Zee, <opinion>
There is no need to read the password from the catalog, since the password for your DB is stored in some XML file on the application server. The point is that in the real world most developers don't have access to production servers, and they only need to access the code in version control (puppet, hiera and so on). Only a few devops/administrators have access to the puppet server and production servers. hiera-vault is nice, but it's convoluted and might be overkill for the easy task of encrypting a few keys. You might not need any API or any of the cumbersome stuff that Hashicorp often has in its head. You just need to encrypt some stuff in your hiera, in a way that you can share the code with everyone without revealing all the secrets. Vault might offer other features that I am not aware of, but you really need to know these features and understand whether you're really going to use them.

Massimiliano

On Friday, July 15, 2016 at 04:04:07 UTC+2, Zee Alexander wrote:
>
> <opinion>
>
> I'll just add...yes hiera-eyaml is the generally accepted "puppet community" way of encrypting data in hiera. BUT, puppet in general is not ideal for secret storage at this time. E.g. the benefit of hiera eyaml is that people can contribute encrypted values via the public key, to a git repo, without having the private key to decrypt. It doesn't offer you any particularly special security on the puppet master, since by definition the master is going to have a copy of the private key so that it can decrypt data, and it's going to be plaintext in the catalog regardless (which ends up cached on the agent node...)
>
> Not to mention storing credentials in YAML is inherently a duplication of that information (vs whatever spreadsheet/lastpass/1pass type thing you use), and if you do enough of it, things are going to get out of sync between hiera and reality no matter how hard you try.
>
> Ideally you'd use some sort of API-based credential storage so that nodes can retrieve their credentials ad-hoc.
>
> Hashicorp Vault is one example: https://www.vaultproject.io/
> Conveniently, there's a hiera backend for it: https://github.com/jsok/hiera-vault
> Ideally there'd be some sort of node-side retrieval so that the credentials don't end up in the catalog, but that's an exercise left to the reader.
> </opinion>
>
> On Friday, July 8, 2016 at 6:29:31 AM UTC-7, dkoleary wrote:
>>
>> Hey;
>>
>> I've come to the point where I need to encrypt a password in hiera data. After trying (and failing) the recipe in the puppet cookbook, I hit the google searches and very quickly came across hiera eyaml.
>>
>> So, short question: is hiera.eyaml the generally accepted method of encrypting data for use in modules?
>>
>> Just trying to avoid going down the wrong path again...
>>
>> Thanks
>>
>> Doug O'Leary
>>
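As an added example, not code from this thread and not hiera-eyaml's own implementation, the following Ruby mirrors the asymmetric pattern Zee describes: anyone holding the public certificate can produce an `ENC[PKCS7,...]` value (the token format hiera-eyaml's default PKCS7 encryptor writes into hiera YAML) and commit it to git, while only the holder of the private key, i.e. the puppet master, can turn it back into plaintext. The keypair is generated in-process as a stand-in for the `eyaml createkeys` output; the function names (`generate_keypair`, `eyaml_encrypt`, `eyaml_decrypt`, `decryptable?`), the AES-256-CBC content cipher and the sample password are assumptions made for this example.

```ruby
require 'openssl'

# Throwaway RSA key and self-signed certificate, constructed here so the
# example runs offline. Stands in for the private_key.pkcs7.pem /
# public_key.pkcs7.pem pair that `eyaml createkeys` would produce.
def generate_keypair
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=hiera-eyaml-example')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Contributor side: needs only the public certificate. Wraps the plaintext
# in a PKCS#7 EnvelopedData structure (random AES-256-CBC content key,
# RSA-encrypted to the certificate) and formats it as an eyaml token.
def eyaml_encrypt(cert, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  p7 = OpenSSL::PKCS7.encrypt([cert], plaintext, cipher, OpenSSL::PKCS7::BINARY)
  "ENC[PKCS7,#{[p7.to_der].pack('m0')}]" # pack('m0') = strict base64
end

# Master side: needs the private key. After this call the value is ordinary
# plaintext and, in a real run, goes into the compiled catalog unchanged.
def eyaml_decrypt(key, cert, token)
  m = token.match(%r{\AENC\[PKCS7,([A-Za-z0-9+/=]+)\]\z})
  raise ArgumentError, 'not an ENC[PKCS7,...] token' unless m
  p7 = OpenSSL::PKCS7.new(m[1].unpack1('m0'))
  p7.decrypt(key, cert)
end

# Convenience check used to show that a different keypair (e.g. a developer
# who only has the repo and the public cert) cannot recover the value.
def decryptable?(key, cert, token)
  eyaml_decrypt(key, cert, token)
  true
rescue OpenSSL::OpenSSLError
  false
end

if __FILE__ == $PROGRAM_NAME
  master_key, public_cert = generate_keypair
  token = eyaml_encrypt(public_cert, 'db_password_s3cret') # constructed sample secret
  puts "value committed to hiera: #{token[0, 40]}..."
  puts "master decrypts to:       #{eyaml_decrypt(master_key, public_cert, token)}"
  dev_key, dev_cert = generate_keypair
  puts "other key can decrypt?    #{decryptable?(dev_key, dev_cert, token)}"
end
```

The example stops exactly where Zee's caveat begins: `eyaml_decrypt` runs on the master, so the returned string is plaintext catalog data from that point on, and nothing here changes what ends up cached on the agent.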