Encrypted Hiera eyaml variable decrypts on master but not on node

Question

I just set up hiera-eyaml on my Puppet 3.8, opensource environment.

defaults.yaml
db_password: ENC[PKCS7,MXCGFDS......]

site.pp
$password=hiera(db_password)

If I'm running:

puppet master --debug --compile funky_hostname.mydomain.com --environment=dev

I can see that my tempated configfile is generating correctly:

password="password123"

But when I'm running it on the actual node (funky_hostname.mydomain.com), I'm getting the original, encrypted string as result:

password="ENC[PKCS7,MXCGFDS......]"

Isn't the Hiera decryption is happening on the puppet master side?

Answer 1

Puppet catalogues are compiled on the Puppet Master. The compiled catalogue is then shared with the client over an SSL connection (assuming the Puppet CA has signed the SSL certificate request from the client). The catalogue is then realised on the client. The compilation stage also involves merging Hiera data (and decrypting first if using the EYAML backend). If using e.g. GPG encryption, the GPG recipients file on the Puppet Master is used in deciding which keys to use in the decryption process. The net result is that clients don't in fact decrypt the EYAML, this is all done on the Puppet Master. The only clients that can decrypt EYAML (at least if GPG is used) are those clients listed in the GPG recipients file. Hope that helps!

Answer 2

It looks like there was multiple issues together, one of them is the permission of the key file.

$ chown -R puppet:puppet /etc/puppet/secure/keys
enter code here$ chmod -R 0500 /etc/puppet/secure/keys
$ chmod 0400 /etc/puppet/secure/keys/*.pem
$ ls -lha /etc/puppet/secure/keys
-r-------- 1 puppet puppet 1.7K Sep 24 16:24 private_key.pkcs7.pem
-r-------- 1 puppet puppet 1.1K Sep 24 16:24 public_key.pkcs7.pem

Also running the puppet master in --no-deamonize mode with --debug --verbose flags helps to track what's happening on both side.