voxpupuli/puppet-hiera

Name: puppet-hiera

Owner: Vox Pupuli

Description: Hiera hierarchy module for templating `hiera.yaml`

Created: 2012-08-14 18:47:18.0

Updated: 2017-12-19 11:05:15.0

Pushed: 2018-01-04 10:50:16.0

Homepage: https://forge.puppet.com/puppet/hiera

Size: 322

Language: Ruby

GitHub Committers

User	Most Recent Commit	# Commits

Other Committers

User	Email	Most Recent Commit	# Commits

README

Hiera module for Puppet

Table of Contents

1. Overview
2. Module Description - What the module does and why it is useful
3. Setup - The basics of getting started with hiera
   • What hiera affects
   • Setup requirements
   • Beginning with hiera
4. Usage - Configuration options and additional functionality
5. Reference - An under-the-hood peek at what the module is doing and how
6. Limitations - OS compatibility, etc.
7. Development - Guide for contributing to the module

Module Description

This module configures Hiera for Puppet.

Setup

What hiera affects

• Hiera yaml file
• Hiera datadir
• hiera-eyaml package
• keys/ directory for eyaml
• /etc/hiera.yaml for symlink

Setup requirements

If you are using the eyaml backend on:

• Puppet Enterprise 3.3 or earlier then you will need the puppetlabs-pe_gem module to install the eyaml gem using PE's gem command.
• Puppet Enterprise 3.7 or 3.8 then you will need the puppetlabs-pe_puppetserver_gem module.
• Puppet Enterprise 201x.y (ex: 2017.3) or FOSS puppetserver then you will need the puppetlabs-puppetserver_gem module.

Beginning with hiera

Declaring the class with a given hierarchy is a pretty good starting point:

This class will write out a hiera.yaml file in either /etc/puppetlabs/puppet/hiera.yaml or /etc/puppet/hiera.yaml (depending on if the node is running Puppet Enterprise or not).

s { 'hiera':
erarchy => [
'%{environment}/%{calling_class}',
'%{environment}',
'common',

For Hiera version 5

s { 'hiera':
      hiera_version   =>  '5',
      hiera5_defaults =>  {"datadir" => "data", "data_hash" => "yaml_data"},
      hierarchy       =>  [
                            {"name" =>  "Virtual yaml", "path"  =>  "virtual/%{::virtual}.yaml"},
                            {"name" =>  "Nodes yaml", "paths" =>  ['nodes/%{::trusted.certname}.yaml', 'nodes/%{::osfamily}.yaml']},
                            {"name" =>  "Default yaml file", "path" =>  "common.yaml"},
                          ],

Note: For Hiera version 5 when calling the class, please remember to pass '5' to 'hiera_version' as in the example above. Also please note that 'hierarchy' is an array of hash in version 5.

The resulting output in /etc/puppet/hiera.yaml:

kends:
yaml
ger: console
rarchy:
"%{environment}/%{calling_class}"
"%{environment}"
common

l:
datadir: /etc/puppet/hieradata

Resulting output for Hiera 5

era.yaml Managed by Puppet
ion: 5
ults:
tadir: data
ta_hash: yaml_data
archy:

name: "Virtual yaml"
path: "virtual/%{::virtual}.yaml"

name: "Nodes yaml"
paths:
  - "nodes/%{::trusted.certname}.yaml"
  - "nodes/%{::osfamily}.yaml"

name: "Default yaml file"
path: "common.yaml"

Usage

Reference

This module will also allow you to configure different options for logger and merge_behavior. The default behavior is to set logger to console and merge behavior to native.

For details and valid options see Configuring Hiera.

s { 'hiera':
erarchy      => [
'%{environment}/%{calling_class}',
'%{environment}',
'common',

gger         => 'console',
rge_behavior => 'deeper'

For Hiera version 5 please see the example above in beginning with Hiera.

The resulting output in /etc/puppet/hiera.yaml:

kends:
yaml
ger: console
rarchy:
"%{environment}/%{calling_class}"
"%{environment}"
common

l:
datadir: /etc/puppet/hieradata

ge_behavior: deeper

Hiera-Eyaml-GPG

The default PKCS#7 encryption scheme used by hiera-eyaml is perfect if only simple encryption and decryption is needed.

However, if you are in a sizable team it helps to encrypt and decrypt data with multiple keys. This means that each team member can hold their own private key and so can the puppetmaster. Equally, each puppet master can have their own key if desired and when you need to rotate keys for either users or puppet masters, re-encrypting your files and changing the key everywhere does not need to be done in lockstep.

Requirements

Note: This module will create a /gpg sub-directory in the `$keysdir`.

