Controls/gitea-pages
0
2
Fork 0
Code Pull Requests Actions Activity
Files
cdcc025dbd4c2f4288505ffec4e2bfcffe7cc9af
gitea-pages/admin-guide/puppet/hiera.md
T

117 lines
4.6 KiB
Markdown
Raw Blame History

# Hiera
Please refer to `here <https://docs.puppet.com/hiera/>`_ for a general Hiera
introduction.
Our current hierarchy has seven levels (first will be considered first
during value lookup):
- nodes (FQDN)
- subgroup (optional, ``puppet_subgroup`` attribute in sysdb)
- group (``puppet_group`` attribute in sysdb)
- sysdb environments
- Puppet server specific
- global
- common
The first four layers can be edited by the admin in the respective hiera git repository. The common layer (default values) and the server specific layer (differences between test and prod) are part of the Puppet code repository. Finally the global layer contains a few configurations which are managed by the Core Linux Group outside of the normal Puppet release process, eg. for license management.
The values can be stored as classical YAML values or with [encrypted yaml](https://github.com/TomPoulton/hiera-eyaml) for secrets.
The filesystem structure is as follows (the last 3 cannot be controlled by a common admin):
1. ``%{::sysdb_env}/%{::group}/%{::fqdn}.yaml`` or ``%{::sysdb_env}/%{::group}/%{::subgroup}/%{::fqdn}.yaml``
2. ``%{::sysdb_env}/%{::group}/%{::subgroup}.yaml``
3. ``%{::sysdb_env}/%{::group}.yaml``
4. ``%{::sysdb_env}/%{::sysdb_env}.yaml``
5. ``%{::environment}/data/server_%{server_facts.servername}.yaml``
6. ``/srv/puppet/data/global/global.yaml``
7. ``%{::environment}/data/common.yaml``
Depending if a subgroup is defined, the node specific YAML is at a different level in the filesysystem hierarchy.
The ``%{variable}`` notation is hiera specific.
## Repositories
Hiera data are organized in different repositories. These repositories are located at: https://git.psi.ch/linux-infra/hiera
Each __sysdb environment__ has a dedicated hiera repository, called ``data-<sydbenv>``, eg. [data-hpc]( https://git.psi.ch/linux-infra/hiera/data-hpc).
The first 4 levels of the filesystem structure shown before are actually the files inside this kind of repositories.
Any change to the repo will automatically trigger a redeployment of the new version of its content on the puppet master within a few seconds from the push.
## Configuration
### Secrets
Secrets and clear-text values can be mixed inside the same yaml file, eg.::
```yaml
ntp_client::servers:
- pstime1.psi.ch
- pstime2.psi.ch
- pstime3.psi.ch
secret_key: ENC[PKCS7,MIIBiQYJKoZIhvcNA...AMA==]
```
The encrypted values can be decrypted transparently from Hiera (on a host having the proper hiera key):
```bash
[root]# hiera secret_key
this is a secret value
```
You can edit secure data inside any yaml file with the command `/opt/puppetlabs/puppet/bin/eyaml edit common.yaml`. In this case secure data will appear in clear-text inside the editor.
### Encrypt Data
To encrypting data you have to use the public key from your Hiera (`data-*`) git repository named `eyaml_public_key.pem`
For the lower layers (global, server or data) it is on the Puppet server at [`/etc/puppetlabs/keys/eyaml/public_key.pkcs7.pem`](https://git.psi.ch/linux-infra/bootstrap/-/blob/prod/instcode/puppet/puppet_server/files/crypto/public_key.pkcs7.pem).
Beside this key you also need to have `hiera-eyaml` tool installed on your system.
```bash
eyaml encrypt --pkcs7-public-key=eyaml_public_key.pem -s secret_string
```
While a complete file can be encrypted with:
```bash
eyaml encrypt --pkcs7-public-key=eyaml_public_key.pem -f secret_file
```
#### Example
To encrypting password for a system you can go about like this:
```bash
# openssl passwd -6 | eyaml encrypt --pkcs7-public-key=eyaml_public_key.pem --stdin
Password:
Verifying - Password:
string: ENC[PKCS7,MIIBxxxxxxxx...xxxxxxxx]
OR
block: >
ENC[PKCS7,MIIBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
...
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
#
```
and place either the string or the block at the required place in your Hiera YAML.
# Hiera Variable Interpolation
Within Hiera also variable interpolation might be use to include other Hiera keys or facts, etc. into the values.
For details check out the [Puppet documentation](https://www.puppet.com/docs/puppet/7/hiera_merging.html#interpolation_functions)
As such an interpolation starts with `%{`, some key or file content (especially in Apache configuration) might be interpreted as variable interpolation and result in some part of the text disappear.
Or it might simply the puppet run with `Syntax error in string` if Puppet fails to parse what it considers an interpolation.
To escape a `%` you can write `%{literal('%')}` instead.
View Git Blame Copy Permalink