github.com/StackExchange/blackbox/v2@v2.0.1-0.20220331193400-d84e904973ab/docs/with-puppet.md

How to use the secrets with Puppet?
===================================

# Entire files:

Entire files, such as SSL certs and private keys, are treated just
like regular files. You decrypt them any time you push a new release
to the puppet master.

Example of an encrypted file named `secret_file.key.gpg`:

* Plaintext file is: `modules/${module_name}/files/secret_file.key`
* Encrypted file is: `modules/${module_name}/files/secret_file.key.gpg`
* Puppet sees it as: `puppet:///modules/${module_name}/secret_file.key`

Puppet code that stores `secret_file.key` in `/etc/my_little_secret.key`:

```
file { '/etc/my_little_secret.key':
  ensure => 'file',
  owner  => 'root',
  group  => 'puppet',
  mode   => '0760',
  source => "puppet:///modules/${module_name}/secret_file.key", # No ".gpg"
}
```

# Small strings:

For small strings such as passwords and API keys, it makes sense
to store them in an (encrypted) YAML file which is then made
available via hiera.

For example, we use a file called `blackbox.yaml`. You can access the
data in it using the hiera() function.

*Setup:*

Edit `hiera.yaml` to add "blackbox" to the search hierarchy:

```
:hierarchy:
  - ...
  - blackbox
  - ...
```

In `blackbox.yaml` specify:

```
---
module::test_password: "my secret password"
```

In your Puppet code, access the password as you would any hiera data:

```
$the_password = hiera('module::test_password', 'fail')

file { '/tmp/debug-blackbox.txt':
  content => $the_password,
  owner   => 'root',
  group   => 'root',
  mode    => '0600',
}
```

The variable `$the_password` will contain "my secret password" and can be used anywhere strings are used.
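As an added example that is not part of the blackbox docs: the same lookup, written so the secret is redacted from Puppet's agent logs, catalog and reports rather than shown in plain text whenever the file changes. It assumes Puppet 4.10 or later (for `Sensitive` and `lookup()`), the `module::test_password` key from `blackbox.yaml` above, and a hypothetical target path `/etc/my_app/password.txt`.

```puppet
# Added example, not from the blackbox docs.
# lookup() is the current replacement for hiera(); the arguments are
# (key, expected type, merge strategy, default). 'fail' is kept as the
# default so a missing key is obvious, exactly as in the page's hiera() call.
# Wrapping the value in Sensitive makes Puppet redact it in logs, reports
# and the catalog instead of printing the password when the file is changed.
$the_password = Sensitive(lookup('module::test_password', String, 'first', 'fail'))

file { '/etc/my_app/password.txt':   # hypothetical path
  ensure    => 'file',
  content   => $the_password,        # Sensitive content is written, never diffed in clear
  owner     => 'root',
  group     => 'root',
  mode      => '0600',
  show_diff => false,                # never record this file's contents in a report
}
```

Unwrap only where a plain string is unavoidable (`$the_password.unwrap`), and keep that value out of `notice()`/`notify` and other logged output.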