======================================================================
Eyaml Configuration
The purpose of this document is to encrypt variables in transit between the Puppet Master and the client. Hiera is the tool that takes the values at rest on the Puppet Master disk and sends them to the client.
Log onto the Puppet Master
#root$ puppet --version
4.10.4 # This is just the version I used. I don't know about other versions, but I suspect they'll work too.
# Install the gem
# Creates /opt/puppetlabs/server/data/puppetserver/jruby-gems/bin/eyaml and /opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/hiera-eyaml-2.1.0/
sudo /opt/puppetlabs/bin/puppetserver gem install hiera-eyaml
#root$ mkdir /etc/puppetlabs/puppet/eyaml # This seems to be the de facto standard place for keys
#root$ cd /etc/puppetlabs/puppet/eyaml # I'm going to stop using the prompt for root for the rest of the document. Run everything as user root.
puppet module install jlbfalcao-jruby --version 1.7.11 #Creates /etc/puppetlabs/code/environments/production/modules/jruby
puppetserver gem install hiera-eyaml
yum install wget -y # Probably should put this in site.pp at a minimum
wget https://s3.amazonaws.com/jruby.org/downloads/9.1.13.0/jruby-bin-9.1.13.0.tar.gz # (Ref: http://jruby.org/download via https://github.com/jruby/jruby)
cd /etc/puppetlabs/puppet/eyaml/ # This probably isn't the best directory, but it works
tar -pxvf jruby-bin-9.1.13.0.tar.gz
cd jruby-9.1.13.0
ln -sf $PWD/bin/jruby /usr/local/bin
puppet module install biemond-jdk7 --version 1.0.0 --environment production --modulepath=/etc/puppetlabs/code/modules
# Download jdk-8u144-linux-x64.tar.gz from http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
mv /tmp/jdk-8u144-linux-x64.tar.gz /etc/puppetlabs/code/modules/jdk7/files
vim /etc/puppetlabs/code/environments/production/manifests/site.pp
node li426-253 { # "li426-253" is the node name of the Puppet Master
  # Biemond's jdk7 module
  jdk7::install7{ 'jdk1.8.0_144':
    version               => "8u144",
    full_version          => "jdk1.8.0_144",
    #java_homes           => '/usr/java/',
    alternatives_priority => 18000,
    x64                   => true,
    download_dir          => "/install",
    urandom_java_fix      => false,
    source_path           => "puppet:///modules/jdk7/",
    default_links         => true,
    install_alternatives  => true,
  }
}
puppet agent -t
This command shows where the ruby-gems are. It's needed in $GEM_PATH for running the eyaml tool locally.
find /etc /opt -type d | grep jruby-gems
export GEM_PATH=/opt/puppetlabs/server/data/puppetserver/jruby-gems
cd /etc/puppetlabs/puppet/eyaml
/opt/puppetlabs/server/data/puppetserver/jruby-gems/bin/eyaml createkeys
This error occurs when GEM_PATH doesn't point at the hiera-eyaml gem; the export above solves it:
Gem::MissingSpecError: Gem::MissingSpecError
to_specs at /etc/puppetlabs/puppet/eyaml/jruby-9.1.13.0/lib/ruby/stdlib/rubygems/dependency.rb:310
to_spec at /etc/puppetlabs/puppet/eyaml/jruby-9.1.13.0/lib/ruby/stdlib/rubygems/dependency.rb:322
gem at /etc/puppetlabs/puppet/eyaml/jruby-9.1.13.0/lib/ruby/stdlib/rubygems/core_ext/kernel_gem.rb:65
<main> at /opt/puppetlabs/server/data/puppetserver/jruby-gems/bin/eyaml:22
/opt/puppetlabs/server/data/puppetserver/jruby-gems/bin/eyaml encrypt -s 'hello there' #Smoke test
cd /etc/puppetlabs/puppet/eyaml
chown -R pe-puppet.pe-puppet . # Let the real process owner own these keys
chmod -R 0500 .
chmod u+w .
chmod 0400 keys/*.pem
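The chown/chmod steps above are the part most easily undone by a later deploy or a careless copy. As an added example (not from the original post), this Ruby check verifies the layout those commands produce: the eyaml directory closed to group/other and every .pem under it at exactly 0400, optionally also checking the owner. The audit function and the throwaway directory it is demonstrated on are my own constructions; the file names match hiera-eyaml's default createkeys output, the file contents are placeholders.

```ruby
require 'etc'
require 'fileutils'
require 'tmpdir'

# Report deviations from the scheme applied above: the eyaml directory closed to
# group/other (0700 after `chmod -R 0500 .` and `chmod u+w .`) and every key file
# under it at exactly 0400. Pass owner: 'pe-puppet' to also check the chown.
def audit_eyaml_keydir(dir, owner: nil)
  problems = []
  return ["#{dir}: not a directory"] unless File.directory?(dir)
  dir_mode = File.stat(dir).mode & 0o777
  problems << format('%s: mode %04o grants group/other access', dir, dir_mode) if dir_mode & 0o077 != 0
  pems = Dir.glob(File.join(dir, '**', '*.pem'))
  problems << "#{dir}: no .pem key files found" if pems.empty?
  pems.each do |pem|
    st = File.stat(pem)
    mode = st.mode & 0o777
    problems << format('%s: mode %04o, expected 0400', pem, mode) unless mode == 0o400
    next unless owner
    name = Etc.getpwuid(st.uid).name
    problems << "#{pem}: owned by #{name}, expected #{owner}" unless name == owner
  end
  problems
end

# Build a throwaway directory shaped like `eyaml createkeys` output (placeholder
# file contents, constructed here), run the audit, apply the page's chmod steps,
# and return the findings before and after. keys/ itself is left writable so the
# temp directory can be removed afterwards.
def demo_hardening
  Dir.mktmpdir('eyaml') do |dir|
    FileUtils.mkdir_p(File.join(dir, 'keys'))
    %w[private_key.pkcs7.pem public_key.pkcs7.pem].each do |f|
      File.write(File.join(dir, 'keys', f), "placeholder, not a real key\n")
    end
    File.chmod(0o755, dir)                   # as a fresh mkdir under a 022 umask
    before = audit_eyaml_keydir(dir)
    File.chmod(0o700, dir)                   # chmod -R 0500 . ; chmod u+w .
    Dir.glob(File.join(dir, 'keys', '*.pem')).each { |p| File.chmod(0o400, p) }
    [before, audit_eyaml_keydir(dir)]        # after chmod 0400 keys/*.pem
  end
end

if $PROGRAM_NAME == __FILE__
  before, after = demo_hardening
  puts "before: #{before.size} problem(s)", *before, "after: #{after.size} problem(s)", *after
end
```

Run it against the real directory with `audit_eyaml_keydir('/etc/puppetlabs/puppet/eyaml', owner: 'pe-puppet')` from a cron job or a Puppet exec to catch drift.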
# Put the value of 'hello there' in encrypted form into the node's hiera file
cat /etc/puppetlabs/code/environments/orardbms/hieradata/nodes/li1059-248.jim.com.eyaml
---
#jim_message: hello there
jim_message: ENC[PKCS7,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]
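The node file above keeps a commented-out plaintext copy next to the encrypted value, which is exactly the kind of leftover that leaks a secret to anyone with read access to hieradata. As an added example (not from the original post), this Ruby audit walks an eyaml document and reports which keys are wrapped in a well-formed ENC[PKCS7,...] blob, which are still plaintext, and which commented-out lines still carry the plaintext of a key that has since been encrypted. The sample document is constructed to mirror the page's file; its ciphertext blob is a made-up base64 string, not a real PKCS7 envelope.

```ruby
require 'yaml'

# hiera-eyaml's inline ciphertext form, as written by `eyaml encrypt`: ENC[PKCS7,<base64>]
EYAML_ENC = %r{\AENC\[PKCS7,([A-Za-z0-9+/=\s]+)\]\z}
BASE64_BODY = %r{\A[A-Za-z0-9+/]+={0,2}\z}

# Classify every top-level string value of an eyaml document (given as text) as
# :encrypted (well-formed ENC[PKCS7,...]), :malformed (an ENC[...] whose body is not
# base64), or :plaintext (anything else, which hiera hands to clients verbatim).
def audit_eyaml(text)
  findings = {}
  (YAML.safe_load(text) || {}).each do |key, value|
    next unless value.is_a?(String)
    findings[key] =
      if (m = EYAML_ENC.match(value))
        blob = m[1].gsub(/\s+/, '')   # folded (>) blobs carry line breaks; drop them
        blob.match?(BASE64_BODY) && blob.size % 4 == 0 ? :encrypted : :malformed
      elsif value.start_with?('ENC[')
        :malformed
      else
        :plaintext
      end
  end
  findings
end

# A commented-out "#key: value" left beside its encrypted replacement still exposes
# the plaintext to anyone who can read the file; return the keys affected.
def leaked_comments(text, findings)
  text.each_line.map do |line|
    m = /\A\s*#\s*([\w.:-]+):\s*\S/.match(line)
    m && findings[m[1]] == :encrypted ? m[1] : nil
  end.compact
end

# Constructed sample modelled on the node file above; the blob is a made-up base64 string.
SAMPLE_EYAML = <<~EYAML
  ---
  #jim_message: hello there
  jim_message: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEh]
  db_password: changeme
  api_token: ENC[PKCS7,abc]
EYAML

if $PROGRAM_NAME == __FILE__
  findings = audit_eyaml(SAMPLE_EYAML)
  findings.each { |key, state| puts "#{key}: #{state}" }
  leaked_comments(SAMPLE_EYAML, findings).each { |key| puts "plaintext of #{key} leaks in a comment" }
end
```

A well-formed blob only proves the syntax is right; whether it decrypts is still the master's job, so run this as a pre-commit or CI check on the hieradata repository rather than in place of a test lookup.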
# Edit the class that the client node uses to use the encrypted value
/etc/puppetlabs/code/environments/orardbms/modules/jimode3/manifests/init.pp
class jimode3 {
  $jim_message = hiera('jim_message')
  notify{ "HERE_1 $ jim_message == $jim_message":}
}
# Run this on the client as opposed to the master
#root$ puppet agent -t
Notice: Local environment: 'production' doesn't match server specified node environment 'orardbms', switching agent to 'orardbms'.
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for li1059-248
Info: Applying configuration version '1505934417'
Notice: HERE_1 $ jim_message == hello there
Notice: /Stage[main]/jimode3/Notify[HERE_1 $ jim_message == hello there]/message: defined 'message' as 'HERE_1 $ jim_message == hello there'
Notice: Applied catalog in 0.69 seconds
Q.E.D