hiera-eyaml 2.1.0 → 3.2.1
- checksums.yaml +5 -5
- data/.github/workflows/release.yml +24 -0
- data/.github/workflows/test.yml +31 -0
- data/.gitignore +8 -0
- data/CHANGELOG.md +185 -0
- data/Gemfile +3 -4
- data/{CHANGES.md → HISTORY.md} +9 -15
- data/README.md +205 -29
- data/Rakefile +13 -0
- data/hiera-eyaml.gemspec +3 -3
- data/lib/hiera/backend/eyaml.rb +1 -1
- data/lib/hiera/backend/eyaml/CLI.rb +4 -8
- data/lib/hiera/backend/eyaml/encryptor.rb +3 -4
- data/lib/hiera/backend/eyaml/encryptors/pkcs7.rb +51 -10
- data/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb +45 -7
- data/lib/hiera/backend/eyaml/subcommand.rb +15 -8
- data/lib/hiera/backend/eyaml/subcommands/decrypt.rb +10 -3
- data/lib/hiera/backend/eyaml/subcommands/edit.rb +23 -10
- data/lib/hiera/backend/eyaml/subcommands/encrypt.rb +6 -6
- data/lib/hiera/backend/eyaml/subcommands/recrypt.rb +9 -3
- data/lib/hiera/backend/eyaml/utils.rb +10 -1
- data/lib/hiera/backend/eyaml_backend.rb +27 -7
- data/tools/regem.sh +1 -1
- metadata +17 -16
- data/.travis.yml +0 -30
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: 67081f4016df05d739c387a5565632e3af0afa51367b505f3552b6c008a47c93
|
4
|
+
data.tar.gz: 573dfd56dc711d1b4722a67fc42a558c50eb38f43d56d3fccb79fe0d21d2a766
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 40e0c1fa73fe82f1b563580d0b4cdf26f402e1c9ee4d7c0b023ed9ad1941ced96f60dbb6e26fbefe3dce99a0b1c0e2816efbec09263b57c9ff5589d727353434
|
7
|
+
data.tar.gz: 86313762de24804bde617a78f865f3686e1d5ef0f011b4e5e786f0ec7401c9caac0702fb67ca332ab107b6f81dc0c674bea9ff268bab7f985c582a8ad21c0ad9
|
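Review bot: the removed `metadata.gz:` and `data.tar.gz:` lines under both `SHA256:` and `SHA512:` render with empty values, so this hunk does not let a reader confirm what 2.1.0 shipped with, only what 3.2.1 claims. Before treating the `+` digests as authoritative, fetch the gem independently (`gem fetch hiera-eyaml -v 3.2.1`), unpack the `.gem` tarball, and compare `sha256sum`/`sha512sum` of its `metadata.gz` and `data.tar.gz` against the values shown here; a mismatch means the artefact and this checksums.yaml were not produced from the same build.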
@@ -0,0 +1,24 @@
|
|
1
|
+
name: Release
|
2
|
+
|
3
|
+
on:
|
4
|
+
create:
|
5
|
+
ref_type: tag
|
6
|
+
|
7
|
+
jobs:
|
8
|
+
release:
|
9
|
+
runs-on: ubuntu-latest
|
10
|
+
if: github.repository == 'voxpupuli/hiera-eyaml'
|
11
|
+
env:
|
12
|
+
BUNDLE_WITHOUT: release
|
13
|
+
steps:
|
14
|
+
- uses: actions/checkout@v2
|
15
|
+
- name: Install Ruby 2.7
|
16
|
+
uses: ruby/setup-ruby@v1
|
17
|
+
with:
|
18
|
+
ruby-version: '2.7'
|
19
|
+
- name: Build gem
|
20
|
+
run: gem build *.gemspec
|
21
|
+
- name: Publish gem
|
22
|
+
run: gem push *.gem
|
23
|
+
env:
|
24
|
+
GEM_HOST_API_KEY: '${{ secrets.RUBYGEMS_AUTH_TOKEN }}'
|
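Review bot: the trigger block (`on:` / `create:` / `ref_type: tag`) does not do what it appears to: the `create` event accepts no activity types or filters, so `ref_type: tag` is either rejected at validation or ignored, and the job would then run for branch creation as well. Guard the publish step with a job-level condition such as `if: github.repository == 'voxpupuli/hiera-eyaml' && startsWith(github.ref, 'refs/tags/')`, or switch to `on: push: tags:`. Separately, `actions/checkout@v2` and `ruby/setup-ruby@v1` are referenced by mutable major-version tags; for a job that holds `RUBYGEMS_AUTH_TOKEN` and runs `gem push *.gem`, pin both to full commit SHAs and consider a protected environment so that creating a tag alone is not sufficient to publish to RubyGems.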
@@ -0,0 +1,31 @@
|
|
1
|
+
name: Test
|
2
|
+
|
3
|
+
on:
|
4
|
+
- pull_request
|
5
|
+
- push
|
6
|
+
|
7
|
+
jobs:
|
8
|
+
test:
|
9
|
+
runs-on: ubuntu-latest
|
10
|
+
strategy:
|
11
|
+
fail-fast: false
|
12
|
+
matrix:
|
13
|
+
ruby:
|
14
|
+
- "2.5"
|
15
|
+
- "2.6"
|
16
|
+
- "2.7"
|
17
|
+
env:
|
18
|
+
BUNDLE_WITHOUT: release
|
19
|
+
PUPPET_VERSION: "~> 6.0"
|
20
|
+
name: Ruby ${{ matrix.ruby }}
|
21
|
+
steps:
|
22
|
+
- uses: actions/checkout@v2
|
23
|
+
- name: Install expect
|
24
|
+
run: sudo apt-get install expect
|
25
|
+
- name: Install Ruby ${{ matrix.ruby }}
|
26
|
+
uses: ruby/setup-ruby@v1
|
27
|
+
with:
|
28
|
+
ruby-version: ${{ matrix.ruby }}
|
29
|
+
bundler-cache: true
|
30
|
+
- name: Run tests
|
31
|
+
run: bundle exec cucumber -f progress
|
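Review bot: `run: sudo apt-get install expect` runs with neither `apt-get update` nor `-y`, so it depends on the runner image's package index being fresh and on apt not asking for confirmation; `sudo apt-get update && sudo apt-get install -y expect` is the robust form. The matrix also fixes `PUPPET_VERSION: "~> 6.0"` for all of Ruby 2.5, 2.6 and 2.7, while the Gemfile in this same release defaults to `gem "puppet", ENV['PUPPET_VERSION'] || '>= 7'`; as written, CI never exercises the Puppet 7 default, so either add a Puppet 7 entry to the matrix or align the default with what is tested.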
data/.gitignore
CHANGED
data/CHANGELOG.md
ADDED
@@ -0,0 +1,185 @@
|
|
1
|
+
# Changelog
|
2
|
+
|
3
|
+
All notable changes to this project will be documented in this file.
|
4
|
+
|
5
|
+
## [v3.2.1](https://github.com/voxpupuli/hiera-eyaml/tree/v3.2.1) (2021-02-16)
|
6
|
+
|
7
|
+
[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.2.0...v3.2.1)
|
8
|
+
|
9
|
+
**Fixed bugs:**
|
10
|
+
|
11
|
+
- remove question mark from regex in encrypted? method [\#313](https://github.com/voxpupuli/hiera-eyaml/pull/313) ([mcka1n](https://github.com/mcka1n))
|
12
|
+
- Fix block folding [\#307](https://github.com/voxpupuli/hiera-eyaml/pull/307) ([kenyon](https://github.com/kenyon))
|
13
|
+
- add step-by-step how-to encrypting multiline values [\#304](https://github.com/voxpupuli/hiera-eyaml/pull/304) ([kBite](https://github.com/kBite))
|
14
|
+
|
15
|
+
**Closed issues:**
|
16
|
+
|
17
|
+
- eyaml edit should produce evenly folded blocks. [\#281](https://github.com/voxpupuli/hiera-eyaml/issues/281)
|
18
|
+
- Support version 4 hiera config [\#213](https://github.com/voxpupuli/hiera-eyaml/issues/213)
|
19
|
+
|
20
|
+
**Merged pull requests:**
|
21
|
+
|
22
|
+
- migrate CI to github actions [\#315](https://github.com/voxpupuli/hiera-eyaml/pull/315) ([bastelfreak](https://github.com/bastelfreak))
|
23
|
+
- gemspec: fix repo url / Drop Puppet 4/5 tests [\#311](https://github.com/voxpupuli/hiera-eyaml/pull/311) ([bastelfreak](https://github.com/bastelfreak))
|
24
|
+
- Unpin highline [\#310](https://github.com/voxpupuli/hiera-eyaml/pull/310) ([lucywyman](https://github.com/lucywyman))
|
25
|
+
|
26
|
+
## [v3.2.0](https://github.com/voxpupuli/hiera-eyaml/tree/v3.2.0) (2020-01-31)
|
27
|
+
|
28
|
+
[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.1.1...v3.2.0)
|
29
|
+
|
30
|
+
**Implemented enhancements:**
|
31
|
+
|
32
|
+
- Permit reading private key from environment variable [\#294](https://github.com/voxpupuli/hiera-eyaml/pull/294) ([nferch](https://github.com/nferch))
|
33
|
+
|
34
|
+
**Fixed bugs:**
|
35
|
+
|
36
|
+
- Version 3.1.0 does not clear the private/public key when options are changed [\#289](https://github.com/voxpupuli/hiera-eyaml/issues/289)
|
37
|
+
|
38
|
+
**Merged pull requests:**
|
39
|
+
|
40
|
+
- \(doc\) Correct order for config file precedence [\#295](https://github.com/voxpupuli/hiera-eyaml/pull/295) ([crayfishx](https://github.com/crayfishx))
|
41
|
+
- \(maint\) Update Gemfile and README for Ruby 2.5/2.4 [\#293](https://github.com/voxpupuli/hiera-eyaml/pull/293) ([glennsarti](https://github.com/glennsarti))
|
42
|
+
|
43
|
+
## [v3.1.1](https://github.com/voxpupuli/hiera-eyaml/tree/v3.1.1) (2019-11-12)
|
44
|
+
|
45
|
+
[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.1.0...v3.1.1)
|
46
|
+
|
47
|
+
**Merged pull requests:**
|
48
|
+
|
49
|
+
- Revert "Cache key strings." [\#290](https://github.com/voxpupuli/hiera-eyaml/pull/290) ([alexjfisher](https://github.com/alexjfisher))
|
50
|
+
|
51
|
+
## [v3.1.0](https://github.com/voxpupuli/hiera-eyaml/tree/v3.1.0) (2019-11-11)
|
52
|
+
|
53
|
+
[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.0.0...v3.1.0)
|
54
|
+
|
55
|
+
**Implemented enhancements:**
|
56
|
+
|
57
|
+
- Should be able to `edit` a new file [\#84](https://github.com/voxpupuli/hiera-eyaml/issues/84)
|
58
|
+
- Cache key strings. [\#191](https://github.com/voxpupuli/hiera-eyaml/pull/191) ([mkulke](https://github.com/mkulke))
|
59
|
+
|
60
|
+
**Closed issues:**
|
61
|
+
|
62
|
+
- Decryption errors should return error code. [\#282](https://github.com/voxpupuli/hiera-eyaml/issues/282)
|
63
|
+
- Release a new version [\#271](https://github.com/voxpupuli/hiera-eyaml/issues/271)
|
64
|
+
|
65
|
+
**Merged pull requests:**
|
66
|
+
|
67
|
+
- \(docs\) Update README with reference to hiera-eyaml-vault [\#287](https://github.com/voxpupuli/hiera-eyaml/pull/287) ([crayfishx](https://github.com/crayfishx))
|
68
|
+
- fix: don't handle cli exceptions early [\#283](https://github.com/voxpupuli/hiera-eyaml/pull/283) ([stuart-warren](https://github.com/stuart-warren))
|
69
|
+
- Adding doc for Google KMS plugin [\#279](https://github.com/voxpupuli/hiera-eyaml/pull/279) ([craigwatson](https://github.com/craigwatson))
|
70
|
+
- catch failed decryption and print a helpful message [\#144](https://github.com/voxpupuli/hiera-eyaml/pull/144) ([GeoffWilliams](https://github.com/GeoffWilliams))
|
71
|
+
|
72
|
+
## [v3.0.0](https://github.com/voxpupuli/hiera-eyaml/tree/v3.0.0) (2019-01-17)
|
73
|
+
|
74
|
+
[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v2.1.0...v3.0.0)
|
75
|
+
|
76
|
+
This is the first release after this project was migrated to Vox Pupuli.
|
77
|
+
|
78
|
+
**Breaking changes:**
|
79
|
+
|
80
|
+
- Upgrading trollop to optimist to remove deprecation warnings [\#268](https://github.com/voxpupuli/hiera-eyaml/pull/268) ([chadlyon](https://github.com/chadlyon))
|
81
|
+
|
82
|
+
**Implemented enhancements:**
|
83
|
+
|
84
|
+
- Don't use SHA1 for the digest [\#257](https://github.com/voxpupuli/hiera-eyaml/issues/257)
|
85
|
+
- Update to make use of Backend.datasourcefiles\(\) [\#92](https://github.com/voxpupuli/hiera-eyaml/issues/92)
|
86
|
+
- allow setting an individual keysize [\#227](https://github.com/voxpupuli/hiera-eyaml/pull/227) ([tuxmea](https://github.com/tuxmea))
|
87
|
+
|
88
|
+
**Fixed bugs:**
|
89
|
+
|
90
|
+
- on OSX, eyaml isn't expanding `~` into /Users/$USER [\#170](https://github.com/voxpupuli/hiera-eyaml/issues/170)
|
91
|
+
- Performance bug: unnecessary double-decryption of blocks [\#182](https://github.com/voxpupuli/hiera-eyaml/pull/182) ([peculater](https://github.com/peculater))
|
92
|
+
|
93
|
+
**Closed issues:**
|
94
|
+
|
95
|
+
- PuppetDB gets base64 encoded string on exported ressources [\#273](https://github.com/voxpupuli/hiera-eyaml/issues/273)
|
96
|
+
- DEPRECATION - trollop gem is deprecated, need to switch to optimist [\#267](https://github.com/voxpupuli/hiera-eyaml/issues/267)
|
97
|
+
- Puppet can't find key on server [\#266](https://github.com/voxpupuli/hiera-eyaml/issues/266)
|
98
|
+
- Re-encryption is broken [\#258](https://github.com/voxpupuli/hiera-eyaml/issues/258)
|
99
|
+
- AWS KMS/IAM integration? [\#234](https://github.com/voxpupuli/hiera-eyaml/issues/234)
|
100
|
+
- Feature Request: Ability to use edit without the private key [\#231](https://github.com/voxpupuli/hiera-eyaml/issues/231)
|
101
|
+
- Not decrypting/working with puppetserver 2.7.2 \(Function lookup\(\) did not find a value for the name\) [\#228](https://github.com/voxpupuli/hiera-eyaml/issues/228)
|
102
|
+
- Allow stronger than 2048 bit keys [\#226](https://github.com/voxpupuli/hiera-eyaml/issues/226)
|
103
|
+
- failed: DataBinding 'hiera': No such file or directory - /var/lib/puppet/keys/private\_key.pkcs7.pem [\#225](https://github.com/voxpupuli/hiera-eyaml/issues/225)
|
104
|
+
- Migrate to Vox Pupuli [\#224](https://github.com/voxpupuli/hiera-eyaml/issues/224)
|
105
|
+
- Allow to `decrypt` while keeping the "DEC::..." [\#217](https://github.com/voxpupuli/hiera-eyaml/issues/217)
|
106
|
+
- secret in the logs [\#216](https://github.com/voxpupuli/hiera-eyaml/issues/216)
|
107
|
+
- eyaml produces base64 string for complex data [\#209](https://github.com/voxpupuli/hiera-eyaml/issues/209)
|
108
|
+
- Hiera-eyaml cannot decrypt with key, plain gpg works [\#206](https://github.com/voxpupuli/hiera-eyaml/issues/206)
|
109
|
+
- Unable to decrypt on remote nodes [\#202](https://github.com/voxpupuli/hiera-eyaml/issues/202)
|
110
|
+
- Backend not found in tests [\#200](https://github.com/voxpupuli/hiera-eyaml/issues/200)
|
111
|
+
- ArgumentError [\#193](https://github.com/voxpupuli/hiera-eyaml/issues/193)
|
112
|
+
- High CPU consumption [\#192](https://github.com/voxpupuli/hiera-eyaml/issues/192)
|
113
|
+
- hiera call from manifeast not able to locate key [\#174](https://github.com/voxpupuli/hiera-eyaml/issues/174)
|
114
|
+
- PE 3.8 - sporadically failing to load eyaml backend. [\#173](https://github.com/voxpupuli/hiera-eyaml/issues/173)
|
115
|
+
- eyaml and templates [\#171](https://github.com/voxpupuli/hiera-eyaml/issues/171)
|
116
|
+
- cucumber failures with puppet 3.7.5 [\#154](https://github.com/voxpupuli/hiera-eyaml/issues/154)
|
117
|
+
- issue with jruby under PE 3.7 [\#150](https://github.com/voxpupuli/hiera-eyaml/issues/150)
|
118
|
+
- hiera eyaml does not work on PE 3.7.2 [\#126](https://github.com/voxpupuli/hiera-eyaml/issues/126)
|
119
|
+
- invalid byte sequence in UTF-8 on encrypted binary [\#124](https://github.com/voxpupuli/hiera-eyaml/issues/124)
|
120
|
+
- having an issue when loding hiera-eyaml [\#117](https://github.com/voxpupuli/hiera-eyaml/issues/117)
|
121
|
+
- Puppet hiera\(\): Cannot load backend eyaml: no such file to load [\#115](https://github.com/voxpupuli/hiera-eyaml/issues/115)
|
122
|
+
- Public/private keys undefined for Vagrant [\#101](https://github.com/voxpupuli/hiera-eyaml/issues/101)
|
123
|
+
- bug in hiera 1.3.2-1 vs rubygem-hiera 1.3.2-1 [\#85](https://github.com/voxpupuli/hiera-eyaml/issues/85)
|
124
|
+
- Errors of yaml and no eyaml files exist. Fine if just eyaml files exist. [\#82](https://github.com/voxpupuli/hiera-eyaml/issues/82)
|
125
|
+
|
126
|
+
**Merged pull requests:**
|
127
|
+
|
128
|
+
- Use UTF-8 as the encoding for plain text data [\#274](https://github.com/voxpupuli/hiera-eyaml/pull/274) ([jarretlavallee](https://github.com/jarretlavallee))
|
129
|
+
- Fix regem.sh shebang, it does not need bash [\#265](https://github.com/voxpupuli/hiera-eyaml/pull/265) ([AMDmi3](https://github.com/AMDmi3))
|
130
|
+
- Allow selection of digest, default to SHA256 [\#261](https://github.com/voxpupuli/hiera-eyaml/pull/261) ([juniorsysadmin](https://github.com/juniorsysadmin))
|
131
|
+
- expand README on whole-file encryption usage [\#260](https://github.com/voxpupuli/hiera-eyaml/pull/260) ([jflorian](https://github.com/jflorian))
|
132
|
+
- Add encrypt-only flag for 'edit' command. [\#256](https://github.com/voxpupuli/hiera-eyaml/pull/256) ([benjunmun](https://github.com/benjunmun))
|
133
|
+
- Test only with current Puppet and Ruby combination [\#254](https://github.com/voxpupuli/hiera-eyaml/pull/254) ([vinzent](https://github.com/vinzent))
|
134
|
+
- Update \#{self.prefix} to match yamllint rules [\#248](https://github.com/voxpupuli/hiera-eyaml/pull/248) ([jordanconway](https://github.com/jordanconway))
|
135
|
+
- Fix badge, link to AWS KMS/IAM integration [\#245](https://github.com/voxpupuli/hiera-eyaml/pull/245) ([rnelson0](https://github.com/rnelson0))
|
136
|
+
- Remove tildes that don't expand from configuration examples [\#242](https://github.com/voxpupuli/hiera-eyaml/pull/242) ([rnelson0](https://github.com/rnelson0))
|
137
|
+
- Disable deprecation warnings [\#241](https://github.com/voxpupuli/hiera-eyaml/pull/241) ([rnelson0](https://github.com/rnelson0))
|
138
|
+
- Add a cache for decrypted values [\#240](https://github.com/voxpupuli/hiera-eyaml/pull/240) ([stlava](https://github.com/stlava))
|
139
|
+
- Suppressing logging of configuration files on init [\#237](https://github.com/voxpupuli/hiera-eyaml/pull/237) ([sigv](https://github.com/sigv))
|
140
|
+
- Update the keys' example directory [\#236](https://github.com/voxpupuli/hiera-eyaml/pull/236) ([sigv](https://github.com/sigv))
|
141
|
+
- Modify edit command to not recrypt unchanged values [\#233](https://github.com/voxpupuli/hiera-eyaml/pull/233) ([ccojocar](https://github.com/ccojocar))
|
142
|
+
- Modify recrypt command to allow recrypting file with different encryp… [\#232](https://github.com/voxpupuli/hiera-eyaml/pull/232) ([ccojocar](https://github.com/ccojocar))
|
143
|
+
- \(docs\) Update README with instructions for using Hiera 5 [\#229](https://github.com/voxpupuli/hiera-eyaml/pull/229) ([nfagerlund](https://github.com/nfagerlund))
|
144
|
+
- Attempt to resolve Travis CI issues [\#220](https://github.com/voxpupuli/hiera-eyaml/pull/220) ([rnelson0](https://github.com/rnelson0))
|
145
|
+
- Make it clear that the ID and parens must be deleted, not just the ID [\#188](https://github.com/voxpupuli/hiera-eyaml/pull/188) ([sdotz](https://github.com/sdotz))
|
146
|
+
- Refactor highline import [\#187](https://github.com/voxpupuli/hiera-eyaml/pull/187) ([petems](https://github.com/petems))
|
147
|
+
- Adding hiera-eyaml-kms plugin to readme file [\#184](https://github.com/voxpupuli/hiera-eyaml/pull/184) ([adenot](https://github.com/adenot))
|
148
|
+
- Make output of `eyaml decrypt` valid yaml with multiline values. [\#183](https://github.com/voxpupuli/hiera-eyaml/pull/183) ([peculater](https://github.com/peculater))
|
149
|
+
- Add testing support for puppet 4 [\#181](https://github.com/voxpupuli/hiera-eyaml/pull/181) ([peculater](https://github.com/peculater))
|
150
|
+
|
151
|
+
## v2.1.0 (2016-03-02)
|
152
|
+
|
153
|
+
- (#187) - Change the way third party highline library is imported to avoid memory leak when running under puppet server (@petems)
|
154
|
+
- (#181) - Improve test suite to run against a variety of puppet versions (@peculater)
|
155
|
+
|
156
|
+
## v2.0.8 (2015-04-15)
|
157
|
+
|
158
|
+
- (#149) - Fix to tempfile permissions and invalid editor scenario (@elyscape)
|
159
|
+
|
160
|
+
## v2.0.7 (2015-03-04)
|
161
|
+
|
162
|
+
- (#142) - Fixed highline dependency to exclude newer versions that are not compatible with ruby 1.8.7 (@elyscape)
|
163
|
+
- (#136) - \t and \r characters are now supported in encrypted blocks (@elyscape)
|
164
|
+
- (#138) - Added missing tags and new tagging tool (@elyscape)
|
165
|
+
|
166
|
+
## v2.0.6 (2014-12-13)
|
167
|
+
|
168
|
+
- (#131) - Fix another EDITOR bug (#130) that could erase command line flags to the specified editor (@elyscape)
|
169
|
+
|
170
|
+
## v2.0.5 (2014-12-11)
|
171
|
+
|
172
|
+
- (#128) - Fix a bug (#127) that caused `eyaml edit` to break when `$EDITOR` was a command on PATH rather than a path to a command (@elyscape)
|
173
|
+
|
174
|
+
## v2.0.4 (2014-11-24)
|
175
|
+
|
176
|
+
- Add change log
|
177
|
+
- (#118) - Some initial support for spaces in filenames (primarily targeted at windows platforms) (@elyscape)
|
178
|
+
- (#114) - Add new config file resolution so that a system wide /etc/eyaml/config.yaml is processed first (@gtmtech)
|
179
|
+
- (#112) - Improve debugging options and colorise output (@gtmtech)
|
180
|
+
- (#102) - Extension of temp files should be yaml to help editors provide syntax highlighting (@ColinHebert)
|
181
|
+
- (#90), #121, #122 - Add preamble in edit mode to make it easier to remember how to edit (@sihil)
|
182
|
+
- (#96), #111, #116 - Various updates to docs
|
183
|
+
|
184
|
+
|
185
|
+
\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*
|
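Review bot: the `## v2.1.0` through `## v2.0.4` sections at the bottom of this generated file duplicate the hand-written entries of HISTORY.md (renamed from CHANGES.md in this same release), so the project now carries two copies of the same history that will drift; keep the v2.x entries in one file and have the other link to it. For an operator upgrading from 2.1.0, the `## v3.0.0` section is the one that matters, and it lists only `Upgrading trollop to optimist` under **Breaking changes:** while `Allow selection of digest, default to SHA256` (#261) and `Use UTF-8 as the encoding for plain text data` (#274) appear only under **Merged pull requests:**; both change defaults and should be called out where upgrade readers will look, so they can check their key-generation and encoding assumptions.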
data/Gemfile
CHANGED
@@ -7,12 +7,11 @@ group :development do
|
|
7
7
|
gem "cucumber", '~> 1.1'
|
8
8
|
gem "rspec-expectations", '~> 3.1.0'
|
9
9
|
gem "hiera-eyaml-plaintext"
|
10
|
-
gem "puppet", ENV['PUPPET_VERSION'] || '
|
10
|
+
gem "puppet", ENV['PUPPET_VERSION'] || '>= 7'
|
11
|
+
gem 'github_changelog_generator', :require => false, :git => 'https://github.com/voxpupuli/github-changelog-generator', :branch => 'voxpupuli_essential_fixes'
|
12
|
+
gem "activesupport"
|
11
13
|
end
|
12
14
|
|
13
15
|
group :test do
|
14
16
|
gem "rake"
|
15
17
|
end
|
16
|
-
|
17
|
-
|
18
|
-
|
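Review bot: `gem 'github_changelog_generator', :require => false, :git => 'https://github.com/voxpupuli/github-changelog-generator', :branch => 'voxpupuli_essential_fixes'` tracks a mutable branch of a fork, so each `bundle install` in the development group resolves to whatever that branch points at on that day; pin it with `:ref => '<commit sha>'` and let Gemfile.lock record the commit so the dependency is reproducible and reviewable. `gem "activesupport"` is likewise added with no version constraint; a pessimistic (`~>`) bound on the major version avoids silently pulling a release the changelog generator was never run against.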
data/{CHANGES.md → HISTORY.md}
RENAMED
@@ -1,30 +1,27 @@
|
|
1
|
-
|
2
|
-
==========================
|
1
|
+
## v2.1.0 (2016-03-02)
|
3
2
|
|
4
|
-
|
5
|
-
|
3
|
+
- (#187) - Change the way third party highline library is imported to avoid memory leak when running under puppet server (@petems)
|
4
|
+
- (#181) - Improve test suite to run against a variety of puppet versions (@peculater)
|
5
|
+
|
6
|
+
## v2.0.8 (2015-04-15)
|
6
7
|
|
7
8
|
- (#149) - Fix to tempfile permissions and invalid editor scenario (@elyscape)
|
8
9
|
|
9
|
-
|
10
|
-
-----
|
10
|
+
## v2.0.7 (2015-03-04)
|
11
11
|
|
12
12
|
- (#142) - Fixed highline dependency to exclude newer versions that are not compatible with ruby 1.8.7 (@elyscape)
|
13
13
|
- (#136) - \t and \r characters are now supported in encrypted blocks (@elyscape)
|
14
14
|
- (#138) - Added missing tags and new tagging tool (@elyscape)
|
15
15
|
|
16
|
-
|
17
|
-
-----
|
16
|
+
## v2.0.6 (2014-12-13)
|
18
17
|
|
19
18
|
- (#131) - Fix another EDITOR bug (#130) that could erase command line flags to the specified editor (@elyscape)
|
20
19
|
|
21
|
-
|
22
|
-
-----
|
20
|
+
## v2.0.5 (2014-12-11)
|
23
21
|
|
24
22
|
- (#128) - Fix a bug (#127) that caused `eyaml edit` to break when `$EDITOR` was a command on PATH rather than a path to a command (@elyscape)
|
25
23
|
|
26
|
-
|
27
|
-
-----
|
24
|
+
## v2.0.4 (2014-11-24)
|
28
25
|
|
29
26
|
- Add change log
|
30
27
|
- (#118) - Some initial support for spaces in filenames (primarily targeted at windows platforms) (@elyscape)
|
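Review bot: the two removed lines at the top of the file (one rendered empty here, the other `==========================`) were the file's only top-level heading, and the second hunk's context header `Change log for hiera-eyaml` shows what that title was. After the rename to HISTORY.md the file opens directly with `## v2.1.0 (2016-03-02)`; add a single `#` heading that states this is the pre-Vox-Pupuli history and that CHANGELOG.md is the maintained file from v3.0.0 onwards.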
@@ -33,6 +30,3 @@ Change log for hiera-eyaml
|
|
33
30
|
- (#102) - Extension of temp files should be yaml to help editors provide syntax highlighting (@ColinHebert)
|
34
31
|
- (#90), #121, #122 - Add preamble in edit mode to make it easier to remember how to edit (@sihil)
|
35
32
|
- (#96), #111, #116 - Various updates to docs
|
36
|
-
|
37
|
-
2.0.3
|
38
|
-
-----
|
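Review bot: dropping the trailing `2.0.3` heading and its `-----` underline loses nothing, since no entries were listed beneath it, but the file now simply stops after the v2.0.4 bullets; a closing line pointing readers who arrive via the old CHANGES.md name to CHANGELOG.md for v3.x releases would make the split between the two files explicit.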
data/README.md
CHANGED
@@ -1,18 +1,25 @@
|
|
1
1
|
Hiera eyaml
|
2
2
|
===========
|
3
3
|
|
4
|
-
[![Build Status](https://travis-ci.org/
|
4
|
+
[![Build Status](https://travis-ci.org/voxpupuli/hiera-eyaml.png?branch=master)](https://travis-ci.org/voxpupuli/hiera-eyaml)
|
5
|
+
[![Gem Version](https://img.shields.io/gem/v/hiera-eyaml.svg)](https://rubygems.org/gems/hiera-eyaml)
|
6
|
+
[![Gem Downloads](https://img.shields.io/gem/dt/hiera-eyaml.svg)](https://rubygems.org/gems/hiera-eyaml)
|
5
7
|
|
6
|
-
hiera-eyaml is a backend for Hiera that provides per-value encryption of sensitive data within yaml files
|
8
|
+
hiera-eyaml is a backend for Hiera that provides per-value encryption of sensitive data within yaml files
|
7
9
|
to be used by Puppet.
|
8
10
|
|
9
|
-
|
11
|
+
-------------------------
|
12
|
+
:new: **hiera-eyaml is now part of voxpupuli**
|
13
|
+
|
14
|
+
hiera-eyaml has a new home https://github.com/voxpupuli/hiera-eyaml.
|
15
|
+
|
16
|
+
Hopefully this will mean more frequent feature updates and bug fixes!
|
10
17
|
|
11
18
|
Advantages over hiera-gpg
|
12
19
|
-------------------------
|
13
20
|
|
14
|
-
A few people found that [hiera-gpg](https://github.com/crayfishx/hiera-gpg) just wasn't cutting it for all use cases,
|
15
|
-
one of the best expressed frustrations was
|
21
|
+
A few people found that [hiera-gpg](https://github.com/crayfishx/hiera-gpg) just wasn't cutting it for all use cases,
|
22
|
+
one of the best expressed frustrations was
|
16
23
|
[written back in June 2013](http://slashdevslashrandom.wordpress.com/2013/06/03/my-griefs-with-hiera-gpg/). So
|
17
24
|
[Tom created an initial version](http://themettlemonkey.wordpress.com/2013/07/15/hiera-eyaml-per-value-encrypted-backend-for-hiera-and-puppet/)
|
18
25
|
and this was refined into an elegant solution over the following months.
|
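Review bot: the rewritten Build Status badge still points at `travis-ci.org/voxpupuli/hiera-eyaml`, yet this same release deletes `.travis.yml` and adds `.github/workflows/test.yml`, so the badge will show a stale or missing build; replace it with the GitHub Actions badge for the `Test` workflow. The `:new: **hiera-eyaml is now part of voxpupuli**` banner would also benefit from a date, since an undated "now" notice in a README ages badly.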
@@ -21,14 +28,14 @@ Unlike `hiera-gpg`, `hiera-eyaml`:
|
|
21
28
|
|
22
29
|
- only encrypts the values (which allows files to be swiftly reviewed without decryption)
|
23
30
|
- encrypts the value of each key individually (this means that `git diff` is meaningful)
|
24
|
-
- includes a command line tool for encrypting, decrypting, editing and rotating keys (makes it almost as
|
31
|
+
- includes a command line tool for encrypting, decrypting, editing and rotating keys (makes it almost as
|
25
32
|
easy as using clear text files)
|
26
|
-
- uses basic asymmetric encryption (PKCS#7) by default (doesn't require any native libraries that need to
|
33
|
+
- uses basic asymmetric encryption (PKCS#7) by default (doesn't require any native libraries that need to
|
27
34
|
be compiled & allows users without the private key to encrypt values that the puppet master can decrypt)
|
28
|
-
- has a pluggable encryption framework (e.g. GPG encryption ([hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg)) can be used
|
35
|
+
- has a pluggable encryption framework (e.g. GPG encryption ([hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg)) can be used
|
29
36
|
if you have the need for multiple keys and easier key rotation)
|
30
37
|
|
31
|
-
The Hiera eyaml backend uses yaml formatted files with the .eyaml extension. The encrypted strings are prefixed with the encryption
|
38
|
+
The Hiera eyaml backend uses yaml formatted files with the .eyaml extension. The encrypted strings are prefixed with the encryption
|
32
39
|
method, wrapped with ENC[] and placed in an eyaml file. You can mix your plain values in as well or separate them into different files.
|
33
40
|
Encrypted values can occur within arrays, hashes, nested arrays and nested hashes.
|
34
41
|
|
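Review bot: each changed line in this hunk is identical to the line it replaces except for trailing whitespace, so the hunk is pure cleanup; keeping whitespace fixes in a separate commit from wording changes makes README diffs auditable, which matters for these particular bullets because they describe the security model (per-value PKCS#7 encryption, clients encrypting with only the public key).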
@@ -75,17 +82,22 @@ This creates a public and private key with default names in the default location
|
|
75
82
|
|
76
83
|
Since the point of using this module is to securely store sensitive information, it's important to store these keys securely.
|
77
84
|
If using Hiera with Puppet, Your puppetmaster will need to access these keys to perform decryption when the puppet agent runs on a remote node.
|
78
|
-
So for this reason, a suggested location might be to store them in `/etc/puppet/
|
85
|
+
So for this reason, a suggested location might be to store them in `/etc/puppetlabs/puppet/eyaml` or `/var/lib/puppet/keys` depending on your setup.
|
79
86
|
|
80
87
|
The permissions for this folder should allow the puppet user (normally 'puppet') execute access to the keys directory, read only access to the keys themselves and restrict everyone else:
|
81
88
|
|
82
|
-
$ chown -R puppet:puppet /etc/puppet/
|
83
|
-
$ chmod -R 0500 /etc/puppet/
|
84
|
-
$ chmod 0400 /etc/puppet/
|
85
|
-
$ ls -lha /etc/puppet/
|
89
|
+
$ chown -R puppet:puppet /etc/puppetlabs/puppet/eyaml
|
90
|
+
$ chmod -R 0500 /etc/puppetlabs/puppet/eyaml
|
91
|
+
$ chmod 0400 /etc/puppetlabs/puppet/eyaml/*.pem
|
92
|
+
$ ls -lha /etc/puppetlabs/puppet/eyaml
|
86
93
|
-r-------- 1 puppet puppet 1.7K Sep 24 16:24 private_key.pkcs7.pem
|
87
94
|
-r-------- 1 puppet puppet 1.1K Sep 24 16:24 public_key.pkcs7.pem
|
88
95
|
|
96
|
+
You may also load the keypair into an environment variable and use the `pkcs7_private_key_env_var` and `pkcs7_public_key_env_var` options to specify the environment variable names to avoid writing the secret key to disk.
|
97
|
+
|
98
|
+
|
99
|
+
Basic usage
|
100
|
+
-----------
|
89
101
|
|
90
102
|
### Encryption
|
91
103
|
|
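Review bot: the new paragraph on `pkcs7_private_key_env_var` and `pkcs7_public_key_env_var` says loading the keypair into an environment variable avoids writing the secret key to disk, but it should state the trade-off as well: the environment of the puppetserver process is readable by any process running under the same user (via `/proc/<pid>/environ`), is inherited by every child process it spawns, and can surface in diagnostics or crash dumps, so the variable has to be injected by the service manager rather than a shell profile, and the option does not remove the need to protect the host. The four commands are consistently updated to `/etc/puppetlabs/puppet/eyaml`, and their order matters: `chmod -R 0500` first, then `chmod 0400 ... /*.pem` to narrow the key files, which is what the retained `ls -lha` output shows.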
@@ -109,17 +121,18 @@ To test decryption you can also use the eyaml tool if you have both keys
|
|
109
121
|
$ eyaml decrypt -f filename # Decrypt a file
|
110
122
|
$ eyaml decrypt -s 'ENC[PKCS7,.....]' # Decrypt a string
|
111
123
|
|
112
|
-
### Editing eyaml
|
124
|
+
### Editing files with a mixture of eyaml-encrypted and plain-text content
|
113
125
|
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
126
|
+
This is, perhaps, the most common use of eyaml where you have created a few
|
127
|
+
eyaml files, with a mixture of encrypted and non-encrypted properties, you can
|
128
|
+
edit the encrypted values in place, using the special edit mode of the eyaml
|
129
|
+
utility. Edit mode opens a decrypted copy of the eyaml file in your `$EDITOR`
|
130
|
+
and will encrypt and modified values when you exit the editor.
|
118
131
|
|
119
132
|
$ eyaml edit filename.eyaml # Edit an eyaml file in place
|
120
133
|
|
121
|
-
When editing eyaml files, you will see that the unencrypted plaintext is marked to allow the eyaml tool to
|
122
|
-
identify each encrypted block, along with the encryption method. This is used to make sure that the block
|
134
|
+
When editing eyaml files, you will see that the unencrypted plaintext is marked to allow the eyaml tool to
|
135
|
+
identify each encrypted block, along with the encryption method. This is used to make sure that the block
|
123
136
|
is encrypted again only if the clear text value has changed, and is encrypted using the
|
124
137
|
original encryption mechanism (see plugable encryption later).
|
125
138
|
|
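Review bot: `and will encrypt and modified values when you exit the editor` should read `any modified values`, and `plugable` in the retained context line should be `pluggable`. The clearer heading `Editing files with a mixture of eyaml-encrypted and plain-text content` is welcome, but the paragraph should also say what edit mode writes to disk while the editor is open, since "a decrypted copy of the eyaml file in your `$EDITOR`" implies a plaintext temporary file; the changelog's v2.0.8 entry `Fix to tempfile permissions and invalid editor scenario` shows this has bitten users before, so naming the location and permissions of that temporary file belongs here.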
@@ -150,17 +163,167 @@ things:
|
|
150
163
|
- nested thing 2.1
|
151
164
|
```
|
152
165
|
|
153
|
-
Whilst editing you can delete existing values and add new one using the same format (as below). Note that it is important to
|
166
|
+
Whilst editing you can delete existing values and add new one using the same format (as below). Note that it is important to
|
154
167
|
omit the number in brackets for new values. If any duplicate IDs are found then the re-encryption process will be abandoned
|
155
168
|
by the eyaml tool.
|
156
169
|
|
157
170
|
some_new_key: DEC::PKCS7[a new value to encrypt]!
|
158
171
|
|
172
|
+
### Encrypting an entire file
|
173
|
+
|
174
|
+
While not as common, sometimes you need to encrypt an entire file. Maybe this
|
175
|
+
file is binary data that isn't meant for loading into an editor. One example
|
176
|
+
might be a Kerberos keytab file. No problem! Just encrypt the entire file:
|
177
|
+
|
178
|
+
$ eyaml encrypt -f filename
|
179
|
+
|
180
|
+
As with encrypting short strings on the command-line, the encrypted equivalent
|
181
|
+
will be sent to stdout as an ASCII text string and thus now plays nice with
|
182
|
+
your editor. Notice that the file itself, however, remains unchanged. The
|
183
|
+
output is presented in two blocks: once as a single, long string and once in
|
184
|
+
a nice line-wrapped form. Copy the one of your preference, starting with the
|
185
|
+
`ENC[` and ending at the matching `]`. Paste this into your Puppet or Hiera
|
186
|
+
file just like any other eyaml string and your done. If the file is rather
|
187
|
+
large, you may wish to use a helper like `xclip` to copy the stdout directly to
|
188
|
+
your clipboard.
|
189
|
+
|
190
|
+
### Encrypting multiline values
|
191
|
+
|
192
|
+
The following step-by-step example shows you how to encrypt multiline values.
|
193
|
+
|
194
|
+
- Copy the YAML text below to a file named `multiline_example.eyaml`
|
195
|
+
```
|
196
|
+
---
|
197
|
+
accounts::key_sets:
|
198
|
+
dummy:
|
199
|
+
private: |
|
200
|
+
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
|
201
|
+
Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20200911"
|
202
|
+
P2/56wAAANwAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
|
203
|
+
1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAAjQAAAIkAAAAGJQAAAP93ZtrMIRZutZ/SZUyw
|
204
|
+
JWwyI4YxNvr5tBt9UnSJ7K0+rQAAAQDohO1ykUahsogS+ymM6o9WEmdROJZpWShCqdv8Dj
|
205
|
+
2roQAAAIDG1G8hY90Xlz/YiFhDZLLWAAAAgOzMWTfAlHbJ4AdEhG5uU/EAAACA+1/AlcSr
|
206
|
+
QEPM5xLW0unCsQ==
|
207
|
+
---- END SSH2 ENCRYPTED PRIVATE KEY ----
|
208
|
+
```
|
209
|
+
|
210
|
+
- Use `edit` to ...
|
211
|
+
- replace '|' with '>',
|
212
|
+
- prepend `DEC::PKCS7[` before the first line,
|
213
|
+
- remove all whitespaces used for indentation,
|
214
|
+
- and append `]!` to the last line of the multiline value.
|
215
|
+
|
216
|
+
`eyaml edit multiline_example.eyaml`
|
217
|
+
```
|
218
|
+
---
|
219
|
+
accounts::key_sets:
|
220
|
+
dummy:
|
221
|
+
private: >
|
222
|
+
DEC::PKCS7[---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
|
223
|
+
Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20170123"
|
224
|
+
P2/56wAAANwAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
|
225
|
+
1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAAjQAAAIkAAAAGJQAAAP93ZtrMIRZutZ/SZUyw
|
226
|
+
JWwyI4YxNvr5tBt9UnSJ7K0+rQAAAQDohO1ykUahsogS+ymM6o9WEmdROJZpWShCqdv8Dj
|
227
|
+
2roQAAAIDG1G8hY90Xlz/YiFhDZLLWAAAAgOzMWTfAlHbJ4AdEhG5uU/EAAACA+1/AlcSr
|
228
|
+
QEPM5xLW0unCsQ==
|
229
|
+
---- END SSH2 ENCRYPTED PRIVATE KEY ----]!
|
230
|
+
```
|
231
|
+
```
|
232
|
+
# resulting encrypted file
|
233
|
+
---
|
234
|
+
accounts::key_sets:
|
235
|
+
dummy:
|
236
|
+
private: >
|
237
|
+
ENC[PKCS7,MIIDTQYJKoZIhvcNAQcDoIIDPjCCAzoCAQAxggEhMIIBHQIBADAFMAACAQEw
|
238
|
+
DQYJKoZIhvcNAQEBBQAEggEAXH7xB1xuzoMAqA/3jSXO0ZUR6+UCb3DsTTj3
|
239
|
+
Lsrcx5oQBnJ/ml7GfBCPxBKfArZunLcnxmSk4hECKXdfgKsVjAa++JQWvtEm
|
240
|
+
HUNTFqvwd76Ku+nMfI9c8g+X+l6obLjzWfJdg3t6Ja7CJKl8UNFtSmbfYKVi
|
241
|
+
nZ0xBubgdY4plLAFcZyD5/A/lNFqwb051TRLbZOIRRfLUlRL7RNkKRC59Aog
|
242
|
+
S5aJXjmqx6vRzFifNK0JFZvYHGD75TiHJ5LFjg4rjgFd43AnK8iNo773ZWP2
|
243
|
+
48Gly5Zx7qVQDCDDi1YBgNFb0NIBQw+kWy7HcPH2REvPnXu/HV2FWvDP3Ond
|
244
|
+
yr2EbTCCAg4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEH+CjZJ1gKfaQIrr
|
245
|
+
N5zef7OAggHgBmRVsfaoiNEOzhmHZ5SxxZztmpBNtLv7mteaSqSL5o0TtKQh
|
246
|
+
SDgxBhaQmlL51+JM1Jsnvqm57ikZhj7Vtek/vr5DhYhWs0AxttH5rNaw0zKU
|
247
|
+
4bMppVu+SNKCtT+2Qw31x/S7gF7yVl+mwmXhq3qAj9ExWRX3d/8/zTuC61Io
|
248
|
+
f+7O6YUOucZ/m/YPrQnC5v7bDSKlIf1aFaKqukjM3QO8FZlAOHGPvRuWV2Om
|
249
|
+
QIgxQE6F8r+bTkW3KiVIx5FEIthRZ90VS3tz/2wjj77svddBhlid9ov/0ard
|
250
|
+
GGVNGsl1BFpLqxC0mpZXz237cL/aM58naqmX52J6YmC0xQM3DNmahWlYx1HV
|
251
|
+
J/Ogk12pOYPLJB/09OuoHPzKC4WfpB9B7wAC6pghRkO/84cOw6rgSdbzze5W
|
252
|
+
WMPvo181Y74BSBKhJDdO3lWYmEcDyx4TEsMUlpxd9PBDcOHqf9qHviXrwGzO
|
253
|
+
oSm2bUV0Fum5ueU+D2vu3mO0yIQ6fwyvDZLBRjfJV7K/PyDz81feWT6+g38t
|
254
|
+
AC27c0h8wk9b7HYfqG28nZE7F13qrhwCKnOaYLglsmbszNpRrBhfo1IHF6oM
|
255
|
+
YZRZrnrGQg5qQcxMsLq37RAfRgkY0rRLs78EEAhkf4NDxw0A/ovt]
|
256
|
+
```
|
257
|
+
- Output of `eyaml decrypt -f multiline_example.eyaml`:
|
258
|
+
```
|
259
|
+
---
|
260
|
+
accounts::key_sets:
|
261
|
+
dummy:
|
262
|
+
private: |
|
263
|
+
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
|
264
|
+
Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20200911"
|
265
|
+
P2/56wAAANwAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
|
266
|
+
1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAAjQAAAIkAAAAGJQAAAP93ZtrMIRZutZ/SZUyw
|
267
|
+
JWwyI4YxNvr5tBt9UnSJ7K0+rQAAAQDohO1ykUahsogS+ymM6o9WEmdROJZpWShCqdv8Dj
|
268
|
+
2roQAAAIDG1G8hY90Xlz/YiFhDZLLWAAAAgOzMWTfAlHbJ4AdEhG5uU/EAAACA+1/AlcSr
|
269
|
+
QEPM5xLW0unCsQ==
|
270
|
+
---- END SSH2 ENCRYPTED PRIVATE KEY ----
|
271
|
+
```
|
272
|
+
- The output *does NOT* have to be valid YAML for usage with Puppet.
|
159
273
|
|
160
274
|
Hiera
|
161
275
|
-----
|
162
276
|
|
163
|
-
To use eyaml with hiera and puppet, first configure hiera.yaml to use the eyaml backend
|
277
|
+
To use eyaml with hiera and puppet, first configure hiera.yaml to use the eyaml backend.
|
278
|
+
|
279
|
+
Eyaml works with [Hiera 3.x](https://docs.puppet.com/hiera/latest), as well as with [Hiera 5](https://docs.puppet.com/puppet/latest/hiera_intro.html) (Puppet 4.9.3 and later).
|
280
|
+
|
281
|
+
### With Hiera 5
|
282
|
+
|
283
|
+
In Hiera 5, each hierarchy level has one designated backend, as well as its own independent configuration for that backend.
|
284
|
+
|
285
|
+
Hierarchy levels that use eyaml must set the following keys:
|
286
|
+
|
287
|
+
* `name`.
|
288
|
+
* `lookup_key` (must be set to `eyaml_lookup_key`).
|
289
|
+
* `path`/`paths`/`glob`/`globs` (choose one).
|
290
|
+
* `datadir` (can be omitted if you've set a default).
|
291
|
+
* `options` — a hash of eyaml-specific settings; by default, this should include `pkcs7_private_key` and `pkcs7_public_key`, or `pkcs7_public_key_env_var` and `pkcs7_private_key_env_var`, but alternate encryption plugins use alternate options. Anything from the old `:eyaml` config section (except `datadir`) goes here.
|
292
|
+
|
293
|
+
You do not need to specify key names as `:symbols`; normal strings are fine.
|
294
|
+
|
295
|
+
``` yaml
|
296
|
+
---
|
297
|
+
version: 5
|
298
|
+
defaults:
|
299
|
+
datadir: data
|
300
|
+
hierarchy:
|
301
|
+
- name: "Secret data: per-node, per-datacenter, common"
|
302
|
+
lookup_key: eyaml_lookup_key # eyaml backend
|
303
|
+
paths:
|
304
|
+
- "secrets/nodes/%{trusted.certname}.eyaml" # Include explicit file extension
|
305
|
+
- "secrets/location/%{facts.whereami}.eyaml"
|
306
|
+
- "common.eyaml"
|
307
|
+
options:
|
308
|
+
pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem
|
309
|
+
pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem
|
310
|
+
- name: "Normal data"
|
311
|
+
data_hash: yaml_data # Standard yaml backend
|
312
|
+
paths:
|
313
|
+
- "nodes/%{trusted.certname}.yaml"
|
314
|
+
- "location/%{facts.whereami}/%{facts.group}.yaml"
|
315
|
+
- "groups/%{facts.group}.yaml"
|
316
|
+
- "os/%{facts.os.family}.yaml"
|
317
|
+
- "common.yaml"
|
318
|
+
```
|
319
|
+
|
320
|
+
Unlike with Hiera 3, there's no default file extension for eyaml files, so you can specify your own file extension directly in the path name.
|
321
|
+
|
322
|
+
For more details, see the [hiera.yaml (version 5) reference page](https://docs.puppet.com/puppet/latest/hiera_config_yaml_5.html).
|
323
|
+
|
324
|
+
### With Hiera 3
|
325
|
+
|
326
|
+
In Hiera 3, hierarchy levels don't have a backend assigned to them, and Hiera loops through the entire hierarchy for each backend. Options for the backend are set globally, in an `:eyaml` config section.
|
164
327
|
|
165
328
|
```yaml
|
166
329
|
---
|
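Review bot: the decrypted output at new line 264 shows `Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20200911"`, but the value that was edited and encrypted at line 223 carries `Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20170123"`; decrypting the file shown cannot change that comment line, so the three listings were evidently captured from different runs. Regenerate the edit input, the encrypted file and the `eyaml decrypt -f` output from one file so a reader can verify that the `DEC::PKCS7[...]!` markers round-trip the multiline value unchanged, which is the point of the example.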
@@ -180,6 +343,9 @@ To use eyaml with hiera and puppet, first configure hiera.yaml to use the eyaml
|
|
180
343
|
# If using the pkcs7 encryptor (default)
|
181
344
|
:pkcs7_private_key: /path/to/private_key.pkcs7.pem
|
182
345
|
:pkcs7_public_key: /path/to/public_key.pkcs7.pem
|
346
|
+
|
347
|
+
# Optionally cache decrypted data (default: false)
|
348
|
+
:cache_decrypted: false
|
183
349
|
```
|
184
350
|
|
185
351
|
Then, edit your hiera yaml files, and insert your encrypted values. The default eyaml file extension is .eyaml, however this can be configured in the :eyaml block to set :extension,
|
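Review bot: the new `:cache_decrypted` option at line 348 is documented only as "Optionally cache decrypted data"; say what is cached and for how long (whether plaintext values are held in the Hiera process memory, and whether they live until the process exits) so operators can weigh the lookup speed-up against keeping decrypted secrets resident. A comment along the lines of `# Keep decrypted values in memory between lookups (default: false)` plus one sentence on the retention lifetime would do.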
@@ -189,6 +355,8 @@ Then, edit your hiera yaml files, and insert your encrypted values. The default
|
|
189
355
|
:extension: 'yaml'
|
190
356
|
```
|
191
357
|
|
358
|
+
### Data formatting note
|
359
|
+
|
192
360
|
*Important Note:*
|
193
361
|
The eyaml backend will not parse internally json formatted yaml files, whereas the regular yaml backend will.
|
194
362
|
You'll need to ensure any existing yaml files using json format are converted to syntactically correct yaml format.
|
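Review bot: the new `### Data formatting note` heading at line 358 is immediately followed by the existing `*Important Note:*` line at 360, so the section now opens with two titles; drop the emphasised line or fold its wording into the heading. While here, line 361 reads awkwardly ("will not parse internally json formatted yaml files"); suggest "will not parse YAML files that are written in JSON syntax, whereas the regular yaml backend will."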
@@ -238,20 +406,20 @@ Configuration file for eyaml
|
|
238
406
|
|
239
407
|
Default parameters for the eyaml command line tool can be provided by creating a configuration YAML file.
|
240
408
|
|
241
|
-
Config files will be read first from
|
409
|
+
Config files will be read first from `~/.eyaml/config.yaml`, then from `/etc/eyaml/config.yaml` and finally by anything referenced in the `EYAML_CONFIG` environment variable
|
242
410
|
|
243
411
|
The file takes any long form argument that you can provide on the command line. For example, to override the pkcs7 keys:
|
244
412
|
```yaml
|
245
413
|
---
|
246
|
-
pkcs7_private_key: '
|
247
|
-
pkcs7_public_key: '
|
414
|
+
pkcs7_private_key: './keys/eyaml/private_key.pkcs7.pem'
|
415
|
+
pkcs7_public_key: './keys/eyaml/public_key.pkcs7.pem'
|
248
416
|
```
|
249
417
|
|
250
418
|
Or to override to use GPG by default:
|
251
419
|
```yaml
|
252
420
|
---
|
253
421
|
encrypt_method: 'gpg'
|
254
|
-
gpg_gnupghome: '
|
422
|
+
gpg_gnupghome: './alternative_gnupghome'
|
255
423
|
gpg_recipients: 'sihil@example.com,gtmtech@example.com,tpoulton@example.com'
|
256
424
|
```
|
257
425
|
|
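Review bot: line 409 lists three config locations but does not say which one wins when more than one exists, and the sentence is missing its full stop; state the precedence explicitly (whether settings from a later file override earlier ones or the reverse, as the loader actually behaves), because a user-level `~/.eyaml/config.yaml` silently overriding `/etc/eyaml/config.yaml`, or vice versa, changes which keys get used. The filled-in examples at lines 414-415 and 422 use relative paths (`./keys/eyaml/private_key.pkcs7.pem`, `./alternative_gnupghome`); either note that these resolve against the directory `eyaml` is run from or use absolute paths in the example so the configuration does not depend on the current working directory.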
@@ -275,14 +443,20 @@ When editing eyaml files, you will see that the unencrypted plaintext is marked
|
|
275
443
|
This is a list of available plugins:
|
276
444
|
|
277
445
|
- [hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg) - Provide GPG encryption
|
278
|
-
- [hiera-eyaml-plaintext](https://github.com/gtmtechltd/hiera-eyaml-plaintext) - This is a no-op encryption plugin that
|
279
|
-
simply base64 encodes the values. It exists as an example plugin to create your own and to do integration tests on
|
446
|
+
- [hiera-eyaml-plaintext](https://github.com/gtmtechltd/hiera-eyaml-plaintext) - This is a no-op encryption plugin that
|
447
|
+
simply base64 encodes the values. It exists as an example plugin to create your own and to do integration tests on
|
280
448
|
hiera-eyaml. **THIS SHOULD NOT BE USED IN PRODUCTION**
|
281
449
|
- [hiera-eyaml-twofac](https://github.com/gtmtechltd/hiera-eyaml-twofac) - PKCS7 keypair + AES256 symmetric password for two-factor encryption
|
282
450
|
Note that this plugin mandates the user enter a password. It is useful for non-automated scenarios, and is not advised to be used
|
283
451
|
in conjunction with puppet, as it requires entry of a password over a terminal.
|
284
452
|
- [hiera-eyaml-kms](https://github.com/adenot/hiera-eyaml-kms) - Encryption using AWS Key Management Service (KMS)
|
453
|
+
- [hiera-eyaml-gkms](https://github.com/craigwatson/hiera-eyaml-gkms) - Encryption using Google Cloud KMS
|
454
|
+
- [hiera-eyaml-vault](https://github.com/crayfishx/hiera-eyaml-vault) - Use the transit secrets engine from Vault for providing encryption.
|
455
|
+
|
285
456
|
|
457
|
+
### How-To's:
|
458
|
+
|
459
|
+
- [How to use different Hiera/Eyaml keys for different environments using the AWS Parameter Store to store the encryption keys for Hiera/Eyaml](https://gist.github.com/FransUrbo/88b26033cb513a8aa569bd5392a427b1).
|
286
460
|
|
287
461
|
Notes
|
288
462
|
-----
|
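Review bot: the heading at line 457 is `### How-To's:` with a trailing colon, unlike the other level-3 headings added in this change (`### With Hiera 5`, `### Data formatting note`); drop the colon for consistency. The single entry at line 459 links to a personal gist rather than project documentation; label it as a community-contributed guide so readers know it is not maintained together with this README and may lag behind the options documented above.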
@@ -322,6 +496,8 @@ Some of us hang out on #hiera-eyaml on freenode, please drop by if you want to s
|
|
322
496
|
Tests
|
323
497
|
-----
|
324
498
|
|
499
|
+
**NOTE** Some testing requirements are not supported on Windows
|
500
|
+
|
325
501
|
In order to run the tests, simply run `cucumber` in the top level directory of the project.
|
326
502
|
|
327
503
|
You'll need to have a few requirements installed:
|