This lesson walks through using Puppet Hiera for data separation.
Lab 7.3: Installing and Configuring Hiera Eyaml
Lab 7.4: Encrypting Sensitive Data with Hiera Eyaml
- Update the hiera.yaml file in the control repository with the following content.
---
version: 5
defaults:
  datadir: data
hierarchy:
  - name: "Normal data"
    data_hash: yaml_data # Standard yaml backend
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "roles/%{trusted.extensions.pp_role}.yaml"
      - "os/%{facts.os.family}.yaml"
      - "common.yaml"
- Create a data YAML file for the agent node at data/common.yaml in the control repository.
---
ntp::servers:
  - 2.pool.ntp.org
  - 3.pool.ntp.org
- Add the changes to the git repository.
git add --all
- Commit the changes to the git repository.
git commit -m 'Update NTP servers'
- Push the changes to the git remote server.
git push origin
- Deploy the Hiera data on the Puppet server.
sudo /opt/puppetlabs/puppet/bin/r10k deploy environment -m
- Verify that the hiera data file has been added to the Puppet server.
cat /etc/puppetlabs/puppet/code/environments/production/data/common.yaml
- Trigger a Puppet run on the agent node.
puppet agent -t
- Install Hiera eyaml.
/opt/puppetlabs/server/bin/puppetserver gem install hiera-eyaml
- Create a directory for the hiera eyaml keys.
mkdir -p /etc/puppetlabs/puppet/eyaml
- Change the working directory to the newly created directory.
cd /etc/puppetlabs/puppet/eyaml
- Generate a new key pair for encryption and decryption.
/opt/puppetlabs/puppet/bin/eyaml createkeys --pkcs7-public-key=public_key.pkcs7.pem --pkcs7-private-key=private_key.pkcs7.pem
- Create a directory for the eyaml configuration.
mkdir /etc/eyaml
- Create the eyaml configuration file at /etc/eyaml/config.yaml.
---
pkcs7_private_key: '/etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem'
pkcs7_public_key: '/etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem'
- Update the file ownership on the generated keys.
chown -R puppet:puppet /etc/puppetlabs/puppet/eyaml/
- Update the file permissions on the keys directory.
chmod -R 0500 /etc/puppetlabs/puppet/eyaml/
- Update the file permissions on the eyaml public and private keys.
chmod 0400 /etc/puppetlabs/puppet/eyaml/*.pem
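The chown and chmod steps above are what keep the private key readable only by the Puppet server process; if one of them is skipped, any local account can decrypt every value in the eyaml data. The following POSIX shell function is an added check, not part of the lab, that verifies the directory is mode 0500 and every .pem file in it is mode 0400 (and, when an owner is given, owned by that user). The paths and modes follow the lab; the function name, its optional owner argument and the demonstration directory are my own.

```shell
#!/bin/sh
# Added example, not part of the lab: verify that the eyaml key directory
# and key files carry the permissions the lab sets (0500 on the directory,
# 0400 on the .pem files) and, optionally, the expected owner.

# check_key_perms DIR [OWNER]
# Prints every deviation and returns 1 if any was found, 0 otherwise.
# On the Puppet server pass "puppet" as OWNER, matching the lab's chown.
check_key_perms() {
    dir=$1
    owner=$2
    bad=0
    # -prune stops find from descending, so only DIR itself is tested;
    # it is printed only when its mode is not exactly 0500
    if [ -n "$(find "$dir" -prune ! -perm 0500 -print)" ]; then
        echo "$dir: directory is not mode 0500"
        bad=1
    fi
    # every key file must be mode 0400 (and owned by OWNER when given)
    if [ -n "$owner" ]; then
        files=$(find "$dir" -type f -name '*.pem' \( ! -perm 0400 -o ! -user "$owner" \) -print)
    else
        files=$(find "$dir" -type f -name '*.pem' ! -perm 0400 -print)
    fi
    for f in $files; do
        echo "$f: key file is not mode 0400${owner:+ or not owned by $owner}"
        bad=1
    done
    return $bad
}

# Constructed demonstration (the .pem files are not real keys): a temporary
# directory set up the way the lab leaves /etc/puppetlabs/puppet/eyaml
demo=$(mktemp -d)
printf 'not a real key\n' > "$demo/private_key.pkcs7.pem"
printf 'not a real key\n' > "$demo/public_key.pkcs7.pem"
chmod 0400 "$demo"/*.pem
chmod 0500 "$demo"
check_key_perms "$demo" && echo "key permissions ok"
chmod 0700 "$demo"            # loosen the directory to simulate a missed step
check_key_perms "$demo" || echo "key permissions need fixing"
rm -rf "$demo"
```

On the server the call is `check_key_perms /etc/puppetlabs/puppet/eyaml puppet`; a non-zero exit means one of the chown/chmod steps above has to be repeated.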
- Update the hiera configuration by adding the following configuration to the hiera.yaml file in the control repository.
---
version: 5
defaults:
  datadir: data
hierarchy:
  - name: "Secret data: per-node, per-datacenter, common"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "common.eyaml"
    options:
      pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem
      pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem
  - name: "Normal data"
    data_hash: yaml_data # Standard yaml backend
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "roles/%{trusted.extensions.pp_role}.yaml"
      - "os/%{facts.os.family}.yaml"
      - "common.yaml"
- Encrypt the secret data using eyaml on the Puppet server.
/opt/puppetlabs/puppet/bin/eyaml encrypt -s 'super secret eyaml data'
- Add the encrypted data to data/common.eyaml in the control repository.
---
nginx::secretdata: >
  ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBAD...]
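A value pasted into data/common.eyaml without running `eyaml encrypt` is committed and pushed like any other file, so a scan of the .eyaml files for values that are not ENC[PKCS7,...] tokens is a useful step before `git add`. The function below is an added example, not the lab's own tooling; the awk parser is my own and covers the shapes used in Hiera data (`key: value`, `key: >` and `key: |` block scalars, nested keys and `- item` sequences). The sample files it writes are constructed and contain no real secrets; any value in an .eyaml file that is not an ENC token is reported, list items included, since these files are meant to hold only encrypted data.

```shell
#!/bin/sh
# Added example, not the lab's own tooling: report values in a Hiera .eyaml
# file that are not ENC[PKCS7,...] tokens, i.e. secrets that were pasted in
# without being encrypted.

# check_eyaml_plaintext FILE
# Prints "FILE:LINE: plaintext ..." for each offending value; returns 1 if
# any was found, 0 if every value is encrypted.
check_eyaml_plaintext() {
    awk '
    # blank lines, comments and document markers carry no data
    /^[[:space:]]*(#|$)/ || /^(---|\.\.\.)[[:space:]]*$/ { next }
    {
        ind = match($0, /[^[:space:]]/) - 1   # indentation width
        content = substr($0, ind + 1)
    }
    # inside a block scalar: only its first line is judged, it must open an
    # ENC[PKCS7,...] token; later lines are the rest of the ciphertext
    inblock && ind > blockind {
        if (first && content !~ /^ENC\[PKCS7,/) {
            printf("%s:%d: plaintext block scalar for %s\n", FILENAME, NR, blockkey)
            bad = 1
        }
        first = 0
        next
    }
    { inblock = 0 }
    # sequence item: "- value"
    content ~ /^-([[:space:]]|$)/ {
        key = "list item"
        val = content
        sub(/^-[[:space:]]*/, "", val)
    }
    # mapping entry: the key ends at the first ":" followed by space or end of line
    content !~ /^-([[:space:]]|$)/ {
        if (match(content, /:([[:space:]]+|$)/)) {
            key = substr(content, 1, RSTART - 1)
            val = substr(content, RSTART + RLENGTH)
        } else {
            key = "(no key)"
            val = content
        }
    }
    val == "" { next }                       # a nested mapping or sequence follows
    val ~ /^[>|][-+0-9]*$/ {                 # block scalar indicator
        inblock = 1; blockind = ind; blockkey = key; first = 1
        next
    }
    val ~ /^ENC\[PKCS7,/ { next }            # encrypted, as it should be
    {
        printf("%s:%d: plaintext value for %s\n", FILENAME, NR, key)
        bad = 1
    }
    END { exit bad }
    ' "$1"
}

# write_samples DIR: constructed sample files (the ENC payloads are not real
# ciphertext) used only to demonstrate the check
write_samples() {
    cat > "$1/good.eyaml" <<'EOF'
---
nginx::secretdata: >
  ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBAD]
db::password: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEh]
EOF
    cat > "$1/bad.eyaml" <<'EOF'
---
nginx::secretdata: >
  this was never encrypted
db::password: hunter2
api::keys:
  - ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEh]
  - plaintext-token
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
check_eyaml_plaintext "$demo/good.eyaml" && echo "good.eyaml: all values encrypted"
check_eyaml_plaintext "$demo/bad.eyaml" || echo "bad.eyaml: plaintext found"
rm -rf "$demo"
```

In the control repository, `for f in data/*.eyaml; do check_eyaml_plaintext "$f" || exit 1; done` before `git add --all` stops a plaintext secret from reaching the remote.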
- Add the changes to the git repository.
git add --all
- Create a new git commit for the changes.
git commit -m 'Add eyaml data'
- Push the code changes to the git repository.
git push origin
- Deploy the code changes to the Puppet server.
sudo /opt/puppetlabs/puppet/bin/r10k deploy environment -m
- Trigger a Puppet agent run on the agent node.
puppet agent -t
In this lab, you have:
- Configured Hiera
- Installed and configured Hiera eyaml
- Encrypted sensitive data with Hiera eyaml