1. The GPG keyring must be passphraseless on the on the PuppetServer(Master).

2. The GPG keyring must live in the /gpg sub-directory in the `$keysdir`.

3. The GPG keyring must be owned by the Puppet user. ex: pe-puppet

GPG Keyring Creation Tips RNG-TOOLS

When generating a GPG keyring the system requires a good amount of entropy. To help generate entropy to speed up the process then rng-tools package on RHEL based systems or equivilent can be used. Note: Update the `/etc/sysconfig/rngd` or equivilent file to set the EXTRAOPTIONS to

# Keyring Generation

w is a sample GPG answers file that will assist in generating a
phraseless key

cat « EOF » /tmp/gpg_answers %echo Generating a Puppet Hiera GPG Key Key-Type: RSA Key-Length: 4096 Subkey-Type: ELG-E Subkey-Length: 4096 Name-Real: Hiera Data Name-Comment: Hiera Data Encryption Name-Email: puppet@$(hostname -d) Expire-Date: 0 %no-ask-passphrase

Do a commit here, so that we can later print “done” :-)

%commit

%echo done

EOF

can then use the GPG answer file to generate your keyring within the
 sub-directory in the ```$keysdir```

gpg –batch –homedir /etc/puppetlabs/code-staging/keys/gpg –gen-key /tmp/gpg_answers

 Usage

class { 'hiera': hierarchy => [

'nodes/%{::clientcert}',
'locations/%{::location}',
'environments/%{::applicationtier}',
'common',

], eyaml => true, eyaml_gpg => true, eyaml_gpg_recipients => 'sihil@example.com,gtmtech@example.com,tpoulton@example.com', }

resulting output in /etc/puppet/hiera.yaml:

---

:backends:

• eyaml
• yaml :logger: console :hierarchy:
• “nodes/%{::clientcert}”
• “locations/%{::location}”
• “environments/%{::applicationtier}”
• common

:yaml: :datadir: /etc/puppet/hieradata

:eyaml: :datadir: /etc/puppet/hieradata :pkcs7_private_key: /etc/puppet/keys/private_key.pkcs7.pem :pkcs7_public_key: /etc/puppet/keys/public_key.pkcs7.pem :encrypt_method: “gpg” :gpg_gnupghome: “/etc/puppet/keys/gpg” :gpg_recipients: “sihil@example.com,gtmtech@example.com,tpoulton@example.com”

Classes

 Public Classes

era: Main class to configure hiera

 Private Classes

era::params: Handles variable conditionals
era::eyaml: Handles eyaml configuration

Parameters

following parameters are available for the hiera class:

ierarchy`
e hiera hierarchy.
fault: `[]`
r Hiera verison 5.
fault: `[{}]`
iera5_defaults`
 set hiera 5 defaults. e.g. datadir, data_hash
fault: `{}`
iera_version`
rsion format to layout hiera.yaml.
ould be a string.
fault: `3`
ackends`
e list of backends.
fault: `['yaml']`
 you supply a additional backend you must also supply the backend data in
e `backend_options` hash.
ackend_options`
 optional hash of backend data for **any** backend.
ch key in the hash should be the name of the backend as listed in
e `backends` array.  You can also supply additional settings for the backend
 passing in a hash.  By default the `yaml` and `eyaml` backend data will be added
 you enable them via their respective parameters.  Any options you supply
r `yaml` and `eyaml` backend types will always override other parameters supplied
 the hiera class for that backend.

ample hiera data for the backend_options hash:

backend_options:

json:
  datadir: '/etc/puppetlabs/puppet/%{::environment}/jsondata'
redis:
  password: clearp@ssw0rd        # if your Redis server requires authentication
  port: 6380                     # unless present, defaults to 6379
  db: 1                          # unless present, defaults to 0
  host: db.example.com           # unless present, defaults to localhost
  path: /tmp/redis.sock          # overrides port if unixsocket exists
  soft_connection_failure: true  # bypass exception if Redis server is unavailable; default is false
  separator: /                   # unless present, defaults to :
  deserialize: :json             # Try to deserialize; both :yaml and :json are supported

