Controls/gitea-pages
0
2
Fork 0
Code Pull Requests Actions Activity
Files
2210e27cfded1bdb07674ca10c0ae394fcbff6e9
gitea-pages/admin-guide/puppet/hiera.md

4.6 KiB
Raw Blame History

Hiera

Please refer to here <https://docs.puppet.com/hiera/>_ for a general Hiera introduction.

Our current hierarchy has seven levels (first will be considered first during value lookup):

  • nodes (FQDN)
  • subgroup (optional, puppet_subgroup attribute in sysdb)
  • group (puppet_group attribute in sysdb)
  • sysdb environments
  • Puppet server specific
  • global
  • common

The first four layers can be edited by the admin in the respective hiera git repository. The common layer (default values) and the server specific layer (differences between test and prod) are part of the Puppet code repository. Finally the global layer contains a few configurations which are managed by the Core Linux Group outside of the normal Puppet release process, eg. for license management.

The values can be stored as classical YAML values or with encrypted yaml for secrets.

The filesystem structure is as follows (the last 3 cannot be controlled by a common admin):

  1. %{::sysdb_env}/%{::group}/%{::fqdn}.yaml or %{::sysdb_env}/%{::group}/%{::subgroup}/%{::fqdn}.yaml

  2. %{::sysdb_env}/%{::group}/%{::subgroup}.yaml

  3. %{::sysdb_env}/%{::group}.yaml

  4. %{::sysdb_env}/%{::sysdb_env}.yaml

  5. %{::environment}/data/server_%{server_facts.servername}.yaml

  6. /srv/puppet/data/global/global.yaml

  7. %{::environment}/data/common.yaml

Depending if a subgroup is defined, the node specific YAML is at a different level in the filesysystem hierarchy.

The %{variable} notation is hiera specific.

Repositories

Hiera data are organized in different repositories. These repositories are located at: https://git.psi.ch/linux-infra/hiera

Each sysdb environment has a dedicated hiera repository, called data-<sydbenv>, eg. data-hpc. The first 4 levels of the filesystem structure shown before are actually the files inside this kind of repositories.

Any change to the repo will automatically trigger a redeployment of the new version of its content on the puppet master within a few seconds from the push.

Configuration

Secrets

Secrets and clear-text values can be mixed inside the same yaml file, eg.::

ntp_client::servers:
  - pstime1.psi.ch
  - pstime2.psi.ch
  - pstime3.psi.ch

secret_key: ENC[PKCS7,MIIBiQYJKoZIhvcNA...AMA==]

The encrypted values can be decrypted transparently from Hiera (on a host having the proper hiera key):

[root]# hiera secret_key
this is a secret value

You can edit secure data inside any yaml file with the command /opt/puppetlabs/puppet/bin/eyaml edit common.yaml. In this case secure data will appear in clear-text inside the editor.

Encrypt Data

To encrypting data you have to use the public key from your Hiera (data-*) git repository named eyaml_public_key.pem

For the lower layers (global, server or data) it is on the Puppet server at /etc/puppetlabs/keys/eyaml/public_key.pkcs7.pem.

Beside this key you also need to have hiera-eyaml tool installed on your system.

eyaml encrypt --pkcs7-public-key=eyaml_public_key.pem -s secret_string

While a complete file can be encrypted with:

eyaml encrypt --pkcs7-public-key=eyaml_public_key.pem -f secret_file

Example

To encrypting password for a system you can go about like this:

# openssl passwd -6 | eyaml encrypt --pkcs7-public-key=eyaml_public_key.pem --stdin
Password: 
Verifying - Password: 
string: ENC[PKCS7,MIIBxxxxxxxx...xxxxxxxx]

OR

block: >
  ENC[PKCS7,MIIBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  ...
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
#

and place either the string or the block at the required place in your Hiera YAML.

Hiera Variable Interpolation

Within Hiera also variable interpolation might be use to include other Hiera keys or facts, etc. into the values. For details check out the Puppet documentation

As such an interpolation starts with %{, some key or file content (especially in Apache configuration) might be interpreted as variable interpolation and result in some part of the text disappear. Or it might simply the puppet run with Syntax error in string if Puppet fails to parse what it considers an interpolation. To escape a % you can write %{literal('%')} instead.

View Git Blame Copy Permalink