I have been using hiera to store information in ./MODULENAME/data, with a hiera.yaml file at ./modulename/hiera.yaml. One looks like this:
#
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "source file"
    path: "source.yaml"
I want to encrypt the file with eyaml, but doing so gives me errors in hiera.yaml......
#
---
version: 5
defaults:
  datadir: data
  data_hash: eyaml_data
hierarchy:
  - name: "authorized_keys"
    path: "auth_keys.eyaml"
    eyaml:
      pkcs7_private_key: data/keys/private_key.pkcs7.pem
      pkcs7_public_key: data/keys/public_key.pkcs7.pem
I think the module-specific hiera.yaml has some setting I can use to decrypt files, or specific lines in files, but I can't find much on eyaml beyond how to set it up with keys in /etc/puppet/puppet/keys. I created the pkcs7 keys in ./modulename/data/keys/. The pkcs7 public and private keys don't necessarily have to be the ones under data/keys in the module directory; they could be the global keys in /etc/puppet/puppet/keys.
Answer 0 (score: 1)
I believe I found the answer; it was in some of the hiera-eyaml documentation:
https://github.com/voxpupuli/hiera-eyaml
Hopefully my findings help if someone else has this problem :)
You can configure the hiera.yaml under ./ModuleName/hiera.yaml as described in the docs. Here is my test example; I modified an existing test module to test that this works. I think this is what is needed:
Here is my module:
$ tree master_cron/
master_cron/
├── data
│   └── secrets.eyaml
├── hiera.yaml
└── manifests
    └── init.pp
$ ll /etc/puppetlabs/puppet/keys/
total 8.0K
drwxr-xr-x. 2 pe-puppet pe-puppet   63 Mar 18 16:51 .
drwxr-xr-x. 4 root      root       207 Mar 18 17:03 ..
-rw-------. 1 pe-puppet pe-puppet 1.7K Mar 18 16:51 private_key.pkcs7.pem
-rw-r--r--. 1 pe-puppet pe-puppet 1.1K Mar 18 16:51 public_key.pkcs7.pem
$ cat hiera.yaml
---
version: 5
defaults:
  datadir: data
hierarchy:
  - name: "secret data"
    lookup_key: eyaml_lookup_key
    path: "secrets.eyaml"
    options:
      pkcs7_private_key: /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
      pkcs7_public_key: /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
...
You can also specify a key for the module itself and put it under data/keys...
$ cat data/secrets.eyaml
---
master_cron::jobs:
  "chown_pe-puppet":
    environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
    minute: '*/5'
    user: root
    command: ENC[PKCS7,...]
  "chmod_pe-puppet":
    environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
    minute: '*/5'
    user: root
    command: ENC[PKCS7,...]
This is just a test module I created that sets up a few cron jobs; I encrypted the commands as a test, which is not really what eyaml is for ;) This is what it looks like decrypted:
---
master_cron::jobs:
  "chown_pe-puppet":
    environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
    minute: '*/5'
    user: root
    command: chown -R pe-puppet:pe-puppet /etc/puppetlabs/code/environments/production/modules
  "chmod_pe-puppet":
    environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
    minute: '*/5'
    user: root
    command: chmod -R 755 /etc/puppetlabs/code/environments/production/modules
I consume the hiera data in the module exactly as I would without encryption:
class master_cron ($jobs) {
  create_resources(cron, $jobs)
}
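As an added example (not code from the post above and not part of hiera-eyaml), the following script checks the things that go wrong most often with the layout the answer shows: an eyaml file that still carries a plaintext value, an ENC[PKCS7,...] token whose payload is not base64, a hiera.yaml that hooks eyaml in as `data_hash` instead of `lookup_key: eyaml_lookup_key` (the configuration the question tried), a private key that is readable by group or other, and a private key stored inside the module tree, where git, r10k or the Forge would ship it along with the module. The function names (`check_eyaml_text`, `check_hiera_yaml_text`, `check_private_key`, `key_lives_in_module`, `demo_key_layout`), the sensitive-key list and every sample file are my own assumptions and constructed data; the ENC payload is a base64 placeholder, not a real PKCS7 envelope.

```python
"""Sanity checks for a Puppet module that ships eyaml data (added example).

Assumes the layout from the answer (module/hiera.yaml, module/data/*.eyaml,
keys under /etc/puppetlabs/puppet/keys) but takes every path as a parameter.
All sample text and files below are constructed for the demo.
"""
import base64
import os
import re
import stat
import tempfile

# Single-line tokens of the form ENC[PKCS7,<base64>]; block-style (folded) tokens
# are not handled by this linter.
ENC_RE = re.compile(r"ENC\[(?P<method>[A-Za-z0-9]+),(?P<blob>[^\]]*)\]")
# Keys whose values should never be committed in clear. "command" is included only
# because the answer encrypted cron commands; adjust the list for your own data.
SENSITIVE_KEY_RE = re.compile(r"\b(password|passwd|secret|token|command)\s*:", re.I)


def check_eyaml_text(text):
    """Return [(line_no, problem)] for one eyaml document given as a string."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ENC_RE.search(line)
        if m:
            if m.group("method") != "PKCS7":
                findings.append((n, f"unsupported ENC method {m.group('method')}"))
                continue
            try:
                base64.b64decode(m.group("blob"), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                findings.append((n, "ENC[PKCS7,...] payload is not valid base64"))
        elif SENSITIVE_KEY_RE.search(line):
            key, _, value = line.partition(":")
            if value.strip():
                findings.append((n, f"plaintext value for sensitive key {key.strip()!r}"))
    return findings


def check_hiera_yaml_text(text):
    """Flag the mistake from the question: hiera-eyaml is a lookup_key function
    (eyaml_lookup_key), so a data_hash entry pointing at eyaml does not work."""
    return [(n, "use 'lookup_key: eyaml_lookup_key' instead of a data_hash entry")
            for n, line in enumerate(text.splitlines(), 1)
            if re.search(r"data_hash:\s*eyaml", line)]


def check_private_key(path):
    """The PKCS7 private key must exist and be readable only by its owner (0600)."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return [f"{path}: private key missing"]
    if mode & 0o077:
        return [f"{path}: mode {mode:04o}, expected 0600 (group/other can read the key)"]
    return []


def key_lives_in_module(module_dir, key_path):
    """True when the private key sits inside the module tree, i.e. it would be
    shipped with the module; keep private keys outside the module."""
    mod = os.path.realpath(module_dir)
    return os.path.realpath(key_path).startswith(mod + os.sep)


# Constructed sample: one well-formed token, one plaintext command, one token with a
# broken payload, one token using a method the PKCS7 backend does not understand.
FAKE_BLOB = base64.b64encode(b"constructed payload, not a real PKCS7 envelope").decode()
SAMPLE_EYAML = f"""---
master_cron::jobs:
  "chown_pe-puppet":
    minute: '*/5'
    user: root
    command: ENC[PKCS7,{FAKE_BLOB}]
  "chmod_pe-puppet":
    minute: '*/5'
    user: root
    command: chmod -R 755 /etc/puppetlabs/code/environments/production/modules
  "bad_token":
    command: ENC[PKCS7,not*valid*base64]
  "wrong_method":
    command: ENC[GPG,{FAKE_BLOB}]
"""
BAD_HIERA = "version: 5\ndefaults:\n  datadir: data\n  data_hash: eyaml_data\n"


def demo_key_layout():
    """Build a throwaway module tree (constructed) and run both key checks on a key
    under module/data/keys (mode 0644) and a key outside the module (mode 0600)."""
    root = tempfile.mkdtemp(prefix="eyaml-lint-")
    module_dir = os.path.join(root, "master_cron")
    in_module = os.path.join(module_dir, "data", "keys", "private_key.pkcs7.pem")
    global_key = os.path.join(root, "puppet", "keys", "private_key.pkcs7.pem")
    for path, mode in ((in_module, 0o644), (global_key, 0o600)):
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(path, mode)
    return {
        "in_module_shipped": key_lives_in_module(module_dir, in_module),
        "in_module_findings": check_private_key(in_module),
        "global_shipped": key_lives_in_module(module_dir, global_key),
        "global_findings": check_private_key(global_key),
    }


if __name__ == "__main__":
    for n, problem in check_eyaml_text(SAMPLE_EYAML):
        print(f"secrets.eyaml:{n}: {problem}")
    for n, problem in check_hiera_yaml_text(BAD_HIERA):
        print(f"hiera.yaml:{n}: {problem}")
    for name, result in demo_key_layout().items():
        print(f"{name}: {result}")
```

Run it as a pre-commit hook over `data/*.eyaml` and `hiera.yaml`; the key checks are the reason the answer's listing shows `private_key.pkcs7.pem` as `-rw-------` under /etc/puppetlabs/puppet/keys rather than under the module's data directory.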