Hi all, I'm pondering a design problem and would appreciate some advice:
A reason for externalising data in Hiera is often said to be so that configuration data can be stored in a version control system, e.g. http://puppetlabs.com/blog/first-look-installing-and-using-hiera

Meanwhile, the reason for using an encrypted Hiera backend is so that sensitive configuration data can be stored in Hiera, e.g. http://www.craigdunn.org/2011/10/secret-variables-in-puppet-with-hiera-and-gpg/

Thus, there is a catch: if data is too sensitive to be stored in an unencrypted Hiera backend, it is probably too sensitive to be stored in a version control system like git. I've seen that people out there have considered encrypted version control systems, others have said sensitive configuration data shouldn't be stored at all, and so on, but I can't find much discussion of the problem itself.

After thinking about it for a while, the best I could come up with was supposing there ought to be a way of partially encrypting the Hiera backend, and perhaps dealing with it using a separate level in the hierarchy. I note the Raziel project along these lines by Jens Bräuer: https://github.com/jbraeuer/raziel/ and http://bit.ly/raziel-slides

Is this more of an open problem, or has the community come up with a best-practice recommendation here?

Kind regards,
Alex
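The "separate level in the hierarchy" idea from the post, written out as a Hiera 1 hiera.yaml that runs the plain yaml backend alongside the gpg backend from hiera-gpg. This is an added example, not from Alex's message or from the Raziel project; the datadir and key_dir paths, the `secrets/` level names and the use of `%{::clientcert}` and `%{::environment}` as interpolation variables are assumptions.

```yaml
# hiera.yaml (added example, not from the post or any project)
# Plaintext data stays in the yaml backend; secrets move to separate
# hierarchy levels that, by convention, contain only .gpg files.
# Paths and level names below are assumptions.
---
:backends:
  - yaml
  - gpg

:hierarchy:
  # Encrypted levels, consulted first so a secret can override a
  # plaintext default. Only secrets/<certname>.gpg and secrets/common.gpg
  # exist here; the yaml backend finds no secrets/*.yaml and moves on.
  - "secrets/%{::clientcert}"
  - "secrets/common"
  # Unencrypted levels, committed to git as-is.
  - "%{::environment}"
  - common

:yaml:
  :datadir: /etc/puppet/hieradata

:gpg:
  :datadir: /etc/puppet/hieradata
  # The private key lives only on the Puppet master, never in the repository.
  :key_dir: /etc/puppet/keyrings
```

With this layout the repository holds `hieradata/common.yaml` and `hieradata/<environment>.yaml` in the clear, while `hieradata/secrets/common.gpg` is a YAML document encrypted to the master's public key, so what git sees for the sensitive keys is ciphertext only. Two caveats a reviewer of this design should keep in mind: every value that ever lands in a `.gpg` file remains in git history under whatever key it was encrypted to, so rotating a compromised key means re-encrypting and treating the old ciphertext as exposed; and because every Hiera 1 backend walks every hierarchy level, a `common.gpg` dropped next to `common.yaml` would also be decrypted and merged, so the "secrets only under secrets/" split is a convention you have to enforce, not something the configuration guarantees.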
