How to create a secure file in Puppet 5 with Hiera?


I want to create SSL certificates and try to secure this operation. I am using Puppet 5.5.2 and the hiera-eyaml gem.

Create a simple manifest

cat /etc/puppetlabs/code/environments/production/manifests/site.pp

package { 'tree':
  ensure => installed,
}
package { 'httpd':
  ensure => installed,
}
$filecrt = lookup('files')
create_resources( 'file', $filecrt )
Hiera config

---
version: 5
defaults:
  # The default value for "datadir" is "data" under the same directory as the hiera.yaml
  # file (this file)
  # When specifying a datadir, make sure the directory exists.
  # See https://puppet.com/docs/puppet/latest/environments_about.html for further details on environments.
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Secret data: per-node, per-datacenter, common"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "nodes/%{facts.fqdn}.eyaml"
      - "nodes/%{trusted.certname}.eyaml"  # Include explicit file extension
      - "location/%{facts.whereami}.eyaml"
      - "common.eyaml"
    options:
      pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem
      pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/keys/public_key.pkcs7.pem
  - name: "YAML hierarchy levels"
    paths:
      - "common.yaml"
      - "nodes/%{facts.fqdn}.yaml"
      - "nodes/%{::trusted.certname}.yaml"
and the plain yaml

---
files:
'/etc/httpd/conf/server.crt':
ensure: present
mode: '0600'
owner: 'root'
group: 'root'
content: 'ENC[PKCS7,{LOT_OF_STRING_SKIPPED}+uaCmcHgDAzsPD51soM+AIkIlv0ANpUXzBpwM3tqQ3ysFtz81S0xuVbKvslK]'
But when applying the manifest I get an error

Error: Evaluation Error: Error while evaluating a Function Call, create_resources(): second argument must be a hash (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 12, column: 1) on node test1.com

I really don't know what to do )

Found another solution

It was a problem with lookup and hashes. When I have multiple lines in a Hiera hash, I have to specify them.

So I decided to use lookup only for the "content" variable

cat site.pp
$filecrt = lookup('files')

file { 'server.crt':
  ensure  => present,
  path    => '/etc/httpd/conf/server.crt',
  content => $filecrt,
  owner   => 'root',
  group   => 'root',
  mode    => '0600',
}
and Hiera

---
files: 'ENC[PKCS7,{LOT_OF_STRING_SKIPPED}+uaCmcHgDAzsPD51soM+AIkIlv0ANpUXzBpwM3tqQ3ysFtz81S0xuVbKvslK]'

The problem seems to be incorrect indentation in common.yaml - currently, files will be null rather than a hash, which explains the error message. Also, the file should be called common.eyaml, otherwise the ENC string will not be decrypted. Try

---
files:
  '/etc/httpd/conf/server.crt':
    ensure: present
    mode: '0600'
    owner: 'root'
    group: 'root'
    content: 'ENC[PKCS7,{LOTS_OF_STRING_SKIPPED}UXzBpwM3tqQ3ysFtz81S0xuVbKvslK]'

If you want to see the difference the indentation makes, you can use an online YAML parser.
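The two points in the answer above (mis-indented YAML yields a null `files` key, and ENC[...] values only get decrypted from files the eyaml backend is configured for) can be checked before running `puppet apply`. The following is an added example, not code from the original post or from Puppet or hiera-eyaml: a small Ruby preflight that loads a data file the way Hiera would, verifies that `files` has the shape `create_resources('file', ...)` needs (a Hash of Hashes), and flags encrypted values in a file whose name does not end in `.eyaml`. It assumes the hierarchy from the question (only `*.eyaml` paths use `eyaml_lookup_key`), the hiera-eyaml token format `ENC[PKCS7,<base64>]`, and constructed sample data with a made-up base64 body; `check_files_key` and `EYAML_TOKEN` are names introduced here.

```ruby
# Added example (not from the original post): preflight check for the Hiera data
# used with create_resources('file', lookup('files')). Assumptions: only *.eyaml
# paths are decrypted (as in the question's hiera.yaml), tokens look like
# ENC[PKCS7,<base64>], and the sample data below is constructed for illustration.
require 'yaml'

# Shape of a hiera-eyaml token; the base64 bodies in the samples are made up.
EYAML_TOKEN = /\AENC\[PKCS7,[A-Za-z0-9+\/=\s]+\]\z/

# Loads one Hiera data file and returns what create_resources would receive for
# the `files` key, together with a list of problems found.
def check_files_key(filename, yaml_text)
  data = YAML.safe_load(yaml_text) || {}
  files = data['files']
  problems = []

  # create_resources() requires a Hash whose values are attribute Hashes.
  unless files.is_a?(Hash)
    problems << "files is #{files.inspect} (#{files.class}); create_resources needs a Hash"
    return { files: files, problems: problems }
  end

  files.each do |title, attrs|
    unless attrs.is_a?(Hash)
      problems << "#{title}: attributes are #{attrs.class}, not a Hash"
      next
    end
    content = attrs['content'].to_s
    next unless content.start_with?('ENC[')
    # A plain .yaml file is served by yaml_data, so the literal ENC[...] string
    # would be written into server.crt instead of the decrypted certificate.
    problems << "#{title}: ENC[...] value in #{filename}; only *.eyaml is decrypted" unless filename.end_with?('.eyaml')
    problems << "#{title}: malformed eyaml token (expected ENC[PKCS7,<base64>])" unless content.match?(EYAML_TOKEN)
  end

  { files: files, problems: problems }
end

# Constructed sample: the mis-indented data from the question. YAML treats every
# line after "files:" as a new top-level key, so files => nil.
BROKEN_YAML = <<~YAML
  ---
  files:
  '/etc/httpd/conf/server.crt':
  ensure: present
  mode: '0600'
  owner: 'root'
  group: 'root'
  content: 'ENC[PKCS7,c2FtcGxl]'
YAML

# Constructed sample: the correctly indented data from the answer.
FIXED_EYAML = <<~YAML
  ---
  files:
    '/etc/httpd/conf/server.crt':
      ensure: present
      mode: '0600'
      owner: 'root'
      group: 'root'
      content: 'ENC[PKCS7,c2FtcGxl]'
YAML

if $PROGRAM_NAME == __FILE__
  [['common.yaml', BROKEN_YAML], ['common.yaml', FIXED_EYAML],
   ['common.eyaml', FIXED_EYAML]].each do |name, text|
    result = check_files_key(name, text)
    puts "#{name}: files=#{result[:files].class} problems=#{result[:problems].inspect}"
  end
end
```

Running it shows three outcomes: the mis-indented `common.yaml` gives `files => nil` (the exact condition behind "second argument must be a hash"), the correctly indented data in `common.yaml` parses as a Hash but would leave the ENC token undecrypted, and the same data in `common.eyaml` passes both checks.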

Your encrypted data needs to be in a file with the eyaml extension, and you are using a plain file.