Puppet Encrypted Hiera eyaml variable decrypts on master but not on node

Puppet Encrypted Hiera eyaml variable decrypts on master but not on node,puppet,hiera,Puppet,Hiera,I just set up hiera-eyaml on my Puppet 3.8, opensource environment. defaults.yaml db_password: ENC[PKCS7,MXCGFDS......] site.pp $password=hiera(db_password) If I'm running: puppet master --debug --compile funky_hostname.mydomain.com --environment=dev I can see that my tempated configfile is generating correctly: password="password123" But when I'm running it on the actual node (funky_hostname.mydomain.com), I'm getting the original, encrypted string as result: password="ENC[PKCS7,MXCG

I just set up hiera-eyaml on my Puppet 3.8, opensource environment.

defaults.yaml
db_password: ENC[PKCS7,MXCGFDS......]

site.pp
$password=hiera(db_password)

If I'm running:

puppet master --debug --compile funky_hostname.mydomain.com --environment=dev

I can see that my tempated configfile is generating correctly:

password="password123"

But when I'm running it on the actual node (funky_hostname.mydomain.com), I'm getting the original, encrypted string as result:

password="ENC[PKCS7,MXCGFDS......]"

Isn't the Hiera decryption is happening on the puppet master side?


#1

Puppet catalogues are compiled on the Puppet Master. The compiled catalogue is then shared with the client over an SSL connection (assuming the Puppet CA has signed the SSL certificate request from the client). The catalogue is then realised on the client. The compilation stage also involves merging Hiera data (and decrypting first if using the EYAML backend). If using e.g. GPG encryption, the GPG recipients file on the Puppet Master is used in deciding which keys to use in the decryption process. The net result is that clients don't in fact decrypt the EYAML, this is all done on the Puppet Master. The only clients that can decrypt EYAML (at least if GPG is used) are those clients listed in the GPG recipients file. Hope that helps!


#2

It looks like there was multiple issues together, one of them is the permission of the key file.

$ chown -R puppet:puppet /etc/puppet/secure/keys
enter code here$ chmod -R 0500 /etc/puppet/secure/keys
$ chmod 0400 /etc/puppet/secure/keys/*.pem
$ ls -lha /etc/puppet/secure/keys
-r-------- 1 puppet puppet 1.7K Sep 24 16:24 private_key.pkcs7.pem
-r-------- 1 puppet puppet 1.1K Sep 24 16:24 public_key.pkcs7.pem

Also running the puppet master in --no-deamonize mode with --debug --verbose flags helps to track what's happening on both side.


#3

To be clear, are you running puppet agent --test --environment=dev to get that result?

#4

Without --test and with writing the output to a log file in verbose mode. But these shouldnt affect the outcome. Env=dev is defined in the puppet.conf at the node.

#5

That makes believe, that running the puppet master --compile command should give the same result then the puppet agent on the node. Then why is the password replaced only when it's called on puppet master?