Re: [Puppet Users] Encrypt Passwords in Manifests

Wed, 03 Apr 2013 15:43:43 -0700 

Hello!

On 03.04.2013 17:18, jim wrote:

Hello all
I mainly use Puppet for managing windows hosts, and what to know they best way to either encrypt passwords in manifests or where to store them so they are encrypted and reference them as in a variable etc ? (if that makes sense) 

e.g.

class roles::base::users {
user { 'Administrator':
ensure                 => present,
password               => 'Please_hide_me;01',
}
I'm using extlookup [1] mechanism to store global constants (such as URL's or usernames) and passwords in CSV files on Puppet master. It allows to specify set of files from which configuration should be read and allows to store in version control system template file for passwords and actual passwords store only on production server. Example of extlookup usage you can find here: https://github.com/catlee/puppet 

In site.pp they specify CSV files from which constants should be read [2]:

  $extlookup_datadir = "$settings::manifestdir/extlookup"
$extlookup_precedence = ["local-config", "default-config", "secrets", "secrets-template"] 

In version control system the store only template file for passwords [3]:

  root_pw_hash,""
  root_pw_pbkdf2,""
  root_pw_pbkdf2_salt,""
  root_pw_pbkdf2_iterations,""
  ...

Actual secrets file is secrets.csv, which is not in version control system.

[1] http://www.devco.net/archives/2009/08/31/complex_data_and_puppet.php
[2] https://github.com/catlee/puppet/blob/master/manifests/site.pp
[3] https://github.com/catlee/puppet/blob/master/manifests/extlookup/secrets-template.csv 



regards

James
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. 
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.




--
Vladimir Rutsky

--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to