I'm trying to implement encrypted values in YAML with Hiera 5 so that passwords can be injected securely into Puppet (Enterprise) 5.3 via automatic parameter lookup. The Puppet blog and PUP-7284 give good guidance on the necessary setup.
However, I can't seem to get lookup_options right to ensure the value is converted to the Sensitive type (to match the class parameter).
Asserting the type with the puppet lookup command fails with the following:
[user@rhel7 ~]$ puppet lookup my_module::db_pass --environment test --type Sensitive[String]
Error: Could not run: Found value has wrong type, expects a Sensitive value, got String
The lookup_options also appear to be found, and they look sensible:
[user@rhel7 ~]$ puppet lookup my_module::db_pass --environment test --explain-options
Hierarchy entry "Passwords"
Path "/etc/puppetlabs/code/environments/test/modules/my_module/data/secrets.eyaml"
Original path: "secrets.eyaml"
Found key: "lookup_options" value: {
  "^my_module::.*pass$" => {
    "convert_to" => "Sensitive"
  }
}
Decryption works fine (unfortunately in plaintext - not sure whether that is expected?):
[user@rhel7 ~]$ puppet lookup my_module::db_pass --environment test
Found key: "my_module::db_pass" value: "password_is_taco"
The setup is as follows:
[user@rhel7 /etc/puppetlabs/puppet/environment/test/modules/my_module]$ cat hiera.eyaml
---
version: 5
defaults:
  data_hash: yaml_data
  datadir: data
hierarchy:
  - name: "Passwords"
    lookup_key: eyaml_lookup_key
    paths:
      - "secrets.eyaml"
    options:
      pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
      pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"
[user@rhel7 /etc/puppetlabs/puppet/environment/test/modules/my_module]$ cat ./data/secrets.eyaml
---
lookup_options:
  '^my_module::.*pass$':
    convert_to: "Sensitive"
my_module::db_pass: >
  ENC[PKCS7,MIIBqQYJKoZ...snip]
Using different regexes and/or the key directly had no success either:
lookup_options:
  my_module::db_pass:
    convert_to: "Sensitive"
Apologies in advance for any small copy-paste issues in the obfuscated code :)
Answer 0 (score: 2)
I never figured out why the specific test setup I tried above didn't work, but I eventually got the following working:
---
lookup_options:
  "^my_module::.*(password|token)$":
    convert_to: Sensitive
The pattern match correctly coerces any of the following to Sensitive[String]:
my_module::password
my_module::service_password
my_module::api_token
my_module::any_number::of_subclasses::token_or_password
If you're considering going through the same process, consider using the puppet lookup utility, especially with --explain-options and --type Sensitive[String].
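As an added example (not code from the question or the answer above), here is how a class in my_module might consume such a value once the answer's lookup_options are in place. It assumes the Hiera data and the "^my_module::.*(password|token)$" convert_to rule shown in the answer; the class name, parameter name and config path are hypothetical. The selector guards against exactly the situation the question ran into: if the convert_to option does not fire and a plain String is bound to the parameter, the class wraps it in Sensitive itself, so the secret is redacted in the catalog, agent reports and logs either way, and it is only unwrapped at the point of use.

```puppet
# Added example: consuming a Hiera-provided password as Sensitive[String].
# Assumed Hiera data (from the answer above), e.g.:
#   lookup_options:
#     "^my_module::.*(password|token)$":
#       convert_to: Sensitive
#   my_module::db_password: ENC[PKCS7,...]
# Class, parameter and path names here are hypothetical.
class my_module (
  # Accept both forms so an ineffective convert_to rule does not fail the catalog.
  Variant[String[1], Sensitive[String[1]]] $db_password,
  String $config_path = '/etc/my_app/db.conf',
) {
  # Normalise to Sensitive[String]: pass a wrapped value through, wrap a plain one.
  $secret = $db_password ? {
    Sensitive => $db_password,
    default   => Sensitive($db_password),
  }

  # notice($secret) would log "Sensitive [value redacted]" rather than the password.

  # Unwrap only inside the block that builds the file content, and keep the
  # resulting content Sensitive so the agent neither diffs nor logs it.
  file { $config_path:
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    show_diff => false,
    content   => $secret.unwrap |$plain| { Sensitive("db_password=${plain}\n") },
  }
}
```

With this in place, `puppet lookup my_module::db_password --environment test --type Sensitive[String]` (as the answer recommends) checks that the Hiera side produces the Sensitive type, while the selector in the class keeps the manifest safe if it does not.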