Linux/Unix>> puppet-hiera>> 返回
项目作者: voxpupuli

项目描述 :
Hiera hierarchy module for templating `hiera.yaml`
高级语言: Ruby
项目地址: git://github.com/voxpupuli/puppet-hiera.git
创建时间: 2012-08-14T18:47:18Z
项目社区:https://github.com/voxpupuli/puppet-hiera
开源协议:Apache License 2.0
下载


Hiera module for Puppet

Build Status
Code Coverage
Puppet Forge
Puppet Forge - downloads
Puppet Forge - endorsement
Puppet Forge - scores

Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Setup - The basics of getting started with hiera
  4. Usage - Configuration options and additional functionality
  5. Reference - An under-the-hood peek at what the module is doing and how
  6. Limitations - OS compatibility, etc.
  7. Development - Guide for contributing to the module

Module Description

This module configures Hiera for Puppet.

Setup

What hiera affects

  • Hiera yaml file
  • Hiera datadir
  • hiera-eyaml package
  • keys/ directory for eyaml
  • /etc/hiera.yaml for symlink

Setup requirements

To use the eyaml backend with the modern puppetserver, you will need the puppetlabs-puppetserver_gem module.

Beginning with hiera

Declaring the class with a given hierarchy is a pretty good starting point:

This class will write out a hiera.yaml file in either
/etc/puppetlabs/puppet/hiera.yaml or /etc/puppet/hiera.yaml (depending on if the
node is running Puppet Enterprise or not).

  1. class { 'hiera':
  2.   hierarchy => [
  3.     '%{environment}/%{calling_class}',
  4.     '%{environment}',
  5.     'common',
  6.   ],
  7. }

For Hiera version 5

  1. class { 'hiera':
  2.           hiera_version   =>  '5',
  3.           hiera5_defaults =>  {"datadir" => "data", "data_hash" => "yaml_data"},
  4.           hierarchy       =>  [
  5.                                 {"name" =>  "Virtual yaml", "path"  =>  "virtual/%{virtual}.yaml"},
  6.                                 {"name" =>  "Nodes yaml", "paths" =>  ['nodes/%{trusted.certname}.yaml', 'nodes/%{osfamily}.yaml']},
  7.                                 {"name" =>  "Default yaml file", "path" =>  "common.yaml"},
  8.                               ],
  9. }

Note: For Hiera version 5 when calling the class, please remember to pass ‘5’ to ‘hiera_version’ as in the example above.
Also please note that ‘hierarchy’ is an array of hash in version 5.

The resulting output in /etc/puppet/hiera.yaml:

  1. ---
  2. :backends:
  3.   - yaml
  4. :logger: console
  5. :hierarchy:
  6.   - "%{environment}/%{calling_class}"
  7.   - "%{environment}"
  8.   - common
  10. :yaml:
  11.    :datadir: /etc/puppet/hieradata

Resulting output for Hiera 5

  1. # hiera.yaml Managed by Puppet
  2. version: 5
  3. defaults:
  4.   datadir: data
  5.   data_hash: yaml_data
  6. hierarchy:
  8.   - name: "Virtual yaml"
  9.     path: "virtual/%{virtual}.yaml"
  11.   - name: "Nodes yaml"
  12.     paths:
  13.       - "nodes/%{trusted.certname}.yaml"
  14.       - "nodes/%{osfamily}.yaml"
  16.   - name: "Default yaml file"
  17.     path: "common.yaml"

Usage

Reference

This module will also allow you to configure different options for logger and
merge_behavior. The default behavior is to set logger to console and merge
behavior to native.

For details and valid options see Configuring Hiera.

  1. class { 'hiera':
  2.   hierarchy      => [
  3.     '%{environment}/%{calling_class}',
  4.     '%{environment}',
  5.     'common',
  6.   ],
  7.   logger         => 'console',
  8.   merge_behavior => 'deeper'
  9. }

For Hiera version 5 please see the example above in beginning with Hiera.

