In both cases, for hiera and trocla, doesn't the password end up in the catalog, and don't other things like the dashboard consume the catalog? Does that mean the passwords are available in dashboard?
Is there a way to cause the client to pull down the password without including it in the catalog?

I missed it in my first search of the list but here's one that seems promising.

http://www.mailinglistarchive.com/html/puppet-users@googlegroups.com/2010-01/msg00507.html

> $password = file("/config/user-passwords/$name")

Would the value of $password still end up in the catalog?

Regards,
-Alan

On Mon, Oct 3, 2011 at 6:42 PM, R.I.Pienaar <r...@devco.net> wrote:
>
> ----- Original Message -----
>> Sure, but that doesn't really address the issue (at least not
>> out-of-box). Hiera puts your data outside your manifests, but at
>> least in our case it's still in revision control. Are you putting
>> your Hiera data elsewhere? If so, how do you control access to it?
>
> it would be pretty trivial to create an encrypted hiera backend that
> can only be decrypted by machines that have a key stored on their disks.
>
> You'd check into SCM the encrypted file and on your masters store the decrypt
> key

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
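
A value read on the master with `file()` is resolved at compile time, so once it is assigned to a resource parameter it is part of the compiled catalog. The following Ruby check is an added example, not part of the original thread or of Puppet itself: it walks a catalog saved as JSON and reports which resource parameters carry a secret, without echoing the secret. The catalog layout (a `resources` array of `type`/`title`/`parameters`, optionally wrapped in `data`) is a simplified assumption, the sample catalog is constructed, and `secrets_in_catalog` is a hypothetical name.

```ruby
require 'json'

# Constructed sample: a trimmed catalog where secrets resolved on the master
# were assigned to resource parameters. All values are made up.
SAMPLE_CATALOG = <<~'JSON'
  {"name": "web01.example.com",
   "resources": [
     {"type": "User", "title": "alan",
      "parameters": {"ensure": "present", "password": "$6$constructedsalt$constructedhash"}},
     {"type": "File", "title": "/etc/app/db.conf",
      "parameters": {"mode": "0600", "content": "user=app\npass=s3cr3t-constructed\n"}},
     {"type": "Package", "title": "ntp", "parameters": {"ensure": "installed"}}
   ]}
JSON

# Parameter names that usually hold credentials (heuristic, assumption).
SENSITIVE_NAME = /passw(or)?d|secret|token|private_?key/i

# Returns one finding per resource parameter that either has a sensitive-looking
# name or whose value contains one of the known secret strings. Findings name
# the resource and parameter only; the secret value is never copied out.
def secrets_in_catalog(catalog_json, known_secrets = [])
  doc = JSON.parse(catalog_json)
  doc = doc['data'] if doc['data'].is_a?(Hash) # some catalogs wrap the body in "data"
  findings = []
  (doc['resources'] || []).each do |res|
    (res['parameters'] || {}).each do |name, value|
      text = value.is_a?(String) ? value : value.to_json
      by_value = known_secrets.any? { |s| !s.empty? && text.include?(s) }
      by_name  = !(name =~ SENSITIVE_NAME).nil?
      next unless by_value || by_name
      findings << { resource: "#{res['type']}[#{res['title']}]",
                    parameter: name,
                    reason: by_value ? :known_value : :parameter_name }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  secrets_in_catalog(SAMPLE_CATALOG, ['s3cr3t-constructed']).each do |f|
    puts "#{f[:resource]} #{f[:parameter]} (#{f[:reason]})"
  end
end
```

Any system that stores or displays the catalog sees every parameter this reports, so the same check applies to whatever copy of the catalog a reporting tool receives.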