hiera-eyaml - masterless puppet


Heinz Kalkhoff

Mar 10, 2015, 5:37:30 PM
to puppet...@googlegroups.com
Is it possible to use hiera-eyaml with a masterless puppet setup (e.g. puppet apply)?  I want to verify before going down this path as I have been unable to find examples using puppet masterless and hiera-eyaml.

Alessandro Franceschi

Mar 11, 2015, 9:30:29 AM
to puppet...@googlegroups.com
Sure you can,
you have to pass the --hiera_config parameter to the puppet apply command (pointing to your hiera.yaml) and you will need the private key used to encrypt keys on every node (this is maybe the only issue with hiera-eyaml in masterless mode).
al

Jeff Adams

Mar 11, 2015, 9:43:02 AM
to puppet...@googlegroups.com
We're using eyaml in our masterless setup as well. We've got our
hiera.yaml in /etc/puppet, so we don't need to specify the
--hiera_config with puppet apply.

True that distributing the private key(s) was an interesting issue to solve.

- Jeff

Heinz Kalkhoff

Mar 11, 2015, 4:05:17 PM
to puppet...@googlegroups.com
Jeff,

I realize you may not want to share the details, but can you share your strategy on management of the private keys in a masterless setup?

Thanks for the reply.

Heinz


Jeff Adams

Mar 11, 2015, 5:04:53 PM
to puppet...@googlegroups.com
We're using a couple of techniques:

We bake them into our system images, and for ad-hoc we have a Rundeck
job that can push the keys onto a host.

Haven't had to rotate the keys yet, but I presume that we'd either use
the ad-hoc technique, or re-spin the system image and re-deploy the
hosts. Since we're moving towards ephemeral/immutable hosts, this works
for us.

Hope that helps.

- Jeff
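The masterless flow the two replies above describe (Alessandro: pass --hiera_config to puppet apply; Jeff: get the private key onto every node, baked into the image or pushed by a job), as an added shell example. This is not code from the thread or from the hiera-eyaml project. The key directory, hiera data directory, hiera.yaml path, hierarchy and site.pp manifest are assumptions, and the hiera.yaml uses the Hiera 1 syntax of the Puppet 3 era in which the thread was written.

```shell
#!/bin/sh
# Added example, not from the thread or the hiera-eyaml project.
# Assumed layout (not stated in the thread): keys under /etc/puppet/secure/keys,
# hiera data under /etc/puppet/hieradata, hiera.yaml at /etc/puppet/hiera.yaml.
set -eu

KEYDIR="${KEYDIR:-/etc/puppet/secure/keys}"
HIERA_CONFIG="${HIERA_CONFIG:-/etc/puppet/hiera.yaml}"

# File mode as octal digits; GNU stat first, BSD stat as a fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# On a masterless node the pkcs7 private key is the whole secret: anything
# that can read it can decrypt every eyaml value in the hierarchy. Refuse to
# run unless the key is owner-read-only (0400 or 0600).
check_private_key() {
    key="$1"
    [ -f "$key" ] || { echo "missing private key: $key" >&2; return 1; }
    mode=$(file_mode "$key")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "private key $key has mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac
}

# Install a key pair that was pushed to the host (or staged in the image)
# with tight modes. puppet apply runs as root, so nobody else needs to
# traverse the key directory.
install_keys() {
    src_dir="$1"; dest_dir="$2"
    mkdir -p "$dest_dir"
    chmod 0700 "$dest_dir"
    install -m 0600 "$src_dir/private_key.pkcs7.pem" "$dest_dir/private_key.pkcs7.pem"
    install -m 0644 "$src_dir/public_key.pkcs7.pem"  "$dest_dir/public_key.pkcs7.pem"
}

# Write a Hiera 1 hiera.yaml that enables the eyaml backend ahead of plain
# yaml and points it at the installed keys. The hierarchy is an assumption.
write_hiera_config() {
    cfg="$1"; keydir="$2"; datadir="$3"
    cat > "$cfg" <<EOF
---
:backends:
  - eyaml
  - yaml
:hierarchy:
  - "nodes/%{::fqdn}"
  - common
:yaml:
  :datadir: $datadir
:eyaml:
  :datadir: $datadir
  :extension: 'eyaml'
  :pkcs7_private_key: $keydir/private_key.pkcs7.pem
  :pkcs7_public_key: $keydir/public_key.pkcs7.pem
EOF
}

# Masterless run: --hiera_config is passed explicitly so the run does not
# depend on hiera.yaml sitting in puppet's default config directory.
run_masterless() {
    manifest="$1"
    check_private_key "$KEYDIR/private_key.pkcs7.pem"
    puppet apply --hiera_config "$HIERA_CONFIG" "$manifest"
}
```

The permission check is the part worth keeping: whichever distribution path the key takes (image bake or ad-hoc push), the file mode and ownership on the node are the only access control left on the decryption key, so the run should fail closed if they are wrong rather than silently decrypt with a world-readable key. Rotation under this layout is a fresh key pair, re-encrypted eyaml data, and either a re-push or, as Jeff describes, a re-spun image.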

Louis Mayorga

Oct 15, 2015, 1:51:15 PM
to Puppet Users
Wondering if Windows 2015.2 supports it. Of course, in a masterless setup.

Nathan Jones

Oct 4, 2016, 9:01:48 AM
to Puppet Users
hiera-eyaml-kms is a good solution that uses AWS KMS to manage encryption keys. EC2 instances can be provisioned with an IAM instance profile that grants access to the required keys.