NOTE:** The backend_options must **not** contain symbols as keys ie `:json:`
spite the hiera config needing symbols. The template will perform all the
nversions to symbols in order for hiera to be happy.  Because puppet does
t use symbols there are minor annoyances when converting back and forth and
rge data together.
iera_yaml`
e path to the hiera config file.
Note**: Due to a bug, hiera.yaml is not placed in the codedir. Your
ppet.conf `hiera_config` setting must match the configured value; see also
iera::puppet_conf_manage`
fault:
* `'/etc/puppet/hiera.yaml'` for Puppet Open Source
* `'/etc/puppetlabs/puppet/hiera.yaml'` for Puppet Enterprise
reate_symlink`
ether to create the symlink `/etc/hiera.yaml`
fault: true
atadir`
e path to the directory where hiera will look for databases.
fault:
* `'/etc/puppet/hieradata'` for Puppet Open Source
* `'/etc/puppetlabs/puppet/hieradata'` for PE Puppet < 4
* `'/etc/puppetlabs/code/environments/%{::environment}/hieradata'` for Puppet >= 4
atadir_manage`
ether to create and manage the datadir as a file resource.
fault: `true`
wner`
e owner of managed files and directories.
fault:
* `'puppet'` for Puppet Open Source
* `'pe-puppet'` for Puppet Enterprise
roup`
e group owner of managed files and directories.
fault:
* `'puppet'` for Puppet Open Source
* `'pe-puppet'` for Puppet Enterprise
yaml`
ether to install, configure, and enable [the eyaml backend][eyaml]. Also see
e provider and master_service parameters.
fault: `false`
yaml_name`
e name of the eyaml gem.
fault: 'hiera-eyaml'
yaml_version`
e version of hiera-eyaml to install. Accepts 'installed', 'latest', '2.0.7',
c
fault: `undef`
yaml_source`
 alternate gem source for installing hiera-eyaml.
fault: `undef`, uses gem backend default
yaml_datadir`
e path to the directory where hiera will look for databases with the eyaml backend.
fault: same as `datadir`
yaml_extension`
e file extension for the eyaml backend.
fault: `undef`, backend defaults to `'.eyaml'`
eep_merge_name`
e name of the deep_merge gem.
fault: 'deep\_merge'
eep_merge_version`
e version of deep\_merge to install. Accepts 'installed', 'latest', '2.0.7',
c.
fault: `undef`
eep_merge_source`
 alternate gem source for installing deep_merge.
fault: `undef`, uses gem backend default
eep_merge_options`
hash of options to set in hiera.yaml for the deep merge behavior.
fault: `{}`
anage_package`
boolean for wether the hiera package should be managed. Defaults to `true` on
SS 3 but `false` otherwise.
ackage_name`
ecifies the name of the hiera package. Default: 'hiera'
ackage_ensure`
ecifies the ensure value of the hiera package. Default: 'present'
onfdir`
e path to Puppet's confdir.
fault: `$::settings::confdir` which should be the following:
* `'/etc/puppet'` for Puppet Open Source
* `'/etc/puppetlabs/puppet'` for Puppet Enterprise
ogger`
ich hiera logger to use.
Note**: You need to manage any package/gem dependencies yourself.
fault: `undef`, hiera defaults to `'console'`
mdpath`
arch paths for command binaries, like the `eyaml` command.
e default should cover most cases.
fault: `['/opt/puppet/bin', '/usr/bin', '/usr/local/bin']`
reate_keys`
ether to create pkcs7 keys and manage key files for hiera-eyaml.
is is useful if you need to distribute a pkcs7 key pair.
fault: `true`
erge_behavior`
ich hiera merge behavior to use. Valid values are 'native', 'deep', and
eeper'. Deep and deeper values will install the deep\_merge gem into the
ppet runtime.
fault: `undef`, hiera defaults to `'native'`
xtra_config`
bitrary YAML content to append to the end of the hiera.yaml config file.
is is useful for configuring backend-specific parameters.
fault: `''`
eysdir`
rectory for hiera to manage for eyaml keys.
fault: `$confdir/keys`
Note:** If using PE 2013.x+ and code-manager set the keysdir under the

keys to all PuppetServers Example: `/etc/puppetlabs/code-staging/keys`

• puppet_conf_manage Whether to manage the puppet.conf hiera_config value or not. Default: true
• provider Which provider to use to install hiera-eyaml. Can be:
• puppetserver_gem (PE 2015.x or FOSS using puppetserver)
• pe_puppetserver_gem (PE 3.7 or 3.8)
• pe_gem (PE pre-3.7)
• puppet_gem (agent-only gem)
• gem (FOSS using system ruby (ie puppetmaster)) Note: this module cannot detect FOSS puppetserver and you must pass provider => 'puppetserver_gem' for that to work. See also master_service. Default: Depends on puppet version detected as specified above.
• master_service The service name of the master to restart after package installation or hiera.yaml changes. Note: You must pass master_service => 'puppetserver' for FOSS puppetserver Default: 'pe-puppetserver' for PE 2015.x, otherwise 'puppetmaster'
• gem_install_options An array of install options to pass to the gem package resources. Typically, this parameter is used to specify a proxy server. eg gem_install_options => ['--http-proxy', 'http://proxy.example.com:3128']

Limitations

The eyaml_version parameter does not currently modify the eyaml version of the command-line gem on pe-puppetserver.

Development

Pull requests on github! If someone wrote spec tests, that would be awesome.