The resulting output in /etc/puppet/hiera.yaml:

  1. ---
  2. :backends:
  3.   - yaml
  4. :logger: console
  5. :hierarchy:
  6.   - "%{environment}/%{calling_class}"
  7.   - "%{environment}"
  8.   - common
  10. :yaml:
  11.    :datadir: /etc/puppet/hieradata
  13. :merge_behavior: deeper

Hiera-Eyaml-GPG

The default PKCS#7 encryption scheme used by hiera-eyaml is perfect if only
simple encryption and decryption is needed.

However, if you are in a sizable team it helps to encrypt and decrypt data with
multiple keys. This means that each team member can hold their own private key
and so can the puppetmaster. Equally, each puppet master can have their own key
if desired and when you need to rotate keys for either users or puppet masters,
re-encrypting your files and changing the key everywhere does not need to be
done in lockstep.

Requirements

Note: This module will create a /gpg sub-directory in the $keysdir.

  1. The GPG keyring must be passphraseless on the on the PuppetServer(Master).
  2. The GPG keyring must live in the /gpg sub-directory in the $keysdir.
  3. The GPG keyring must be owned by the Puppet user. ex: pe-puppet

GPG Keyring Creation Tips

RNG-TOOLS

When generating a GPG keyring the system requires a good amount of entropy.
To help generate entropy to speed up the process then rng-tools package on RHEL
based systems or equivilent can be used. Note: Update the /etc/sysconfig/rngd
or equivilent file to set the EXTRAOPTIONS to
EXTRAOPTIONS="-r /dev/urandom -o /dev/random -t 5"

Keyring Generation

Below is a sample GPG answers file that will assist in generating a
passphraseless key

  1. cat << EOF >> /tmp/gpg_answers
  2. %echo Generating a Puppet Hiera GPG Key
  3. Key-Type: RSA
  4. Key-Length: 4096
  5. Subkey-Type: ELG-E
  6. Subkey-Length: 4096
  7. Name-Real: Hiera Data
  8. Name-Comment: Hiera Data Encryption
  9. Name-Email: puppet@$(hostname -d)
  10. Expire-Date: 0
  11. %no-ask-passphrase
  12. # Do a commit here, so that we can later print "done" :-)
  13. # %commit
  14. # %echo done
  15. EOF

You can then use the GPG answer file to generate your keyring within the
/gpg sub-directory in the $keysdir

  1. gpg --batch --homedir /etc/puppetlabs/puppet/keys/gpg --gen-key /tmp/gpg_answers

Usage

  1. class { 'hiera':
  2.   hierarchy            => [
  3.     'nodes/%{clientcert}',
  4.     'locations/%{location}',
  5.     'environments/%{applicationtier}',
  6.     'common',
  7.   ],
  8.   eyaml                => true,
  9.   eyaml_gpg            => true,
  10.   eyaml_gpg_recipients => 'sihil@example.com,gtmtech@example.com,tpoulton@example.com',
  11. }

The resulting output in /etc/puppet/hiera.yaml:

  1. ---
  2. :backends:
  3.   - eyaml
  4.   - yaml
  5. :logger: console
  6. :hierarchy:
  7.   - "nodes/%{clientcert}"
  8.   - "locations/%{location}"
  9.   - "environments/%{applicationtier}"
  10.   - common
  12. :yaml:
  13.    :datadir: /etc/puppet/hieradata
  16. :eyaml:
  17.    :datadir: /etc/puppet/hieradata
  18.    :pkcs7_private_key: /etc/puppet/keys/private_key.pkcs7.pem
  19.    :pkcs7_public_key:  /etc/puppet/keys/public_key.pkcs7.pem
  20.    :encrypt_method: "gpg"
  21.    :gpg_gnupghome: "/etc/puppet/keys/gpg"
  22.    :gpg_recipients: "sihil@example.com,gtmtech@example.com,tpoulton@example.com"

Classes

Public Classes

  • hiera: Main class to configure hiera

Private Classes

  • hiera::params: Handles variable conditionals
  • hiera::eyaml: Handles eyaml configuration

Limitations

The eyaml_version parameter does not currently modify the eyaml version of the
command-line gem on pe-puppetserver.

Development

Pull requests on github! If someone wrote spec tests, that would be awesome.