Re: [Puppet Users] Looking up the value defined in the hiera.yaml

2020-12-06 Thread Go Iwai
Hello Martin,

Thank you for letting me know of another way.

Yes - using the content property within the file resource and
interpolating from hiera could be another option for what I want to do.
However, I want to change the content property for each hostname, which
means every host has individual content. In that context, I have to
create a very long hiera like:

xxx::zzz:
  host-1: >
    ENC[...snip #
  host-2: >
    ENC[...snip #
...snip

...then lookup(xxx::zzz.%{facts.fqdn}). # this violates in puppet

Instead, using eyaml in the exec resource like below is a slightly
easier way to write:

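exec { '/path/to/decrypted':
  # Double-quoted string so that the fqdn fact is interpolated into the path
  command => "eyaml decrypt --file=/path/to/${facts['fqdn']}/encrypted > /path/to/decrypted",
  # eyaml resolves ./keys/ relative to the working directory
  cwd     => '/path/to/dir/to/keys',
  # ...snip
}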

Thank you very much for your help.

Kind regards,
Go
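
Added example, not from any of the posters: one way to give every host its own encrypted content without a long per-host hash is a per-node hierarchy level, so the same key xxx::zzz::content resolves to a different eyaml value on each node. The datadir name, the file names and the host names are assumptions, the ciphertexts are placeholders, and trusted.certname is used instead of facts.fqdn because it comes from the agent's certificate rather than from self-reported facts.

```yaml
# File: hiera.yaml (environment layer). The datadir name is an assumption.
---
version: 5
defaults:
  datadir: data
  lookup_key: eyaml_lookup_key
  options:
    pkcs7_private_key: /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
    pkcs7_public_key: /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
hierarchy:
  # Most specific level first: one file per node, named after its certificate.
  - name: "Per-node secrets"
    path: "nodes/%{trusted.certname}.eyaml"
  - name: "Common"
    path: "common.eyaml"

# File: data/nodes/host-1.example.com.eyaml (constructed host name)
---
xxx::zzz::content: >
  ENC[PKCS7,PLACEHOLDER_CIPHERTEXT_FOR_HOST_1]

# File: data/nodes/host-2.example.com.eyaml (constructed host name)
---
xxx::zzz::content: >
  ENC[PKCS7,PLACEHOLDER_CIPHERTEXT_FOR_HOST_2]

# File: data/common.eyaml
---
# Wrap the decrypted value so that it is redacted in logs and reports.
# The class parameter must then be declared as Sensitive[String].
lookup_options:
  xxx::zzz::content:
    convert_to: "Sensitive"
```

With this layout, including the class needs no lookup() call: automatic parameter lookup resolves xxx::zzz::content from the compiling node's own file. Decryption happens on the Puppet server during catalog compilation, so agents need neither eyaml nor the private key.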

On Tue, Dec 1, 2020 at 3:44 AM Martin Alfke  wrote:
>
> Hi Go,
>
> > On 24. Nov 2020, at 00:06, Go Iwai  wrote:
> >
> > Hello Dirk,
> >
> > Thank you for replying to the mail. However, your code doesn't work for the 
> > resource of exec like below:
> >
> > exec { '/path/to/decrypted-file':
> >   command => 'eyaml decrypt --file=/path/to/encrypted-file > /path/to/decrypted-file',
> >   # ...snip
> > }
>
> You want to create a file based on eyaml encrypted content.
> That means that you must ensure that eyaml is installed on any system which 
> receives the exec resource.
>
> A better solution is to use class parameters:
>
> class xxx::zzz (
>   String $content,
> ){
>   file { '/path/to/decrypted-file':
>     ensure  => file,
>     content => $content,
>   }
> }
>
> And then have the encrypted file content in hiera:
>
> xxx::zzz::content: >
>   ENC[PKCS7,...snip]
>
> hth,
> Martin
>
> >
> > This generates a notice like:
> >
> > Notice: /Stage[main]/xxx::zzz/Exec[/path/to/decrypted-file]/returns: 
> > [hiera-eyaml-core] No such file or directory @ rb_sysopen - 
> > ./keys/private_key.pkcs7.pem
> >
> > I can work around this if I give the directory where the keys are located to 
> > the cwd attribute, like:
> >
> > cwd => '/etc/puppetlabs/code',
> > # pkcs7_private_key: '/etc/puppetlabs/code/keys/private_key.pkcs7.pem'
> > # pkcs7_public_key: '/etc/puppetlabs/code/keys/public_key.pkcs7.pem'
> >
> > I would be grateful for any further advice.
> >
> > Kind regards,
> > Go
> >
> > Tuesday, November 24, 2020 0:55:31 UTC+9 Dirk Heinrichs:
> > On Monday, 23.11.2020, 15:23 +0900, Go Iwai wrote:
> >
> >> It looks more natural if I could rewrite this line above like below:
> >>
> >> eyaml decrypt --file=encrypted-file
> >> --pkcs7-public-key=%{pkcs7_public_key}
> >> --pkcs7-private-key=%{pkcs7_private_key}
> >
> > I don't think you need to specify these options at all if everything is 
> > configured correctly. I have the following hiera.yaml in my Puppet 
> > environments:
> >
> > ---
> > version: 5
> > defaults:
> >   datadir: hiera
> >   lookup_key: eyaml_lookup_key
> > hierarchy:
> >   - name: Main
> >     options:
> >       pkcs7_private_key: '/etc/puppetlabs/code/keys/private_key.pkcs7.pem'
> >       pkcs7_public_key: '/etc/puppetlabs/code/keys/public_key.pkcs7.pem'
> >     paths:
> >       - ...
> >       - common.yaml
> >
> > With this in place I can simply type "eyaml edit common.yaml" or "eyaml 
> > encrypt -s 'something'", w/o specifying the keys every time.
> >
> > HTH...
> >
> > Dirk

Re: [Puppet Users] Looking up the value defined in the hiera.yaml

2020-11-30 Thread Martin Alfke
Hi Go,

> On 24. Nov 2020, at 00:06, Go Iwai  wrote:
> 
> Hello Dirk,
> 
> Thank you for replying to the mail. However, your code doesn't work for the 
> resource of exec like below:
> 
> exec { '/path/to/decrypted-file':
>   command => 'eyaml decrypt --file=/path/to/encrypted-file > /path/to/decrypted-file',
>   # ...snip
> }

You want to create a file based on eyaml encrypted content.
That means that you must ensure that eyaml is installed on any system which 
receives the exec resource.

A better solution is to use class parameters:

class xxx::zzz (
  String $content,
){
  file { '/path/to/decrypted-file':
    ensure  => file,
    content => $content,
  }
}

And then have the encrypted file content in hiera:

xxx::zzz::content: >
  ENC[PKCS7,...snip]

hth,
Martin

> 
> This generates a notice like:
> 
> Notice: /Stage[main]/xxx::zzz/Exec[/path/to/decrypted-file]/returns: 
> [hiera-eyaml-core] No such file or directory @ rb_sysopen - 
> ./keys/private_key.pkcs7.pem
> 
> I can work around this if I give the directory where the keys are located to 
> the cwd attribute, like:
> 
> cwd => '/etc/puppetlabs/code',
> # pkcs7_private_key: '/etc/puppetlabs/code/keys/private_key.pkcs7.pem'
> # pkcs7_public_key: '/etc/puppetlabs/code/keys/public_key.pkcs7.pem'
> 
> I would be grateful for any further advice.
> 
> Kind regards,
> Go
> 
> Tuesday, November 24, 2020 0:55:31 UTC+9 Dirk Heinrichs:
> On Monday, 23.11.2020, 15:23 +0900, Go Iwai wrote:
> 
>> It looks more natural if I could rewrite this line above like below:
>> 
>> eyaml decrypt --file=encrypted-file
>> --pkcs7-public-key=%{pkcs7_public_key}
>> --pkcs7-private-key=%{pkcs7_private_key}
> 
> I don't think you need to specify these options at all if everything is 
> configured correctly. I have the following hiera.yaml in my Puppet 
> environments:
> 
> ---
> version: 5
> defaults:
>   datadir: hiera
>   lookup_key: eyaml_lookup_key
> hierarchy:
>   - name: Main
>     options:
>       pkcs7_private_key: '/etc/puppetlabs/code/keys/private_key.pkcs7.pem'
>       pkcs7_public_key: '/etc/puppetlabs/code/keys/public_key.pkcs7.pem'
>     paths:
>       - ...
>       - common.yaml
> 
> With this in place I can simply type "eyaml edit common.yaml" or "eyaml 
> encrypt -s 'something'", w/o specifying the keys every time.
> 
> HTH...
> 
> Dirk

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/A4F93322-D105-4219-9436-9DDB152DC4B8%40gmail.com.


Re: [Puppet Users] Looking up the value defined in the hiera.yaml

2020-11-30 Thread Go Iwai
Hello Dirk,

Thank you for replying to the mail. However, your code doesn't work for the 
resource of exec like below:

exec { '/path/to/decrypted-file':
  command => 'eyaml decrypt --file=/path/to/encrypted-file > /path/to/decrypted-file',
  # ...snip
}

This generates a notice like:

Notice: /Stage[main]/xxx::zzz/Exec[/path/to/decrypted-file]/returns: 
[hiera-eyaml-core] No such file or directory @ rb_sysopen - 
./keys/private_key.pkcs7.pem

I can work around this if I give the directory where the keys are located to 
the cwd attribute, like:

cwd => '/etc/puppetlabs/code',
# pkcs7_private_key: '/etc/puppetlabs/code/keys/private_key.pkcs7.pem'
# pkcs7_public_key: '/etc/puppetlabs/code/keys/public_key.pkcs7.pem'

I would be grateful for any further advice.

Kind regards,
Go

Tuesday, November 24, 2020 0:55:31 UTC+9 Dirk Heinrichs:

> On Monday, 23.11.2020, 15:23 +0900, Go Iwai wrote:
>
> It looks more natural if I could rewrite this line above like below:
>
> eyaml decrypt --file=encrypted-file
> --pkcs7-public-key=%{pkcs7_public_key}
> --pkcs7-private-key=%{pkcs7_private_key}
>
>
> I don't think you need to specify these options at all if everything is 
> configured correctly. I have the following hiera.yaml in my Puppet 
> environments:
>
> ---
> version: 5
> defaults:
>   datadir: hiera
>   lookup_key: eyaml_lookup_key
> hierarchy:
>   - name: Main
>     options:
>       pkcs7_private_key: '/etc/puppetlabs/code/keys/private_key.pkcs7.pem'
>       pkcs7_public_key: '/etc/puppetlabs/code/keys/public_key.pkcs7.pem'
>     paths:
>       - ...
>       - common.yaml
>
> With this in place I can simply type "eyaml edit common.yaml" or "eyaml 
> encrypt -s 'something'", w/o specifying the keys every time.
>
> HTH...
>
> Dirk



Re: [Puppet Users] Looking up the value defined in the hiera.yaml

2020-11-23 Thread 'Dirk Heinrichs' via Puppet Users
On Monday, 23.11.2020, 15:23 +0900, Go Iwai wrote:

> It looks more natural if I could rewrite this line above like below:
> 
> eyaml decrypt --file=encrypted-file
> --pkcs7-public-key=%{pkcs7_public_key}
> --pkcs7-private-key=%{pkcs7_private_key}

I don't think you need to specify these options at all if everything is
configured correctly. I have the following hiera.yaml in my Puppet
environments:

---
version: 5
defaults:
  datadir: hiera
  lookup_key: eyaml_lookup_key
hierarchy:
  - name: Main
    options:
      pkcs7_private_key: '/etc/puppetlabs/code/keys/private_key.pkcs7.pem'
      pkcs7_public_key: '/etc/puppetlabs/code/keys/public_key.pkcs7.pem'
    paths:
      - ...
      - common.yaml

With this in place I can simply type "eyaml edit common.yaml" or "eyaml
encrypt -s 'something'", w/o specifying the keys every time.

HTH...

Dirk
-- 
Dirk Heinrichs
Senior Systems Engineer, Delivery Pipeline
OpenText ™ Discovery | Recommind
Phone: +49 2226 15966 18
Email: dheinric@opentext.com
Website: www.recommind.de
Recommind GmbH, Von-Liebig-Straße 1, 53359 Rheinbach
Managing directors authorized to represent the company: Gordon Davies, Madhu Ranganathan, Christian Waida. Court of registration: Amtsgericht Bonn, registration number HRB 10646





[Puppet Users] Looking up the value defined in the hiera.yaml

2020-11-23 Thread Go Iwai
Hello,

I am writing this to ask you if/how I can look up values defined in the
hiera.yaml.

My hiera.yaml looks like:

hierarchy:
  - name: "sensitive data"
    lookup_key: eyaml_lookup_key
    path: sensitive.eyaml
    options:
      pkcs7_public_key: /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
      pkcs7_private_key: /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem

I would like to look up the location of the keys from the yaml file,
because I need to decrypt some files like:

eyaml decrypt --file=encrypted-file
--pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
--pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem

It looks more natural if I could rewrite this line above like below:

eyaml decrypt --file=encrypted-file
--pkcs7-public-key=%{pkcs7_public_key}
--pkcs7-private-key=%{pkcs7_private_key}

Please let me know if there is any way to realise this. I would
appreciate it very much if anybody could give me advice or a suggestion.

Kind regards,
Go
