1
votes

I installed the DSC module and added an AD user to a domain controller using Puppet. The code below works fine when hard-coding the password as plain text. Is it possible somehow to encrypt those passwords?

I read that hiera-eyaml is the solution for this, so I encrypted the password:

[root@PUPPET puppet]# /opt/puppetlabs/puppet/bin/eyaml encrypt -p
Enter password: **********
string: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAl/+uUACl6WpGAnA1sSqEuTp39SVYfHc7J0BMvC+a2C0YzQg1V]

Then I stored that encrypted password in the /etc/common.eyaml file (specified in the Hiera config file):

/opt/puppetlabs/puppet/bin/eyaml edit /etc/common.eyaml

I can decrypt the file successfully:

/opt/puppetlabs/puppet/bin/eyaml decrypt -f /etc/common.eyaml

Then I specified the encrypted password in the manifest file

/etc/puppetlabs/code/environments/production/manifests/site.pp:

dsc_xADUser {'FirstUser':
  dsc_ensure                        => 'present',
  dsc_domainname                    => 'ad.contoso.com',
  dsc_username                      => 'tfl',
  dsc_userprincipalname             => '[email protected]',
  dsc_password                      => {
    'user'     => '[email protected]',
    'password' => Sensitive('pass')
  },
  dsc_passwordneverexpires          => true,
  dsc_domainadministratorcredential => {
    'user'     => '[email protected]',
    'password' => Sensitive(lookup('password'))
  },
}

On the Windows node I got this error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Function lookup() did not find a value for the name 'password' on node windows.example.com

Hiera config file:

cat /etc/puppetlabs/puppet/hiera.yaml
---
# Hiera 5 Global configuration file

---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Eyaml hierarchy"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
       - "/etc/common.eyaml"
    options:
        pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
        pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"

cat /etc/common.eyaml

 password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAl/+uUACl6WpGAnA1sSqEuTp39SVYfHc7J0BMvC+a2C0YzQg1V]

I'm new to Puppet and this Hiera is confusing me.

2
What are the contents of your common.eyaml? – Matt Schuchard
Just added at the end of the question – user10205566
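An added example, not code from the question or from hiera-eyaml itself, showing what an ENC[PKCS7,...] token in a .eyaml file actually is: a PKCS7 enveloped-data blob (content encrypted under a fresh AES-256-CBC key, that key wrapped to the RSA public key in the certificate), DER-encoded and base64'd. It generates an ephemeral RSA key and self-signed certificate in place of the server's private_key.pkcs7.pem / public_key.pkcs7.pem, so it runs offline; the function names are the script's own. Two things it makes concrete: whoever holds the private key decrypts every token in every data file, so the permissions on the key directory matter more than the ciphertext in Git does; and the decrypted value comes back as an ordinary String, which is why both answers wrap lookup() in Sensitive to keep it out of logs and reports.

```ruby
require 'openssl'
require 'base64'

# Shape of a hiera-eyaml PKCS7 token as written into a .eyaml file.
ENC_TOKEN = /\AENC\[PKCS7,([A-Za-z0-9+\/=]+)\]\z/

# Ephemeral RSA key plus self-signed certificate standing in for the
# private_key.pkcs7.pem / public_key.pkcs7.pem pair the Puppet server holds.
def make_keypair
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)   # distinct serial per cert so PKCS7 recipient matching is unambiguous
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=eyaml-demo')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# PKCS7 enveloped data: AES-256-CBC for the content, the content key wrapped to the
# certificate's RSA public key. DER, then base64, then the ENC[PKCS7,...] wrapper.
def eyaml_encrypt(plaintext, cert)
  p7 = OpenSSL::PKCS7.encrypt([cert], plaintext, OpenSSL::Cipher.new('aes-256-cbc'), OpenSSL::PKCS7::BINARY)
  "ENC[PKCS7,#{Base64.strict_encode64(p7.to_der)}]"
end

# Reverse of the above; needs the private key that belongs to the encrypting certificate.
# The result is a plain String: nothing here is redacted until Puppet wraps it in Sensitive.
def eyaml_decrypt(token, key, cert)
  m = ENC_TOKEN.match(token) or raise ArgumentError, 'not an ENC[PKCS7,...] token'
  OpenSSL::PKCS7.new(Base64.strict_decode64(m[1])).decrypt(key, cert)
end

# True if this key/cert pair can open the token, false on any OpenSSL failure
# (no matching recipient, wrong key, corrupt payload).
def decrypts_with?(token, key, cert)
  eyaml_decrypt(token, key, cert)
  true
rescue OpenSSL::OpenSSLError
  false
end

# Round trip with the right pair, then an attempt with an unrelated pair.
def demo
  key, cert = make_keypair
  token = eyaml_encrypt('Pass', cert)        # constructed secret, mirrors the question's eyaml encrypt step
  wrong_key, wrong_cert = make_keypair
  {
    token: token,
    plaintext: eyaml_decrypt(token, key, cert),
    right_pair: decrypts_with?(token, key, cert),
    wrong_pair: decrypts_with?(token, wrong_key, wrong_cert)
  }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts r[:token][0, 40] + '...'
  puts "decrypts to #{r[:plaintext].inspect}; wrong key works: #{r[:wrong_pair]}"
end
```

Each run produces a different token for the same plaintext because the content key is fresh every time, which is why re-encrypting a value and diffing the data file tells you nothing about whether the secret changed.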

2 Answers

1
votes

For starters, there is a typo in your Hiera config file. The path to the data should be:

paths:
  - "/etc/common.eyaml"

After fixing that, you need to retrieve the value from Hiera. This is performed with the Puppet lookup function. Since you have a single key-value pair here in a single data file, this can be performed with a minimal number of arguments.

dsc_xADUser {'FirstUser':
  dsc_ensure            => 'present',
  dsc_domainname        => 'ad.contoso.com',
  dsc_username          => 'tfl',
  dsc_userprincipalname => '[email protected]',
  dsc_password   => {
    'user'     => '[email protected]',
    'password' => Sensitive('pass')
  },
  dsc_passwordneverexpires => true,
  dsc_domainadministratorcredential => {
    'user'     => '[email protected]',
    'password' => lookup('string'),
  },
}

However, you also really want to redact that password from your logs and reports. You would want to wrap that password String in a Sensitive data type.

'password' => Sensitive(lookup('string')),

You seem to already be doing that for your other password, which is being passed in as the String pass.

A side note to all of this is that Puppet has intrinsic support for lookup retrievals from Vault and Conjur in version 6, so that will become best practice instead of hiera-eyaml soon.

0
votes

Ufff, after much struggling I finally got it working:

cat /etc/puppetlabs/puppet/hiera.yaml
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Eyaml hierarchy"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "windowspass.eyaml"
    options:
        pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
        pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"

Created password:

/opt/puppetlabs/puppet/bin/eyaml encrypt -l 'password' -s 'Pass' --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem

Added it to the /etc/puppetlabs/puppet/data/windowspass.eyaml file:

/opt/puppetlabs/puppet/bin/eyaml edit windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem

cat /etc/puppetlabs/puppet/data/windowspass.eyaml
---
password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAUopetXenh/+DN1+VesIZUI5y4k3kOTn2xa5uBrtGZP3GvGqoWfwAbYsfeNApjeMG+lg93/N/6mE9T59DPh]

Tested decryption:

/opt/puppetlabs/puppet/bin/eyaml decrypt -f windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem

As Matt suggested, I mapped the content of windowspass.eyaml to the manifest file:

'password' => Sensitive(lookup('password'))

Debugging command helped me a lot:

puppet master --debug --compile windows.example.com --environment=production

Thanks everyone, especially to Matt
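The two hiera.yaml files on this page differ in ways that are easy to miss by eye: the first one contains two `---` document markers (a standard Ruby YAML.load returns only the first document, which is empty), its data path is absolute while `datadir: data` is relative to the directory of hiera.yaml, and the pasted ENC[...] tokens are not even valid base64. Below is an added preflight checker, not part of the question, either answer or Puppet itself, written as the kind of thing to run before `puppet master --debug --compile`. It loads a Hiera 5 config, flags multi-document files and a wrong `version`, resolves every `paths` entry against the layer's datadir (substituting `%{trusted.certname}`-style interpolations from a hash you supply), checks that the eyaml key files exist, validates the wrapper and base64 of every ENC[PKCS7,...] value, and reports keys that a manifest will look up but no resolvable data file defines. The three fixtures in `demo` are constructed in a temp directory from the shapes shown on this page; the token in the "good" fixture is constructed base64, not real PKCS7 data, since this tool checks structure and never decrypts.

```ruby
require 'yaml'
require 'base64'
require 'pathname'
require 'tmpdir'

ENC_TOKEN = /\AENC\[PKCS7,([A-Za-z0-9+\/=]+)\]\z/

# Expand %{trusted.certname}-style interpolations from a supplied hash; nil if one is unknown.
def interpolate(path, vars)
  missing = false
  out = path.gsub(/%\{([^}]+)\}/) { vars.fetch(Regexp.last_match(1)) { missing = true; '' } }
  missing ? nil : out
end

# Validate every ENC[...] value in one data file; returns [problems, top-level keys].
def check_data_file(file)
  data = YAML.safe_load(File.read(file)) || {}
  return [["#{file}: top level is not a hash"], []] unless data.is_a?(Hash)
  problems = []
  data.each do |key, value|
    next unless value.is_a?(String) && value.start_with?('ENC[')
    m = ENC_TOKEN.match(value)
    if m.nil?
      problems << "#{file}: '#{key}' is not a well-formed ENC[PKCS7,...] token"
      next
    end
    begin
      Base64.strict_decode64(m[1])   # wrapper check only; decrypting needs the private key
    rescue ArgumentError
      problems << "#{file}: '#{key}' has a truncated or corrupt base64 payload"
    end
  end
  [problems, data.keys]
end

# Preflight a Hiera 5 hiera.yaml. expect_keys: names a manifest will pass to lookup().
def check_hiera_config(config_path, vars = {}, expect_keys = [])
  problems = []
  docs = YAML.load_stream(File.read(config_path))
  problems << "#{config_path}: #{docs.size} YAML documents; a single-document loader sees only the first (#{docs.first.inspect})" if docs.size > 1
  config = docs.first
  return problems << "#{config_path}: top level is not a hash" unless config.is_a?(Hash)
  problems << "#{config_path}: version is #{config['version'].inspect}, expected 5" unless config['version'] == 5
  base = Pathname(config_path).dirname
  default_datadir = base + (config.dig('defaults', 'datadir') || 'data')   # datadir is relative to hiera.yaml
  seen_keys = []
  Array(config['hierarchy']).each do |level|
    datadir = level['datadir'] ? base + level['datadir'] : default_datadir
    if level['lookup_key'] == 'eyaml_lookup_key'
      %w[pkcs7_private_key pkcs7_public_key].each do |opt|
        keyfile = level.dig('options', opt)
        problems << "#{level['name']}: #{opt} #{keyfile.inspect} not found" unless keyfile && File.file?(keyfile)
      end
    end
    Array(level['paths'] || level['path']).each do |raw|
      path = interpolate(raw, vars)
      next if path.nil?              # unknown %{...}: cannot be resolved offline
      full = datadir + path          # Pathname#+ keeps an absolute right-hand side absolute
      unless full.file?
        problems << "#{level['name']}: #{full} does not exist (datadir #{datadir})" unless raw.include?('%{')  # per-node files are optional
        next
      end
      file_problems, keys = check_data_file(full)
      problems.concat(file_problems)
      seen_keys.concat(keys)
    end
  end
  (expect_keys - seen_keys).each { |k| problems << "key '#{k}' is not defined in any resolvable data file" }
  problems
end

def write_fixture(dir, hiera_yaml, data = {})
  File.write(File.join(dir, 'hiera.yaml'), hiera_yaml)
  data.each do |rel, content|
    full = File.join(dir, rel)
    Dir.mkdir(File.dirname(full)) unless Dir.exist?(File.dirname(full))
    File.write(full, content)
  end
  File.join(dir, 'hiera.yaml')
end

# Constructed fixtures: the question's config shape, the working answer's shape,
# and the working shape with a truncated token such as a bad paste would produce.
def demo
  Dir.mktmpdir do |dir|
    keys = File.join(dir, 'keys')
    Dir.mkdir(keys)
    %w[private_key.pkcs7.pem public_key.pkcs7.pem].each { |k| File.write(File.join(keys, k), "placeholder\n") }
    level = "version: 5\ndefaults:\n  datadir: data\nhierarchy:\n  - name: \"Eyaml hierarchy\"\n" \
            "    lookup_key: eyaml_lookup_key\n    options:\n" \
            "      pkcs7_private_key: \"#{keys}/private_key.pkcs7.pem\"\n      pkcs7_public_key: \"#{keys}/public_key.pkcs7.pem\"\n"
    vars = { 'trusted.certname' => 'windows.example.com' }
    question = write_fixture(dir, "---\n# Hiera 5 Global configuration file\n\n---\n#{level}    paths:\n       - \"/etc/common.eyaml\"\n")
    q = check_hiera_config(question, vars, ['password'])
    good = "ENC[PKCS7,#{Base64.strict_encode64('constructed, not real PKCS7 DER')}]"
    answer = write_fixture(dir, "---\n#{level}    paths:\n      - \"nodes/%{trusted.certname}.yaml\"\n      - \"windowspass.eyaml\"\n",
                           'data/windowspass.eyaml' => "---\npassword: #{good}\n")
    a = check_hiera_config(answer, vars, ['password'])
    File.write(File.join(dir, 'data/windowspass.eyaml'), "---\npassword: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxg]\n")
    t = check_hiera_config(answer, vars, ['password'])
    { question: q, answer: a, truncated: t }
  end
end

demo.each { |name, problems| puts "#{name}: #{problems.empty? ? 'ok' : problems.join('; ')}" } if __FILE__ == $PROGRAM_NAME
```

Point it at a real server with `check_hiera_config('/etc/puppetlabs/puppet/hiera.yaml', { 'trusted.certname' => 'windows.example.com' }, ['password'])`; a missing key file or an unresolvable path shows up here without a catalog compile, and the base64 check catches tokens damaged in transit between `eyaml encrypt` output and the data file.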