But that doesn't address the concern that you can't auto generate values and store them in Heira, as Arnaud mentioned. Is our understanding on this flawed? I see a Puppet source on http://docs.puppetlabs.com/hiera/1/data_sources.html#puppet, but that just says "Coming soon."
My solution thus far, for file based passwords like Bind keys and Bacula passwords, has been to generate passwords on the puppetmaster and then pull the values into templates via file reads. This relies on the filesystem security of the puppetmaster, but if that is gone you're pretty well hosed anyway. The generation script on the puppetmaster handles password aging and regeneration. Not the most graceful solution, but it works well for me. If there is a better way I'd love to hear it, however. On Mon, 4 Nov 2013 22:06:01 +0530 Virender Khatri <vir.kha...@gmail.com> wrote: > puppetdb also expose facts etc. details via api calls too, you might > want to check that out. > > take a look at hiera-gpg puppet module to store hiera variables in > encrypted form, it will provide enough security on hiera/git side. > > > On Mon, Nov 4, 2013 at 7:49 PM, Arnaud Gomes-do-Vale > <arnaud.go...@ircam.fr>wrote: > > > Chuck <cssc...@gmail.com> writes: > > > > > I wouldn't put any sensitive information in a fact, unless the > > > only > > people > > > with access to PuppetDB and your Servers are admins who already > > > have > > access > > > to this information. But even then I still wouldn't do it. > > > > That's more or less the conclusion I arrived at, except I can't > > find any real reason not to trust the Puppet ecosystem with my > > facts. I mean, my servers and PuppetDB are secure (well, they > > should be, unless I screwed things up), inventory service is turned > > off on my dashboard, so I should be safe, shouldn't I? > > > > > At this time I would say the best route would be something like > > > hiera. > > > > Except AFAIU Hiera doesn't allow me to generate values on the client > > node. The whole point of my fact-base approach is that I don't want > > to manage database passwords, they just have to be long-enough > > random strings. > > > > -- > > A > > > > -- > > You received this message because you are subscribed to the Google > > Groups "Puppet Users" group. > > To unsubscribe from this group and stop receiving emails from it, > > send an email to puppet-users+unsubscr...@googlegroups.com. > > To view this discussion on the web visit > > https://groups.google.com/d/msgid/puppet-users/y9hzjpkfdw2.fsf%40licencieux.ircam.fr > > . > > For more options, visit https://groups.google.com/groups/opt_out. > > > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/20131104185251.41e7c004%40vncBox.tjnii.com. For more options, visit https://groups.google.com/groups/opt_out.
