Confirmed users
198
edits
ReleaseEngineering/PuppetAgain/Secrets: Difference between revisions
ReleaseEngineering/PuppetAgain/Secrets (view source)
Revision as of 17:02, 5 October 2016
, 5 October 2016Move checks in their own section. Added a help subsection related to secret() and non-decrypted values
(→Using EYAML: Add subsections to highlight strings vs files) |
(Move checks in their own section. Added a help subsection related to secret() and non-decrypted values) |
||
| Line 37: | Line 37: | ||
--output examples --password -l 'foo' | --output examples --password -l 'foo' | ||
where 'foo' is the name of the variable to set. It will prompt for the password to encrypt. The output will go to stdout, in 2 formats (all one line, multiline). Copy/paste whichever result format you prefer into `/etc/hiera/secrets.eyaml` or into your own `/etc/hiera/environments/<username>_secrets.eyaml`. | where 'foo' is the name of the variable to set. It will prompt for the password to encrypt. The output will go to stdout, in 2 formats (all one line, multiline). Copy/paste whichever result format you prefer into `/etc/hiera/secrets.eyaml` or into your own `/etc/hiera/environments/<username>_secrets.eyaml`. | ||
=== Encrypt files (e.g. private keys) === | === Encrypt files (e.g. private keys) === | ||
| Line 49: | Line 47: | ||
and update `/etc/hiera/secrets.eyaml` accordingly as per instructions above. | and update `/etc/hiera/secrets.eyaml` accordingly as per instructions above. | ||
=== Check your YAML files === | |||
==== YAML Syntax ==== | |||
Double-check your work before saving -- if this file can't be parsed as valid yaml, all puppet runs will fail. A python one line syntax checker is: | |||
python -c "import yaml; f=open('secrets.eyaml','r'); yaml.load(f)" && echo "pass" || echo "FAIL" | |||
When in doubt, run `eyaml --help` or `eyaml encrpyt --help`. | When in doubt, run `eyaml --help` or `eyaml encrpyt --help`. | ||
==== Secret values ==== | |||
To check the value of a secret, use 'hiera': | To check the value of a secret, use 'hiera': | ||
| Line 59: | Line 65: | ||
hiera root_pw_saltedsha512 environment='<username>' | hiera root_pw_saltedsha512 environment='<username>' | ||
==== Help! secret() does not interpret my secret ==== | |||
Sometimes, secret() (or function_secret()) may return the raw value, instead of the decrypted one. This is very likely because of a bad copy and paste. In order to verify this, run the hiera command detailed in the section above. If the non-decrypted value is still returned, paste the encrypted value again. Some characters (like the closing ]) may be missing. | |||
== User Environments == | == User Environments == | ||