On Monday, November 4, 2013 10:36:01 AM UTC-6, tujwww wrote:
>
> puppetdb also expose facts etc. details via api calls too, you might want
> to check that out.
>
> take a look at hiera-gpg puppet module to store hiera variables in
> encrypted form, it will provide enough security on hiera/git side.
>

I would strongly recommend securing access to PuppetDB's REST API. I think by default it is accessible only from the host machine, and that may be good enough, but check that I'm right. Certainly your master should run on a machine that is secured to only personnel authorized to have the information that it serves.

I cannot recommend using hiera-gpg with Puppet 3 if you make heavy use of parameterized classes (which is typical these days). Hiera-gpg will decrypt its data file not only for each datum stored therein, but also for every hiera lookup miss (to verify that it is indeed a miss). Puppet 3 performs a hiera lookup for at least each class parameter that is not assigned in a class declaration, and that can exact an excruciating performance penalty when many of those lookups fall through to hiera-gpg.

John
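
One way to check which interfaces PuppetDB's REST API listens on, as an added example that is not part of the original thread. It assumes the `host`, `port`, `ssl-host` and `ssl-port` settings in the `[jetty]` section of PuppetDB's `jetty.ini`, and that an unset host binds to localhost; both sample files are constructed.

```python
import configparser
import ipaddress

# Constructed sample jetty.ini contents (not taken from the thread).
SAMPLE_LOCAL = """
[jetty]
port = 8080
ssl-host = 0.0.0.0
ssl-port = 8081
"""
SAMPLE_EXPOSED = """
[jetty]
host = 0.0.0.0
port = 8080
ssl-host = 0.0.0.0
ssl-port = 8081
"""

def is_loopback(host):
    """True if the bind address names only the local machine."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname: assume reachable from the network

def audit_jetty(text):
    """Return findings for listeners in [jetty] that accept off-host connections."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    jetty = cp["jetty"] if cp.has_section("jetty") else {}
    findings = []
    # A listener exists only when its port is set; an unset host is
    # assumed to mean localhost.
    for label, host_key, port_key in (("cleartext HTTP", "host", "port"),
                                      ("HTTPS", "ssl-host", "ssl-port")):
        if port_key not in jetty:
            continue
        host = jetty.get(host_key, "localhost").strip()
        if not is_loopback(host):
            findings.append(f"{label} on {host}:{jetty[port_key]} is reachable off-host")
    return findings

if __name__ == "__main__":
    for name, text in (("local", SAMPLE_LOCAL), ("exposed", SAMPLE_EXPOSED)):
        print(name, audit_jetty(text))
```

A cleartext finding means facts can be read without any client authentication; an HTTPS finding is a prompt to confirm which client certificates the listener accepts.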