... | ... | @@ -708,6 +708,35 @@ neded more functions (like `map` and `filter`) to get what I wanted |
|
|
(see [this gist](https://gist.github.com/bastelfreak/b9620fa1892ebcc659c442b115db34f9)). I gave up at that point: the `puppetdbquery`
|
|
|
abstraction is much cleaner and usable.
|
|
|
|
|
|
### Hiera lookups
|
|
|
|
|
|
For more security-sensitive data, we should use a trusted data source
|
|
|
to extract information about hosts. We do this through Hiera lookups,
|
|
|
with the [lookup](https://puppet.com/docs/puppet/latest/function.html#lookup) function. A good example is how we populate the
|
|
|
SSH public keys on all hosts, for the admin user. In the
|
|
|
`profile::ssh` class, we do the following:
|
|
|
|
|
|
$keys = lookup('profile::admins::keys', Data, 'hash')
|
|
|
|
|
|
This will lookup the `profile::admin::keys` field in Hiera, which is a
|
|
|
trusted source because under the control of the Puppet git repo. This
|
|
|
refers to the following data structure in `hiera/common.yaml`:
|
|
|
|
|
|
profile::admins::keys:
|
|
|
anarcat:
|
|
|
type: "ssh-rsa"
|
|
|
pubkey: "AAAAB3[...]"
|
|
|
|
|
|
The key point with Hiera is that it's a "hierarchical" data structure,
|
|
|
so each host can have its own override. So in theory, the above keys
|
|
|
could be overriden per host. Similarly, the IP address information for
|
|
|
each host could be stored in Hiera instead of LDAP. But in practice,
|
|
|
we do not currently do this and the per-host information is limited.
|
|
|
|
|
|
### LDAP lookups
|
|
|
|
|
|
TODO.
|
|
|
|
|
|
## Revoking and generating a new certificate for a host
|
|
|
|
|
|
Revocation procedures problems were discussed in [33587][] and [33446][].
|
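Review bot: the prose under the snippet names the key as `profile::admin::keys` while the code and the YAML both use `profile::admins::keys`; align the prose with the code, since a reader copying the name from the text would get an empty lookup. Two typos in the same hunk: `overriden` should be `overridden`, and "trusted source because under the control of the Puppet git repo" is missing "it is". The trust argument is also worth making explicit: the data is only as trusted as write access to the Puppet git repo that holds `hiera/common.yaml`, which is the real contrast with the `puppetdbquery` path mentioned just above. Finally, `### LDAP lookups` is added as a bare `TODO.`; if it is meant to stay, a one-line pointer to the `### LDAP integration` section further down would keep it from reading as an empty heading.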
... | ... | @@ -1043,7 +1072,10 @@ Puppet itself, currently as part of the `torproject_org` module. |
|
|
|
|
|
### LDAP integration
|
|
|
|
|
|
TODO: document how Puppet talks with LDAP (and vice-versa?).
|
|
|
TODO: document how Puppet talks with LDAP (and vice-versa?). Note that
|
|
|
this is from a design perspective (ie. firewalls, access controls,
|
|
|
passwords, etc), not from a "user" perspective (ie. how to actually do
|
|
|
it in the Puppet code).
|
|
|
|
|
|
### External data sources
|
|
|
|
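Review bot: the short line `TODO: document how Puppet talks with LDAP (and vice-versa?).` appears alongside the expanded version of the same TODO; if the short one is being replaced rather than kept, make sure only the expanded line survives, otherwise the section carries two TODOs for one item. Since the note already scopes this to firewalls, access controls and passwords, consider also listing where the credentials Puppet uses to bind to LDAP are stored and which side initiates the connection, so the eventual text covers the trust boundary and not just the mechanics.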
... | ... | |