Puppet Encryption

There are two different parts:

  • install and configure the eyaml gem
  • install and configure Hiera to use eyaml

https://puppetlabs.com/blog/encrypt-your-data-using-hiera-eyaml
http://www.olindata.com/blog/2015/02/eyaml-hiera-data-encryption

eyaml gem

Install offline

If you don't have an internet connection:

gem fetch namegemtodownload
gem install --local your.gem

For example:

gem fetch highline -v 1.6.19

You also need to resolve the dependencies manually. Here is the list of gems necessary:

  • hiera-eyaml-2.0.8.gem
  • highline-1.6.19.gem (don't use another version; I have tried version highline-1.7.8.gem on Red Hat 6 and it didn't work)
  • trollop-2.1.2.gem

Install with internet connection and configure the gem

Red Hat 6

yum install rubygems
gem install hiera-eyaml

Verify that the gem is installed

Run the following; the gem is installed if the output looks like this:

gem list hiera-eyaml

*** LOCAL GEMS ***

hiera-eyaml (2.0.8)

Uninstall gems

You have requested to uninstall the gem:
        highline-1.6.19
hiera-eyaml-2.0.8 depends on [highline (~> 1.6.19)]
If you remove this gems, one or more dependencies will not be met.
Continue with Uninstall? [Yn]  n

/opt/puppet/bin # ./puppetserver gem install --local ~/gems/highline-1.6.20.gem
Successfully installed highline-1.6.20
1 gem installed
root@bsrpprd2009:/opt/puppet/bin # ./puppetserver gem list highline

*** LOCAL GEMS ***

highline (1.6.20, 1.6.19)
root@bsrpprd2009:/opt/puppet/bin # ./puppetserver gem uninstall highline

Select gem to uninstall:
1. highline-1.6.19
2. highline-1.6.20
3. All versions
> 1
Successfully uninstalled highline-1.6.19
root@bsrpprd2009:/opt/puppet/bin # ./puppetserver gem list

*** LOCAL GEMS ***

ffi (1.9.3 java)
hiera-eyaml (2.0.8)
highline (1.6.20)
jar-dependencies (0.0.9)
jruby-openssl (0.9.5 java)
json (1.8.0 java)
krypt (0.0.2)
krypt-core (0.0.2 universal-java)
krypt-provider-jdk (0.0.2)
rake (10.1.0)
rdoc (4.0.1)
trollop (2.1.2)
root@bsrpprd2009:/opt/puppet/bin # ./puppetserver gem list highline

*** LOCAL GEMS ***

highline (1.6.20)

Configure eyaml

cd /etc/puppetlabs/puppet

Create the two keys in a ./keys directory:
eyaml createkeys

If you want to run the eyaml command from a directory other than the one containing ./keys, you need to configure it.
Config files are read first from /etc/eyaml/config.yaml, then from ~/.eyaml/config.yaml, and finally from anything referenced in the EYAML_CONFIG environment variable.
The file takes any long-form argument that you can provide on the command line. For example, to override the pkcs7 keys:
---
pkcs7_private_key: '~/keys/eyaml/private_key.pkcs7.pem'
pkcs7_public_key: '~/keys/eyaml/public_key.pkcs7.pem'

Set up the permissions on the private key:

chmod 500 /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem
chown pe-puppet:pe-puppet /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem

The user pe-puppet is the user that runs the /etc/init.d/pe-puppetserver process in the Puppet Enterprise version.

Encrypt/decrypt a password

Encrypt a password string:

eyaml encrypt -s supersicurapassword

Using the block output format, you can put the result in a file, e.g. /opt/info.eyaml:

mysql::server::root_password: >
    ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw
    DQYJKoZIhvcNAQEBBQAEggEAPOFboh/WW6bI3sZ7/sE75GqUdZpxxhA8Ylrs
    u4DptxyN8jXxota0raEHqWuRhA7hEKg6WoMnwI+G6mHkh7QdWcYMDQhmdGE2
    /Y5PhiflqZ73bUVDB5HZ/iExhEzeei4g/MqfoquanclEpOsVZeP/5ww/Tlao
    Y7bo3z2adZXkLOB2qqu2iA0kVKjZJnCr+aKXOrPBgT1uhJ6QG2sK5WxzgSrq
    cK0rVPxPr7AGGBQvtlGSfksXicRm1EVPD4dcAOK1kceF2nzq+6+1tkupzckF
    6SEw7eINgzkfEA07MB6/fYV1+Zfa3K1sYNWp28BYHIDzP7t8snALNEdnbK98
    rHgQBzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAHcJL9vWd1MZCNsXvo
    q+MtgBCH1ximM7cQ3nT37YdTX7lg]

Edit the file; in the editor you see the password in clear text:

eyaml edit /opt/info.eyaml

Decrypt the file and print it in clear text:

eyaml decrypt -f /opt/info.eyaml

To encrypt something, you only need the public_key, so distribute that to people creating hiera properties.

Hiera

Installation

You also need to install the gem inside the puppetserver (its own JRuby), in this way:

cd /opt/puppet/bin
./puppetserver gem install hiera-eyaml

Configuration

hiera.yaml

cat hiera-eyaml.yaml
---
:backends:
  - yaml
  - eyaml

:logger: console

:eyaml:
  :extension: 'eyaml'
  :datadir: /data/puppet/environments/mine/hiera
  :pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem
  :pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/keys/public_key.pkcs7.pem

:hierarchy:
  - "custom_nodes/%{::hostname}"
  - "nodes/%{::hostname}"
  - "location/%{::location}"
  - common
  - password

:yaml:
  :datadir: /data/puppet/environments/mine/hiera

password.eyaml file. I have tested it, and if I change the file extension to .yaml and also set the value :extension: 'yaml', it doesn't work.

clear: segretaaaa

crypted: >
    ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw
    DQYJKoZIhvcNAQEBBQAEggEAJF9ZHFZI6J0uNkA+bQs9zY8xWOpGTfImp8O7
    1G5UcOhrd8zJIYwriFIWu2OiQDl39txZgrJSUJJ0Kz37MrPg4T5ppzZvxpKF
    mKrXk6CKTZGF+3fW1KhztkSPZv6/WZgRAT8uQL28R/mzvhmpI/24XU1QZf7p
    g1Kv4Idm+o/Plw5cCHMQMFmwsph3bnlpo3IwyI5EZ0ROdg7v6zyfRDSWfmrD
    0W7A0CsobnnEMbB2l4PJ4Qi9ZG2FSQdkkIITOx++/Uj8OiAkAD6yLr0qSdHb
    IAZjCynfHJKFM2E+7LsibGzfkwQqthhQiKtPT5hlf/TEoHgrEpIFoK70dbZz
    mPkMRjA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDbaOKWK9rnRoPtwrUJ
    lugigBDDRa4khYGgJkViZ08AjmLI]

Here you can see both an encrypted password and one in clear text.

Test that it works

Before pushing to production it is convenient to test using puppet apply.

Unsuccessful test with hiera, using the debug option and the configuration file option:

hiera -c hiera-eyaml.yaml -d criptata environment=puppet_dev

Test showing the clear-text password:

puppet apply --hiera_config ./hiera-eyaml.yaml  -e '$somevar = hiera(pwd) notify { $somevar: }'
Notice: Compiled catalog for puppetmaster01.bcloud.b-source.net in environment production in 0.65 seconds
Notice: segretaaaa
Notice: /Stage[main]/Main/Notify[segretaaaa]/message: defined 'message' as 'segretaaaa'
Notice: Finished catalog run in 0.45 seconds

Unsuccessful test with an error; in this test the password file has the extension .yaml, so the ENC[...] value is returned verbatim instead of being decrypted:

root@bsrpprd2009:~/yaml-test # puppet apply --hiera_config ./hiera-eyaml.yaml  -e '$somevar = hiera(crypted) notify { $somevar: }'
Notice: Compiled catalog for puppetmaster01.bcloud.b-source.net in environment production in 0.59 seconds
Notice: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw DQYJKoZIhvcNAQEBBQAEggEAJF9ZHFZI6J0uNkA+bQs9zY8xWOpGTfImp8O7 1G5UcOhrd8zJIYwriFIWu2OiQDl39txZgrJSUJJ0Kz37MrPg4T5ppzZvxpKF mKrXk6CKTZGF+3fW1KhztkSPZv6/WZgRAT8uQL28R/mzvhmpI/24XU1QZf7p g1Kv4Idm+o/Plw5cCHMQMFmwsph3bnlpo3IwyI5EZ0ROdg7v6zyfRDSWfmrD 0W7A0CsobnnEMbB2l4PJ4Qi9ZG2FSQdkkIITOx++/Uj8OiAkAD6yLr0qSdHb IAZjCynfHJKFM2E+7LsibGzfkwQqthhQiKtPT5hlf/TEoHgrEpIFoK70dbZz mPkMRjA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDbaOKWK9rnRoPtwrUJ lugigBDDRa4khYGgJkViZ08AjmLI]

Notice: /Stage[main]/Main/Notify[ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw DQYJKoZIhvcNAQEBBQAEggEAJF9ZHFZI6J0uNkA+bQs9zY8xWOpGTfImp8O7 1G5UcOhrd8zJIYwriFIWu2OiQDl39txZgrJSUJJ0Kz37MrPg4T5ppzZvxpKF mKrXk6CKTZGF+3fW1KhztkSPZv6/WZgRAT8uQL28R/mzvhmpI/24XU1QZf7p g1Kv4Idm+o/Plw5cCHMQMFmwsph3bnlpo3IwyI5EZ0ROdg7v6zyfRDSWfmrD 0W7A0CsobnnEMbB2l4PJ4Qi9ZG2FSQdkkIITOx++/Uj8OiAkAD6yLr0qSdHb IAZjCynfHJKFM2E+7LsibGzfkwQqthhQiKtPT5hlf/TEoHgrEpIFoK70dbZz mPkMRjA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDbaOKWK9rnRoPtwrUJ lugigBDDRa4khYGgJkViZ08AjmLI]
]/message: defined 'message' as 'ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw DQYJKoZIhvcNAQEBBQAEggEAJF9ZHFZI6J0uNkA+bQs9zY8xWOpGTfImp8O7 1G5UcOhrd8zJIYwriFIWu2OiQDl39txZgrJSUJJ0Kz37MrPg4T5ppzZvxpKF mKrXk6CKTZGF+3fW1KhztkSPZv6/WZgRAT8uQL28R/mzvhmpI/24XU1QZf7p g1Kv4Idm+o/Plw5cCHMQMFmwsph3bnlpo3IwyI5EZ0ROdg7v6zyfRDSWfmrD 0W7A0CsobnnEMbB2l4PJ4Qi9ZG2FSQdkkIITOx++/Uj8OiAkAD6yLr0qSdHb IAZjCynfHJKFM2E+7LsibGzfkwQqthhQiKtPT5hlf/TEoHgrEpIFoK70dbZz mPkMRjA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDbaOKWK9rnRoPtwrUJ lugigBDDRa4khYGgJkViZ08AjmLI]
'
Notice: Finished catalog run in 0.46 seconds

Successful test; in this case the password file has the extension .eyaml:

puppet apply --hiera_config ./hiera-eyaml.yaml  -e '$somevar = hiera(crypted) notify { $somevar: }'
Notice: Compiled catalog for puppetmaster01.bcloud.b-source.net in environment production in 0.79 seconds
Notice: segretaariptata
Notice: /Stage[main]/Main/Notify[segretaariptata]/message: defined 'message' as 'segretaariptata'
Notice: Finished catalog run in 0.45 seconds
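Two checks for the failure modes shown in the tests above: an ENC[PKCS7,...] value left in a .yaml file (which the eyaml backend never decrypts) and a private key readable by group or others. This is an added example, not part of the original page; it assumes a POSIX sh with mktemp and either GNU or BSD stat, and builds a constructed sample datadir instead of touching a real Puppet master.

```shell
#!/bin/sh
# Added example, not from the original page; needs mktemp and GNU or BSD stat.

# find_misplaced_enc DATADIR: print "file:line:text" for each ENC[PKCS7,...]
# value found in a *.yaml file. With ":extension: 'eyaml'" in hiera.yaml only
# *.eyaml files go through the eyaml backend, so such a value reaches Puppet
# undecrypted, which is what the failed "puppet apply" test above shows.
# Returns 0 when nothing is misplaced, 1 otherwise.
find_misplaced_enc() {
  found=0
  for f in $(find "$1" -type f -name '*.yaml'); do
    if grep -n 'ENC\[PKCS7,' "$f" >/dev/null 2>&1; then
      grep -n 'ENC\[PKCS7,' "$f" | sed "s|^|$f:|"
      found=1
    fi
  done
  return $found
}

# check_private_key KEYFILE: 0 only if the file exists and its mode grants
# nothing to group or others (400, 500, 600 or 700), as chmod 500 above does.
check_private_key() {
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    [0-7]00) return 0 ;;
    *)       return 1 ;;
  esac
}

# make_sample_datadir: build a constructed datadir (a misplaced password.yaml,
# a correct common.eyaml, a dummy private key) and print its path, so the
# checks run stand-alone without a real Puppet master.
make_sample_datadir() {
  d=$(mktemp -d)
  printf 'clear: segretaaaa\ncrypted: >\n    ENC[PKCS7,AAAAAAAA]\n' > "$d/password.yaml"
  printf 'crypted: >\n    ENC[PKCS7,AAAAAAAA]\n' > "$d/common.eyaml"
  printf 'constructed dummy key, not a real PEM\n' > "$d/private_key.pkcs7.pem"
  chmod 500 "$d/private_key.pkcs7.pem"
  echo "$d"
}

# Demo run: report misplaced values, then confirm the key permissions.
d=$(make_sample_datadir)
find_misplaced_enc "$d" || echo "-> move these values into a .eyaml file"
check_private_key "$d/private_key.pkcs7.pem" && echo "private key mode ok"
```

Point find_misplaced_enc at the real :datadir from hiera.yaml and check_private_key at the real :pkcs7_private_key path to run the same checks on a server.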

Script to create a web page using Hiera data

#!/bin/bash
# Builds a static HTML table of all machines from the Hiera node files.
MACHINES="/products/software/rundeck/html/all-machines.html"
update=$(date)
echo "<h2> last update: $update</h2>" > "$MACHINES"
echo "this is a static page press F5 to refresh your cache" >> "$MACHINES"
echo "<table border=\"4\">" >> "$MACHINES"
echo "<tr> <td>customer code</td> <td>hostname</td> <td>ipaddress</td> <td>int_dns_provider_fw</td> <td>location</td> <td>os</td> <td>domain</td> <td>domain name</td> </tr>" >> "$MACHINES"

cd /root/puppet-code/hiera/nodes || exit 1
#cd /home/borg/test_node/

# printhost NODEFILE: read the cmdb_* values of one node file and append a table row
printhost () {
  node=$1
  customer_infr_service=$(grep cmdb_customer_infr_service "$node" | cut -f 2 -d ':')
  hostname=$(grep cmdb_hostname "$node" | cut -f 2 -d ':')
  ipaddres=$(grep cmdb_ipaddres "$node" | cut -f 2 -d ':')
  int_dns_provider_fw=$(grep cmdb_int_dns_provider_fw "$node" | cut -f 2 -d ':')
  location=$(grep cmdb_location "$node" | cut -f 2 -d ':')
  os=$(grep cmdb_os "$node" | cut -f 2 -d ':')

  # look up the infrastructure (domain) of this host through hiera itself;
  # the unquoted $(echo $hostname) strips the leading space left by cut
  domain=$(hiera cmdb_infrastructure environment=production ::hostname=$(echo $hostname) -c /products/data/puppet/environments/production/hiera.yaml)
  if [ "$domain" != 'nil' ] && [ "$domain" != 'NA' ] ; then
    domainname=$(grep "iaas_domain_membership::domain:" "/root/puppet-code/hiera/infrastructure/$domain.eyaml" | cut -f 4 -d ':')
  else
    domainname="not defined"
  fi
  echo "<tr> <td>$customer_infr_service</td> <td>$hostname</td> <td>$ipaddres</td> <td>$int_dns_provider_fw</td> <td>$location</td> <td>$os</td> <td>$domain</td> <td>$domainname</td> </tr>" >> "$MACHINES"
}

# printallcode CODE: print a row for every node file that contains CODE
printallcode () {
  mycode=$1
  for node in $(grep "$mycode" * | cut -f 1 -d ':');
  do
    printhost "$node"
  done
}

# all distinct customer codes found in the node files
codes=$(grep cmdb_customer_infr_service * | cut -f 3 -d ':' | sort | uniq)

# grep "cmdb_os: Windows " * | cut -f 1 -d '.'
for code in $(echo $codes);
do
  echo "the code" "$code"
  printallcode "$code"
done

echo "</table>" >> "$MACHINES"
Unless otherwise stated, the content of this page is licensed under the Creative Commons Attribution-ShareAlike 3.0 License