Hello Martin,
Thank you for letting me know about another way.
Yes, using the content property within the file resource and
interpolating from hiera could be another option for what I want to do.
However, I want to change the content property for each hostname, which
means every host has individual content. In that context, I have to
create a very long hiera file like:
xxx::zzz:
  host-1: >
    ENC[...snip
  host-2: >
    ENC[...snip
  ...snip
...then lookup(xxx::zzz.%{facts.fqdn}). # this is not allowed in Puppet
Instead, using eyaml in the exec resource like below is a slightly
easier way to write:
exec { '/path/to/decrypted':
  command => "eyaml decrypt --file=/path/to/${facts['fqdn']}/encrypted > /path/to/decrypted",
  cwd     => '/path/to/dir/to/keys',
  ...snip
}
Thank you very much for your help.
Kind regards,
Go
On Tue, Dec 1, 2020 at 3:44 AM Martin Alfke <[email protected]> wrote:
>
> Hi Go,
>
> > On 24. Nov 2020, at 00:06, Go Iwai <[email protected]> wrote:
> >
> > Hello Dirk,
> >
> > Thank you for replying to the mail. However, your code doesn't work for an
> > exec resource like below:
> >
> > exec { '/path/to/decrypted-file':
> >   command => 'eyaml decrypt --file=/path/to/encrypted-file > /path/to/decrypted-file',
> >   # ...snip
> > }
>
> You want to create a file based on eyaml encrypted content.
> That means that you must ensure that eyaml is installed on any system which
> receives the exec resource.
>
> A better solution is to use class parameters:
>
> class xxx::zzz (
>   String $content,
> ){
>   file { '/path/to/decrypted-file':
>     ensure  => file,
>     content => $content,
>   }
> }
>
> And then have the encrypted file content in hiera:
>
> xxx::zzz::content: >
>   ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw
>   DQYJKoZIhvcNAQEBBQAEggEAmporEXibvTRjR+81UCj7xHmSLk9bQw91jETE
>   PXcdlpvs6g4YqJUy+D8H0F2puVeVDFcpXBKSzv29NYzjZS7ZiJj/SezB+rRu
>   9Duk57tUW2Ly+ECuTwZCwkjKuDuY6XLQXayRGP39dxS+gCvJiNwxHN2i3XRG
>   m+S/vqkQVJITT6Etra8XWgsVdF0XqBDDcqRnF60xr7vk4sQq/RujFyV9+/hr
>   gw/qnKFfewdb27TkRCO9eHp00jEfTdHrg/GrhMkv/BfcodMuuqiSh/EfWPfG
>   8MPrPmSSAHktgKY81/lPHiz73OAaf7p7HSSclWpCUYUHiHGsi6gPLN9e3PoY
>   Br4TmjA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBxlWjEC2Ij08R/N7Vo
>   63EagBB6T4EMZSB/2E6dW8NFQP7o]
>
> hth,
> Martin
>
> >
> > This generates a notice like:
> >
> > Notice: /Stage[main]/xxx::zzz/Exec[/path/to/decrypted-file]/returns:
> > [hiera-eyaml-core] No such file or directory @ rb_sysopen -
> > ./keys/private_key.pkcs7.pem
> >
> > I can work around this if I give the directory where the keys are located
> > to the cwd attribute, like:
> >
> >   cwd => '/etc/puppetlabs/code',
> >   # pkcs7_private_key: '/etc/puppetlabs/code/keys/private_key.pkcs7.pem'
> >   # pkcs7_public_key: '/etc/puppetlabs/code/keys/public_key.pkcs7.pem'
> >
> > I am grateful for any further advice.
> >
> > Kind regards,
> > Go
> >
> > On Tuesday, November 24, 2020 at 0:55:31 UTC+9, Dirk Heinrichs wrote:
> > On Monday, 23.11.2020, 15:23 +0900, Go Iwai wrote:
> >
> >> It looks more natural if I could rewrite this line above like below:
> >>
> >> eyaml decrypt --file=encrypted-file \
> >>   --pkcs7-public-key=%{pkcs7_public_key} \
> >>   --pkcs7-private-key=%{pkcs7_private_key}
> >
> > I don't think you need to specify these options at all if everything is
> > configured correctly. I have the following hiera.yaml in my Puppet
> > environments:
> >
> > ---
> > version: 5
> > defaults:
> >   datadir: hiera
> >   lookup_key: eyaml_lookup_key
> > hierarchy:
> >   - name: Main
> >     options:
> >       pkcs7_private_key: '/etc/puppetlabs/code/keys/private_key.pkcs7.pem'
> >       pkcs7_public_key: '/etc/puppetlabs/code/keys/public_key.pkcs7.pem'
> >     paths:
> >       - ...
> >       - common.yaml
> >
> > With this in place I can simply type "eyaml edit common.yaml" or "eyaml
> > encrypt -s 'something'", w/o specifying the keys every time.
> >
> > HTH...
> >
> > Dirk
> > --
> > Dirk Heinrichs
> > Senior Systems Engineer, Delivery Pipeline
> > OpenText ™ Discovery | Recommind
> > Phone: +49 2226 15966 18
> > Email: [email protected]
> > Website: www.recommind.de
> > Recommind GmbH, Von-Liebig-Straße 1, 53359 Rheinbach
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Puppet Users" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > To view this discussion on the web visit
> > https://groups.google.com/d/msgid/puppet-users/8e51cbb0-02bd-4999-b89b-ea656c139018n%40googlegroups.com.
>
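As an added example (not code posted by Go, Martin or Dirk), here is the per-host variant of Martin's class-parameter approach. Instead of one large hash keyed by hostname and a `lookup()` that interpolates the fact into the key, a per-node hierarchy level gives every host its own encrypted value under the same key, and the eyaml backend decrypts on the Puppet server while the catalog is compiled. The agents therefore never need the eyaml gem or the PKCS7 private key, which the exec approach has to distribute to every node. The `nodes/%{trusted.certname}.yaml` level, the `lookup_options` `convert_to: "Sensitive"` setting (available in Puppet 6 and later), the sample node file and the file paths are assumptions for this example, not taken from the thread.

```puppet
# Added example, not from the thread. Assumes a hiera.yaml like Dirk's
# (lookup_key: eyaml_lookup_key, keys under /etc/puppetlabs/code/keys)
# extended with a per-node level that is consulted before common.yaml:
#
#   hierarchy:
#     - name: Per-node data                      # assumed level
#       path: "nodes/%{trusted.certname}.yaml"
#     - name: Main
#       paths:
#         - common.yaml
#
# data/nodes/host-1.example.com.yaml (constructed) carries only that
# host's secret under the ordinary class-parameter key, and common.yaml
# marks the key as Sensitive so the plaintext is redacted in the catalog,
# in reports and in file diffs:
#
#   # common.yaml
#   lookup_options:
#     xxx::zzz::content:
#       convert_to: "Sensitive"     # Puppet 6+ (assumed available)
#
#   # nodes/host-1.example.com.yaml
#   xxx::zzz::content: >
#     ENC[PKCS7,...]                # written with `eyaml edit`, value elided
#
# Decryption happens on the Puppet server during compilation; the agent
# receives the plaintext only over its authenticated TLS session and needs
# neither the eyaml gem nor the PKCS7 private key.
class xxx::zzz (
  Sensitive[String] $content,
  String[1]         $path  = '/path/to/decrypted-file',   # assumed default
  String[1]         $owner = 'root',
  String[1]         $group = 'root',
) {
  file { $path:
    ensure    => file,
    owner     => $owner,
    group     => $group,
    mode      => '0600',      # only the owner can read the decrypted secret
    content   => $content,    # Sensitive: redacted in agent logs and reports
    show_diff => false,       # never print old/new content in agent output
  }
}
```

Compared with running `eyaml decrypt` from an exec resource, this keeps the private key on the server only, produces an idempotent file resource with a proper mode instead of a shell command that rewrites the file on every run, and leaves no decrypted value or decrypt command line in the agent's report.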