Templating continued

In the previous tutorial we looked at how Puppet can pull configuration data from Hiera.

Some of that configuration data is secret, for example appserver::database_pass. In the previous example, we encoded that in plaintext, which potentially opens up the database to anyone with access to the repository.

Encryption

We can encode that password with eyaml encrypt -s '<plaintext password>' to produce an encrypted version:

ENC[PKCS7,MIIbiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEw
DQYJKoZIhvcNAQEBBQAEggEAOdNlUw/ZeV9V5gV+C+hlq0Y56Z4RTL8HI2s+
5c2Ido2oNgL/XwGarrKLtRzmRm5a9B1Fsr90E9z5hfxsnneb9tqKq/mleEDh
+NBwbnSvElBdm9cQ5nwd2o/c/KYHYoL8xt/vBNzFbmhsSR7/dHjkwb3ub2vG
8zx6dDQo2k7faYN2H/RjbvG6jjtp8Un9waQJFRA+RsGxI6ddmXjNuryTDOiM
EjlxN23tsPwtET9WMc5cPH6bkeTKx+Ho5hepAOPOyDI6V3qxcJPN3740tCsU
Uj00Lebe/Va9JYw68pwwaQErm0Nt5yx1K5JqCLI5hIy7Wud8p09LgosGpaHs
JK26fzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAE32W9EkB7OUY6CHaY
QiICgCBeGUugpo8nsz/nhRjngbGHxfFh4yhv3ZJ2tsgin8MBeg==]

Setup

To facilitate this we need to install the eyaml gem, the command that allows us to encrypt or decrypt data from the command line.

gem install hiera-eyaml

If we’re using this on a Puppet master (with Puppetserver installed) there’s a handy shortcut that obviates the Ruby dependency:

puppetserver gem install hiera-eyaml

Full installation information can be found on the Hiera-eyaml project page on GitHub.

Keys

We also need to generate a public-private key pair to handle the encryption and decryption operations respectively:

eyaml createkeys

Puppet decryption

So far we’ve created a mechanism to put secrets into the repo and read them out. The really clever bit about using eyaml is the hiera-eyaml backend.

Once the gem and the decryption (private) keys are installed, the hiera-eyaml backend empowers Hiera to read encrypted data at puppet-time. This means that Puppet gets access to the secrets, without their being persisted anywhere in plaintext.

Set up Hiera to use the hiera-eyaml backend

We can extend hiera.yaml to hunt for a secrets.eyaml in the hierarchy:

hierarchy:
  - name: "Per-node data"
    path: "nodes/%{::hostname}.yaml"

  - name: "Common data"
    path: "common.yaml"

  - name: "Secret data"
    lookup_key: eyaml_lookup_key
    path: "secrets.eyaml"
    options:
        pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/puppet-azure-teaching-private-key-pkcs7.pem
        pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/puppet-azure-teaching-public-key-pkcs7.pem

Secrets.eyaml

When we embed the confidential data in secrets.eyaml, it’s treated as a normal multi-line variable. Take care of the indenting:

#
# Secrets
#
---
appserver::database_pass:
    ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEw
    DQYJKoZIhvcNAQEBBQAEggEAWzdGsRd9E9kt2TkAiK19JyIu6drSpY/KXTnW
    Abg6Rp3MJHBx97NJeBc5ddcDvhN+N6akAdxbDLEVY0JbJrfsoWfy0crpl/U+
    xY8BwfpdCQxUnRJ3Ervb7hxsLXqsF9BnXpNyePbTBOC3w3XTKLBCVwmIZhuz
    g32m33j3zIBA3hHc6akFmdq+gSs9yFcjFTakoj33kGyoxCcv06XyqDXjWuB5
    ccVYwbForaERLAKnfbTJkRxrNcgyRlEXAFxaw3JdjfZhRb+R91PKcqOQ5G8M
    LhSd8xfQ/IouQXtx2NlOBZS3K6/dXJ3flndHvnN6clpuVbUYODS9c4VRGPfh
    6bmOtTBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDLyNXKQNLzIlhAUrcx
    /pJugCAMEMRjFxSFws1HaDA6y6395XWxfrGFxmpysOMRxggZzg==]
...

…Puppet

Finally the puppet apply run uses the exact same command as the previous example:

puppet apply -dvt ./manifests/site.pp --modulepath=./modules/ --hiera_config=./hiera.yaml

Open-source

All the code for these tutorials is available as part of DevOps-Workstream. The segments from this tutorial specifically make up puppet/tutorial/08-secret-templating-with-eyaml here on GitHub.

If you’d like to see all the previous and future installments of this tutorial, they’re available under the puppet tag.

Get your team coding

If you’d like to help your Operations team move to infrastructure-as-code, please get in touch to find out how Lightenna consulting could accelerate your Cloud journey.

Leave a Comment