Description
Problem:
The hiera example presented in https://puppet.com/docs/puppet/7/hiera_config_yaml_5.html#config_syntax is not typical of how we would suggest writing it. In most cases, separation into named hierarchy levels is only required for external sources such as Puppet Data Service.
Suggested improvement:
https://puppet.com/docs/puppet/7/hiera_config_yaml_5.html#config_syntax
Current text:
version: 5
defaults:  # Used for any hierarchy level that omits these keys.
  datadir: data         # This path is relative to hiera.yaml's directory.
  data_hash: yaml_data  # Use the built-in YAML backend.

hierarchy:
  - name: "Per-node data"                   # Human-readable name.
    path: "nodes/%{trusted.certname}.yaml"  # File path, relative to datadir.
                                            # ^^^ IMPORTANT: include the file extension!

  - name: "Per-datacenter business group data"  # Uses custom facts.
    path: "location/%{facts.whereami}/%{facts.group}.yaml"

  - name: "Global business group data"
    path: "groups/%{facts.group}.yaml"

  - name: "Per-datacenter secret data (encrypted)"
    lookup_key: eyaml_lookup_key  # Uses non-default backend.
    path: "secrets/nodes/%{trusted.certname}.eyaml"
    options:
      pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem
      pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem

  - name: "Per-OS defaults"
    path: "os/%{facts.os.family}.yaml"

  - name: "Common data"
    path: "common.yaml"
Suggested improvement:
version: 5
defaults:  # Used for any hierarchy level that omits these keys.
  datadir: data  # This path is relative to hiera.yaml's directory.

hierarchy:
  - name: "Hiera data in yaml and eyaml files committed to the control-repo"
    lookup_key: eyaml_lookup_key
    options:
      pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem
      pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "location/%{facts.whereami}/%{facts.group}.yaml"
      - "groups/%{facts.group}.yaml"
      - "secrets/nodes/%{trusted.certname}.eyaml"
      - "os/%{facts.os.family}.yaml"
      - "common.yaml"
Summary:
As advised by Reid, it's more typical with eyaml and yaml specifically to ONLY use lookup_key: eyaml, because eyaml can read yaml values just fine, and you don't have to encrypt every key. You can just encrypt the ones you want encrypted.
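The "encrypt only the keys you want encrypted" point is easy to get wrong in the other direction, so here is an added Ruby example (not from the ticket, the docs or hiera-eyaml) that audits a hierarchy of this shape: it expands hiera.yaml into backend/path pairs (honouring `path`, `paths` and `defaults`), maps the interpolated paths onto a set of data files, and reports secret-looking keys left in plaintext as well as ENC[] values sitting under a non-eyaml level, where a lookup returns the ciphertext string rather than the decrypted value. The trimmed hiera.yaml copy, the data file contents and the key-name pattern are constructed assumptions.

```ruby
require 'yaml'
# Constructed stand-in for the consolidated hiera.yaml proposed above, trimmed to two paths.
HIERA_YAML = <<~YAML
  version: 5
  hierarchy:
    - name: "Hiera data in yaml and eyaml files committed to the control-repo"
      lookup_key: eyaml_lookup_key
      paths:
        - "nodes/%{trusted.certname}.yaml"
        - "common.yaml"
YAML
# Constructed sample data files keyed by path relative to datadir; the ENC[] blob is a placeholder.
DATA_FILES = {
  'nodes/web01.example.com.yaml' => "profile::db::password: ENC[PKCS7,MIIBAgMBAAE=]\nprofile::db::user: app\n",
  'common.yaml' => "profile::api::token: hunter2\nprofile::ntp::servers:\n  - 0.pool.ntp.org\n"
}
SECRET_KEY = /password|secret|token|passphrase|private_key/i  # key names worth checking (assumption)
ENC_VALUE  = /\AENC\[PKCS7,[A-Za-z0-9+\/=]+\]\z/               # hiera-eyaml PKCS7 ciphertext marker

# Expand the hierarchy into [backend, path] pairs, honouring `path`, `paths` and `defaults`.
def hierarchy_levels(hiera_yaml)
  cfg = YAML.safe_load(hiera_yaml)
  defaults = cfg.fetch('defaults', {})
  cfg.fetch('hierarchy').flat_map do |lvl|
    backend = lvl['lookup_key'] || lvl['data_hash'] || defaults['lookup_key'] || defaults['data_hash']
    Array(lvl['paths'] || lvl['path']).map { |p| [backend, p] }
  end
end

# Turn "nodes/%{trusted.certname}.yaml" into a regex; each %{...} interpolation matches one path segment.
def path_regex(pattern)
  Regexp.new('\A' + pattern.split(/%\{[^}]+\}/, -1).map { |s| Regexp.escape(s) }.join('[^/]+') + '\z')
end

# Audit every data file reachable through the hierarchy. Returns [file, key, finding] triples.
def audit(hiera_yaml, files)
  hierarchy_levels(hiera_yaml).flat_map do |backend, pattern|
    files.select { |f, _| f.match?(path_regex(pattern)) }.flat_map do |file, text|
      YAML.safe_load(text).filter_map do |key, value|
        next unless value.is_a?(String)
        if value.match?(ENC_VALUE) && backend != 'eyaml_lookup_key'
          [file, key, 'ENC[] value under a non-eyaml backend; lookups return the ciphertext string']
        elsif key.to_s.match?(SECRET_KEY) && !value.match?(ENC_VALUE)
          [file, key, 'secret-looking key stored in plaintext; eyaml only decrypts ENC[] values']
        end
      end
    end
  end
end
audit(HIERA_YAML, DATA_FILES).each { |file, key, why| puts "#{file}: #{key}: #{why}" } if $PROGRAM_NAME == __FILE__
```

With the sample data the only finding is the plaintext token in common.yaml; swapping the level to data_hash: yaml_data also flags the ENC[] password, since the plain YAML backend never decrypts it.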