On 19/03/14 17:11, Spencer Krum wrote:
> > so far about 99% of our use cases have
> > been taken care of by exported resources and PuppetDB
>
> Where controlling a system that is well modeled by puppet resources,
> host entries in /etc/hosts for example, exported resources work well.
> I find myself often wanting to just pick up strings and use them in
> templates. The only way I know how to do this in PuppetDB is to export
> a concat fragment resource.

Templates - yeah that's where it gets really hard using exported resources.

> > Your hiera_insert function looks to be the sort of thing we'd be
> > able to make good use of, even if we do have to change backend.
>
> Of the 'dynamic' backends, redis, postgres, etc which backend would
> you be most likely to use?

We love postgres here, so I guess that would be it (plus it's already on our puppetmaster for puppetdb). Others are an option, just more effort.

> > Would love to see the ability to incorporate encryption as well - then
> > we can hiera_insert an encrypted password/key/etc with some greater
> > confidence.
>
> Can you expand a bit more on this? Do you mean a transparent
> encryption layer? Right now you could put an encrypted password into a
> redis key. We could also write a function to encrypt a plaintext
> string to the puppet master's public gpg key. That would enable hostA
> to have the plaintext and export only the encrypted version into
> redis, then hostB would receive the cleartext as well. I'm not sure
> how 'encrypted' hiera really works, since it always seems pointless to me.

Sorry - wasn't very clear.

We use eyaml for passwords and one or two SSL certs. The private key to decrypt the content of that yaml is located on the puppetmaster (not on the client) and the client receives the cleartext as the puppetmaster does the decryption as part of the eyaml backend. It's not ideal, but suits our needs and was really easy to set up. I've not explored the code to figure out how it works (yet).

Encrypting a string using the puppetmaster's public gpg key sounds like a better way to go, I'm not sure how the backend might trigger the decryption before sending the cleartext to hostB - but I'm sure we can work that one out. It's a function of the hiera backend, and wouldn't fit into hiera_insert anyway.

Thanks
Xav
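The flow discussed in this message (hostA encrypts to the master's public key, the shared backend holds only ciphertext, the master decrypts at lookup time before hostB gets the cleartext), as an added example that is not code from the thread, from eyaml, or from hiera_insert. It uses PKCS7 from Ruby's OpenSSL library rather than GPG and wraps values in an `ENC[PKCS7,...]` marker in the style eyaml uses; the keypair, the Hash standing in for redis/postgres, the key name and the password are all constructed for illustration.

```ruby
require 'openssl'
require 'base64'

# Constructed stand-in for the puppetmaster's keypair: RSA key + self-signed cert.
def make_master_keypair
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=puppetmaster.example')
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# hostA: holds the plaintext and only the master's public certificate.
def encrypt_for_master(plaintext, master_cert)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  p7 = OpenSSL::PKCS7.encrypt([master_cert], plaintext, cipher, OpenSSL::PKCS7::BINARY)
  "ENC[PKCS7,#{Base64.strict_encode64(p7.to_der)}]"
end

# Puppetmaster: decrypts at lookup time; values without the wrapper pass through.
def decrypt_on_master(value, master_key, master_cert)
  m = /\AENC\[PKCS7,([A-Za-z0-9+\/=]+)\]\z/.match(value)
  return value unless m
  p7 = OpenSSL::PKCS7.new(Base64.strict_decode64(m[1]))
  p7.decrypt(master_key, master_cert).force_encoding('UTF-8')
end

# Walk the flow once; the Hash is a constructed stand-in for redis/postgres.
def demo
  key, cert = make_master_keypair
  store = {}
  store['hostA/db_password'] = encrypt_for_master('s3cr3t-constructed', cert)
  { stored: store['hostA/db_password'],
    cleartext: decrypt_on_master(store['hostA/db_password'], key, cert) }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "backend holds:  #{r[:stored][0, 40]}..."
  puts "hostB receives: #{r[:cleartext]}"
end
```

The private key never leaves the master, so a read of the shared backend yields only ciphertext; the cleartext still appears in the catalog the master compiles for hostB.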
