
How to create secured files in Puppet5 with Hiera?

I want to create SSL certificate and try to secure this operation. I am using Puppet 5.5.2 and gem hiera-eyaml.

Created a simple manifest

cat /etc/puppetlabs/code/environments/production/manifests/site.pp

package { 'tree':
  ensure => installed,
}
package { 'httpd':
  ensure => installed,
}
$filecrt = lookup('files')
create_resources( 'file', $filecrt )

Hiera config

---
version: 5
defaults:
  # The default value for "datadir" is "data" under the same directory as the hiera.yaml
  # file (this file)
  # When specifying a datadir, make sure the directory exists.
  # See https://puppet.com/docs/puppet/latest/environments_about.html for further details on environments.
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Secret data: per-node, per-datacenter, common"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "nodes/%{facts.fqdn}.eyaml"
      - "nodes/%{trusted.certname}.eyaml"  # Include explicit file extension
      - "location/%{facts.whereami}.eyaml"
      - "common.eyaml"
    options:
      pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem
      pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/keys/public_key.pkcs7.pem
  - name: "YAML hierarchy levels"
    paths:
      - "common.yaml"
      - "nodes/%{facts.fqdn}.yaml"
      - "nodes/%{::trusted.certname}.yaml"

And common.yaml

---
files:
'/etc/httpd/conf/server.crt':
ensure: present
mode: '0600'
owner: 'root'
group: 'root'
content: 'ENC[PKCS7,{LOT_OF_STRING_SKIPPED}+uaCmcHgDAzsPD51soM+AIkIlv0ANpUXzBpwM3tqQ3ysFtz81S0xuVbKvslK]'

But I have an error while applying the manifest

Error: Evaluation Error: Error while evaluating a Function Call, create_resources(): second argument must be a hash (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 12, column: 1) on node test1.com

I really don't know what to do )

The problem appears to be that the indentation in common.yaml isn't right - currently, file will be null rather than a hash, which explains the error message. Also, the file should be called common.eyaml, otherwise the ENC string won't be decrypted. Try

---
files:
  '/etc/httpd/conf/server.crt':
    ensure: present
    mode: '0600'
    owner: 'root'
    group: 'root'
    content: 'ENC[PKCS7,{LOTS_OF_STRING_SKIPPED}UXzBpwM3tqQ3ysFtz81S0xuVbKvslK]'

There is an online YAML parser at http://yaml-online-parser.appspot.com/ if you want to see the difference the indentation makes.
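As an added example (not code from the question, the answer or the hiera-eyaml gem), the Ruby check below parses a Hiera data file with the same YAML library Puppet uses and reports the two problems the answer describes: `files` parsing as null instead of a hash, and an ENC[...] value sitting in a file that the eyaml_lookup_key level never reads. Both documents and the ENC placeholder are constructed.

```ruby
require 'yaml'

# Constructed sample: the common.yaml from the question. Every key sits at the
# same indent, so YAML reads `files` as null and the attributes as top-level keys.
BROKEN_COMMON = <<~YAML
  ---
  files:
  '/etc/httpd/conf/server.crt':
  ensure: present
  mode: '0600'
  owner: 'root'
  group: 'root'
  content: 'ENC[PKCS7,EXAMPLE_PLACEHOLDER_NOT_REAL_CIPHERTEXT]'
YAML

# Constructed sample: the same data nested as the answer suggests.
FIXED_COMMON = <<~YAML
  ---
  files:
    '/etc/httpd/conf/server.crt':
      ensure: present
      mode: '0600'
      owner: 'root'
      group: 'root'
      content: 'ENC[PKCS7,EXAMPLE_PLACEHOLDER_NOT_REAL_CIPHERTEXT]'
YAML

# Parses one Hiera data file and returns the problems create_resources('file', ...)
# or the eyaml backend would hit. An empty array means the file is usable.
def check_files_data(yaml_text, filename)
  problems = []
  files = (YAML.safe_load(yaml_text) || {})['files']
  unless files.is_a?(Hash)
    return ["'files' parsed as #{files.inspect} (#{files.class}), not a Hash; " \
            'create_resources() needs a hash as its second argument']
  end
  files.each do |path, attrs|
    unless attrs.is_a?(Hash)
      problems << "#{path}: attributes parsed as #{attrs.inspect}, not a Hash"
      next
    end
    # ENC[...] is only decrypted for paths the eyaml_lookup_key level lists (*.eyaml above).
    if attrs['content'].to_s.start_with?('ENC[') && !filename.end_with?('.eyaml')
      problems << "#{path}: encrypted content in #{filename} stays as the literal " \
                  'ENC[...] string; put it in an .eyaml file'
    end
  end
  problems
end
```

Run `check_files_data(BROKEN_COMMON, 'common.yaml')` to see the first problem and `check_files_data(FIXED_COMMON, 'common.eyaml')` to confirm the corrected file passes.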

Found another solution.

It was a problem with lookup and hashes. When I have multiple lines in a Hiera hash, I must specify them: https://docs.puppet.com/puppet/4.5/function.html#lookup

So I decided to use only the 'content' variable for the lookup

cat site.pp
$filecrt = lookup('files')

file { 'server.crt':
  ensure  => present,
  path    => '/etc/httpd/conf/server.crt',
  content => $filecrt,
  owner   => 'root',
  group   => 'root',
  mode    => '0600',
}

and Hiera

---
files: 'ENC[PKCS7,{LOT_OF_STRING_SKIPPED}+uaCmcHgDAzsPD51soM+AIkIlv0ANpUXzBpwM3tqQ3ysFtz81S0xuVbKvslK]'
