out of version control, but the
> above makes it pretty simple.
>
Before jumping into hiera, I was trying to get a feel for extlookup()
with CSV files because it looked pretty simple, but I can't seem to
make it work. I see two different versions of how to configure
extlookup(), so I've tried both this (in my manifest):

$extlookup_datadir = "/etc/puppet/extdata"
$extlookup_precedence = ["common"]

and this (in /etc/puppet/extlookup.yaml):

---
:parser: CSV
:precedence:
  - common
:csv:
  :datadir: /etc/puppet/extdata

The file /etc/puppet/extdata/common.csv contains a single line:
"some_var,some_value". But whatever I try, the following fails:
$some_var = extlookup("some_var")
if $some_var == undef {
  fail("Didn't find var with extlookup")
}

With "--debug --verbose", I don't get any kind of output related to
the lookup. Can someone guide me here? I think I'm missing something
very obvious.
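To make the lookup order in the configuration above concrete, here is a simplified reimplementation of how an extlookup-style CSV lookup resolves a key. This is an added example, not Puppet's own extlookup function: it walks the precedence list in order, interpolates `%{var}` references from the node's scope, reads `<datadir>/<entry>.csv`, and returns the first match, so a host-specific file overrides `common.csv`. The directory, file names, hostnames and values in the demo are constructed for the illustration; the point for a password is that the datadir lives on the master outside the version-controlled module tree.

```ruby
# Added example: extlookup-style CSV precedence lookup. Not Puppet's code.
require 'csv'
require 'tmpdir'

class ExtLookup
  # datadir: directory holding <name>.csv files (kept out of version control)
  # precedence: ordered list of source names, may contain %{var} references
  # scope: hash of variables/facts available for interpolation
  def initialize(datadir, precedence, scope)
    @datadir, @precedence, @scope = datadir, precedence, scope
  end

  # Replace %{name} with the scope value; unknown names are an error rather
  # than silently becoming an empty string.
  def interpolate(str)
    str.gsub(/%\{(\w+)\}/) do
      name = $1
      @scope.fetch(name) { raise "unknown variable #{name}" }
    end
  end

  # First matching key in precedence order wins. Rows with several value
  # columns come back as an array, single-column rows as a string.
  def lookup(key, default = nil)
    @precedence.each do |source|
      path = File.join(@datadir, "#{interpolate(source)}.csv")
      next unless File.file?(path)
      CSV.foreach(path) do |row|
        next if row[0] != key
        vals = row[1..-1].map { |v| interpolate(v.to_s) }
        return vals.size == 1 ? vals.first : vals
      end
    end
    return default unless default.nil?
    raise "No match found for '#{key}' in any data file during extlookup()"
  end
end

# Stand-alone demo with a constructed datadir: one common file and one
# per-host override, looked up from two different nodes.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'common.csv'),
               "db_password,changeme\nsmtp_host,mail.%{domain}\n")
    File.write(File.join(dir, 'db01.example.com.csv'),
               "db_password,s3cret-for-db01\n")
    precedence = ['%{fqdn}', 'common']
    db01 = ExtLookup.new(dir, precedence,
                         'fqdn' => 'db01.example.com', 'domain' => 'example.com')
    web01 = ExtLookup.new(dir, precedence,
                          'fqdn' => 'web01.example.com', 'domain' => 'example.com')
    [db01.lookup('db_password'),          # host override
     web01.lookup('db_password'),         # falls through to common.csv
     web01.lookup('smtp_host'),           # value interpolated from scope
     web01.lookup('missing', 'fallback')] # default when no file has the key
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

With a missing key and no default the lookup fails the compile rather than returning `undef`, which is why a check like `if $some_var == undef` after the call never sees a missing value; the error is raised inside the function.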

Ryan Stewart

Dec 28, 2011, 12:06:11 PM
to Puppet Users
On Dec 27, 5:00 pm, Ryan Stewart <zzant...@gmail.com> wrote:
> Before jumping into hiera, I was trying to get a feel for extlookup()
> with CSV files because it looked pretty simple, but I can't seem to
> make it work.

nm. I figured out what I was doing wrong.

Nigel Kersten

Dec 28, 2011, 12:33:26 PM
to puppet...@googlegroups.com
What was it Ryan? Is there something we could do to improve the docs here?

Dan White

Dec 28, 2011, 1:04:53 PM
to puppet...@googlegroups.com
Please consider sharing your successful configuration with others that might be trying to do the same thing.

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Watterson (Calvin & Hobbes)


Ryan Stewart

Dec 28, 2011, 2:05:33 PM
to Puppet Users
On Dec 28, 11:33 am, Nigel Kersten <ni...@puppetlabs.com> wrote:
> On Wed, Dec 28, 2011 at 9:06 AM, Ryan Stewart <zzant...@gmail.com> wrote:
> > On Dec 27, 5:00 pm, Ryan Stewart <zzant...@gmail.com> wrote:
> > > Before jumping into hiera, I was trying to get a feel for extlookup()
> > > with CSV files because it looked pretty simple, but I can't seem to
> > > make it work.
>
> > nm. I figured out what I was doing wrong.
>
> What was it Ryan? Is there something we could do to improve the docs here?
>
I believe the problem was that I was doing the extlookup() outside of
any class, and I recently converted my puppet project to a module,
which I'm running with "puppet apply -e 'include ...'", which, I
assume, would only run things inside of classes and not other stuff in
the manifests where the classes are. Therefore the lookup was never
being done in the first place, explaining the complete lack of any
debugging information. I'm still trying to feel my way around how
things should be organized, and this had to roll around in my head a
while before I made the connection.

Nigel Kersten

Dec 28, 2011, 8:26:40 PM
to puppet...@googlegroups.com
ahah. Yeah, I've actually been thinking about this usability problem recently.

If you have DSL code outside a class within a .pp file, if you use puppet apply /path/to/my.pp you only evaluate the code outside the class. If you use puppet apply -e 'include myclass' you only evaluate the code inside the class.