PuppetDB / hiera and Sensitive() questions


Denny Fuchs

May 5, 2017, 10:35:14 AM
to Puppet Users
Hello,

  • Puppet: node: 3.7.2-4 / puppet server: 2.7.2-1puppetlabs1 / puppetdb: 4.4.0-1puppetlabs1
  • Distribution: Debian Jessie
  • Module version: latest


I have some questions about the Sensitive() function:

I've rewritten my config to something like this:

class profile::grafana::base (
...
  $grafana_database_password = Sensitive(hiera('monitoring::grafana::database::password')),
...
)
{
...
  $database_cfg = {
    database => {
      type     => 'mysql',
      host     => "${database_server}:3306",
      name     => "$grafana_database",
      user     => "$grafana_database_user",
      password => $grafana_database_password.unwrap,
    }
  }
....


The first question is: Is that correct?

I found the password in cleartext in the PuppetDB, but I don't know if I have to clear the database first to get rid of all the sensitive values, or if PuppetDB removes the passwords automatically after some time.

The second question is: What does a plain hieradata line look like that tells Puppet it is a sensitive value?

For example:

icinga2::feature::idomysql::password: "%{hiera('monitoring::icinga::mysql_password')}"
icinga2::feature::idomysql::database: "%{hiera('monitoring::icinga::mysql_db')}"


The password itself is stored in hiera-eyaml, but I don't want to find it in the PuppetDB or logs.

Should I ask the module maintainer to support it, or is it possible to do it on my own?
 

cu denny
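
A check for the situation described in the post above (a password showing up in cleartext in PuppetDB), as an added example that is not part of the original message: it walks the resources of an exported catalog and reports every parameter whose value contains a known secret. The catalog layout (`resources` entries with `type`, `title`, `parameters`), the resource names and the secret value are constructed assumptions.

```python
import json

# Constructed sample. The shape of each resource entry (type/title/parameters)
# is an assumption modelled on a compiled catalog; every value is made up.
SAMPLE_CATALOG = json.loads("""
{
  "resources": [
    {"type": "Class", "title": "Grafana",
     "parameters": {"cfg": {"database": {"type": "mysql",
                                         "host": "db.example.test:3306",
                                         "user": "grafana",
                                         "password": "S3cr3t-constructed"}}}},
    {"type": "File", "title": "/etc/grafana/grafana.ini",
     "parameters": {"mode": "0640", "content": "password = S3cr3t-constructed\\n"}},
    {"type": "Package", "title": "grafana", "parameters": {"ensure": "present"}}
  ]
}
""")


def walk(value, path=()):
    """Yield (path, leaf) for every scalar nested inside dicts and lists."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from walk(child, path + (str(key),))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from walk(child, path + (str(index),))
    else:
        yield path, value


def find_cleartext(catalog, secrets):
    """Return sorted (resource, parameter path) pairs whose value contains a secret."""
    secrets = [s for s in secrets if s]  # an empty string would match everything
    hits = set()
    for res in catalog.get("resources", []):
        ref = f"{res['type']}[{res['title']}]"
        for path, leaf in walk(res.get("parameters", {})):
            if isinstance(leaf, str) and any(s in leaf for s in secrets):
                hits.add((ref, ".".join(path)))
    return sorted(hits)


if __name__ == "__main__":
    for ref, param in find_cleartext(SAMPLE_CATALOG, ["S3cr3t-constructed"]):
        print(f"cleartext secret in {ref} parameter {param}")
```

The same function can be pointed at a real catalog export; the secret list should be read from a protected source rather than typed on the command line.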