abstractitptyltd / abstractit-puppet

Manage puppet agent, master, modules and hiera with puppet
https://forge.puppetlabs.com/abstractit/puppet

Unable to deploy hiera eyaml keys #86

Open Wicaeed opened 8 years ago

Wicaeed commented 8 years ago

Greetings, I'm using the following snippet in a puppet manifest to set up my master:

class { '::puppet::profile::agent':
  allinone      => true,
  environment   => 'puppet_vagrant',
  collection    => 'PC1',
  manage_repos  => true,
  enable_repo   => true,
  enabled       => false,
  puppet_server => $::fqdn,
  custom_facts  => {
    'puppet_role' => 'puppet_master',
  },
}

exec { 'pre-generate puppetserver certs':
  command => "/opt/puppetlabs/bin/puppet cert generate ${::fqdn}",
}

class { '::puppet::profile::master':
  basemodulepath                     => '/etc/puppetlabs/code/modules:/etc/puppetlabs/puppet/modules',
  server_type                        => 'puppetserver',
  puppet_service_name                => 'puppetserver',
  eyaml_keys                         => true,
  hiera_eyaml_pkcs7_private_key_file => '/etc/puppetlabs/code/hiera_eyaml_keys/private_key.pkcs7.pem',
  hiera_eyaml_pkcs7_public_key_file  => '/etc/puppetlabs/code/hiera_eyaml_keys/public_key.pkcs7.pem',
  hiera_backends                     => {
    'eyaml' => { 'datadir' => '/etc/puppetlabs/code/environments/%{::environment}/hieradata' },
    'yaml'  => { 'datadir' => '/etc/puppetlabs/code/environments/%{::environment}/hieradata' },
  },
  hiera_hierarchy                    => [
    'clientcert/%{::clientcert}',
    'environment/%{::environment}/%{::puppet_role}',
    'environment/%{::environment}',
    'location/%{::location}',
    'puppet_role/%{::puppet_role}',
    'global',
  ],
  java_ram                           => '512m',
  puppetdb                           => true,
  puppetdb_server                    => $::fqdn,
  puppetdb_listen_address            => '0.0.0.0',
  puppetdb_ssl_listen_address        => '0.0.0.0',
  puppetdb_version                   => 'latest',
}

The above code works fine as long as I omit the 3 (4 including just setting up a default yaml backend) regarding configuring eyaml. When I run the code above I see the following error:

root@puppet-master:/puppet-provision# puppet apply master.pp 
Warning: Config file /etc/puppetlabs/code/hiera.yaml not found, using Hiera defaults
Warning: Scope(Apt::Source[puppetlabs-pc1]): $key_server is deprecated and will be removed in the next major release, please use $key => { 'server' => pgp.mit.edu } instead.
Warning: Scope(Apt::Source[apt.postgresql.org]): $include_src is deprecated and will be removed in the next major release, please use $include => { 'src' => false } instead
Warning: Scope(Apt::Source[apt.postgresql.org]): $key_source is deprecated and will be removed in the next major release, please use $key => { 'source' => https://www.postgresql.org/media/keys/ACCC4CF8.asc } instead.
Warning: Scope(Apt::Key[Add key: 47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30 from Apt::Source puppetlabs-pc1]): $key_server is deprecated and will be removed in the next major release. Please use $server instead.
Warning: Scope(Apt::Key[Add key: B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8 from Apt::Source apt.postgresql.org]): $key_source is deprecated and will be removed in the next major release. Please use $source instead.
Notice: Compiled catalog for puppet-master.localdomain.lan in environment production in 1.89 seconds
Notice: /Stage[main]/Main/Exec[pre-generate puppetserver certs]/returns: Error: A Certificate already exists for puppet-master.localdomain.lan
Error: /opt/puppetlabs/bin/puppet cert generate puppet-master.localdomain.lan returned 24 instead of one of [0]
Error: /Stage[main]/Main/Exec[pre-generate puppetserver certs]/returns: change from notrun to 0 failed: /opt/puppetlabs/bin/puppet cert generate puppet-master.localdomain.lan returned 24 instead of one of [0]
Notice: /Stage[main]/Puppet::Master::Hiera/File[/etc/puppetlabs/code/hiera.yaml]/ensure: defined content as '{md5}ae979fc2bde32e544505b369712f7506'
Notice: /Stage[main]/Puppet::Master::Hiera/File[/etc/puppetlabs/code/hiera_eyaml_keys]/ensure: created
Error: /Stage[main]/Puppet::Master::Hiera/File[/etc/puppetlabs/code/hiera_eyaml_keys/private_key.pkcs7.pem]: Could not evaluate: Could not retrieve information from environment production source(s) file:/etc/puppetlabs/code/hiera_eyaml_keys/private_key.pkcs7.pem
Error: /Stage[main]/Puppet::Master::Hiera/File[/etc/puppetlabs/code/hiera_eyaml_keys/public_key.pkcs7.pem]: Could not evaluate: Could not retrieve information from environment production source(s) file:/etc/puppetlabs/code/hiera_eyaml_keys/public_key.pkcs7.pem
Notice: /Stage[main]/Puppet::Master::Server/Service[puppetserver]: Dependency File[/etc/puppetlabs/code/hiera_eyaml_keys/private_key.pkcs7.pem] has failures: true
Notice: /Stage[main]/Puppet::Master::Server/Service[puppetserver]: Dependency File[/etc/puppetlabs/code/hiera_eyaml_keys/public_key.pkcs7.pem] has failures: true
Warning: /Stage[main]/Puppet::Master::Server/Service[puppetserver]: Skipping because of failed dependencies
Notice: Applied catalog in 13.10 seconds

Not too sure what I'm doing wrong here; do I need to pre-create the pkcs7 private/public keys before eyaml will work?

rendhalver commented 8 years ago

I see what's going on. hiera_eyaml_pkcs7_private_key_file and hiera_eyaml_pkcs7_public_key_file should be set to the puppet source for the file you want to copy in as the eyaml key. It gets passed straight to a file resource which uses the value as the source for that resource.

Does that make sense?
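To make the distinction concrete, here is an added example (not code from the issue or from the abstractit-puppet module) of the same two parameters given Puppet file-server URIs instead of paths on the master's disk. It assumes the key pair has already been generated and committed to a hypothetical module named `profile` under `files/eyaml/`; the module name and file layout are assumptions.

```puppet
# Added example, not from the issue or the abstractit-puppet module.
# Assumes the eyaml key pair was generated beforehand (for example with
# `eyaml createkeys`) and placed in a hypothetical module 'profile' at
# files/eyaml/private_key.pkcs7.pem and files/eyaml/public_key.pkcs7.pem.

class { '::puppet::profile::master':
  server_type                        => 'puppetserver',
  puppet_service_name                => 'puppetserver',
  eyaml_keys                         => true,
  # Each value is handed to a file resource as its `source`, so it must be
  # something the file resource can fetch. A puppet:/// URI is served from
  # the module's files directory on every run.
  hiera_eyaml_pkcs7_private_key_file => 'puppet:///modules/profile/eyaml/private_key.pkcs7.pem',
  hiera_eyaml_pkcs7_public_key_file  => 'puppet:///modules/profile/eyaml/public_key.pkcs7.pem',
}

# What the bare path in the report amounts to: a local path is only a valid
# `source` if that file already exists on the host being configured. Here it
# does not (the module is the thing meant to create it), so the run fails
# with "Could not retrieve information from environment production
# source(s) file:/...", exactly as in the log above.
file { '/tmp/eyaml-demo/private_key.pkcs7.pem':
  ensure => file,
  source => '/etc/puppetlabs/code/hiera_eyaml_keys/private_key.pkcs7.pem',
}

# Whichever source is used, the private key decrypts every eyaml secret in
# hieradata: after deployment confirm it is owned by the puppetserver user
# and readable by nobody else (mode 0600), and keep it out of any module
# repository that is readable more widely than the master itself.
```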