I’m in the process of evaluating Puppet Enterprise as a configuration management solution for my company. A glaring issue I hit early on is figuring out how to secure credentials that are fed to the various Puppet configurations. By default, there is no way I’m aware of to obfuscate credentials in the configuration areas (including hiera files and class parameters in the GUI). This is an issue as I can’t expose certain credentials to the general public.
Fortunately, hiera-eyaml was easy-to-find and does the trick. There’s a lot of good documentation out there on how to set this up, and I won’t belabor that point, but to a Puppet noob the documentation makes a lot of assumptions. The main assumption I want to clear up is how to get it up-and-running on your Puppet Master server using the eyaml utility from the CLI.
The GitHub document appears easy-to-follow:
The first step makes perfect sense, and worked without issue:
puppetserver gem install hiera-eyaml
The problem was after this. I could not call the eyaml executable. If I typed “eyaml –help”, “eyaml encrypt” or any valid variation of the command I received a “eyaml: command not found” error.
Long story short, the issue is the Puppet master server does not have the ruby interpreter setup by default for command line use. The command above does make hiera-eyaml available for the Puppet software’s use, and you can go about configuring it and using as stated in the GitHub readme for Puppet, but the eyaml calls will not work for you on the CLI. The assumption they make is that you know to install the Ruby interpreter and gem separately for CLI usage. To do this, do the following from the Puppet master (or any Linux station):
apt-get install ruby gem install hiera-eyaml
Now the ruby interpreter is available for use to you on the CLI and you can call the eyaml executable as noted in the GitHub article.
I’m sure this is obvious to a Ruby/Linux expert, but it took me about 3/4 of a day to figure this out, so hopefully this helps save someone some time down the road.