Our infrastructure uses puppet with public puppet modules. All our secrets and installation-specific parameters are therefore placed in hiera.
Data distribution
The hieradata directory contains multiple .yaml files holding our information. When we have multiple puppet masters it is important that each puppetmaster has an up-to-date copy of the hieradata, in addition to an up-to-date list of puppet modules. As the hieradata is full of secrets we cannot publish it on GitHub and have all puppetmasters pull it from there. What we do instead is to keep the hieradata as a local git repo which the puppetservers pull from each other.
Hiera keys
Depending on which services you are handling with puppet, you might need various keys in hiera. This page tries to list which keys need to be present to use our role/profile repositories.
General information
There is quite a bit of data which is not associated with a specific service but is used by various modules, and should thus generally always be present:
Key | Description | Example | Created by | Data-type | Used by: |
---|---|---|---|---|---|
profile::networking::rpfilter | Before we used multiple routing-tables on our hosts we had to turn off rpfilter to allow asymmetric routing. Now this should be turned on. | true | N/A | Boolean | All |
profile::networking::management::ipv4::prefixes | A list over IPv4 prefixes for networks where management stations are found. Used to configure the firewall for SSH, stats-pages etc. | - '192.0.2.0/26' | N/A | List of strings | All |
profile::networking::management::ipv6::prefixes | A list over IPv6 prefixes for networks where management stations are found. Used to configure the firewall for SSH, stats-pages etc. | - '2001:db8:beef:701::/64' | N/A | List of strings | All |
Dashboard
The general configuration of the dashboard is based on the following keys:
Key | Description | Example | Created by | Data-type | Used by: |
---|---|---|---|---|---|
profile::dashboard::django::secret | A secret key used for misc. security features in the django backend. Should be the same on all dashboard servers | 'pM[`SiZd'=+ycXOAKm`srXY?@8DRw=BVdQXg$blHD"RD\2iv97' | pwgen -s -y 50 -1 | String | role::bootstrap, role::dashboard |
profile::dashboard::name | The DNS name used to access the dashboard. This name should have an A and AAAA record configured with the address of the dashboard server (or loadbalancer). | 'dashboard.example.com' | N/A | String | role::bootstrap, role::dashboard |
profile::dashboard::name::v4only | A DNS name which also points to the dashboard, but which should only resolve to an IPv4 address. This is because some processes currently only work over IPv4 (authorization of the retrieval of PXE preseed files, for example). | 'v4dashboard.example.com' | N/A | String | role::bootstrap, role::dashboard |
profile::dashboard::ldap::url | The url for the LDAP server used for authentication. | 'ldaps://ldap.example.com:636' | N/A | String | role::bootstrap, role::dashboard |
profile::dashboard::ldap::search_base | LDAP search base | 'OU=Users,DC=ldap,DC=example,DC=com' | N/A | String | role::bootstrap, role::dashboard |
profile::dashboard::ldap::domain | LDAP domain name | 'example-com' | N/A | String | role::bootstrap, role::dashboard |
There are also some keys which have a suggested value which should work for all installations, but are still included in hiera for flexibility:
Key | Description | Suggested value | Data-type | Used by: |
---|---|---|---|---|
profile::dashboard::api | A HTTP link used by external clients connecting to the dashboard. | 'http://%{hiera('profile::dashboard::name::v4only')}' | String | role::bootstrap, role::dashboard |
profile::dashboard::datadir | A location where the dashboard can store files. | '/var/lib/machineadmin' | String | role::bootstrap, role::dashboard |
Database
Key | Description | Example | Created by | Data-type | Used by: |
---|---|---|---|---|---|
profile::dashboard::database::type | The database type. | 'mysql' or 'sqlite' | N/A | String | role::bootstrap, role::dashboard |
profile::dashboard::database::name | The database name (for mysql) or location (for sqlite) | 'dashboard' or '/var/dashboard.sqlite' | N/A | String | role::bootstrap, role::dashboard |
profile::dashboard::database::user | The database username | 'dashboard' | N/A | String | role::bootstrap, role::dashboard |
profile::dashboard::database::pass | The database password | 'x&1/7LjWbz:i<:W&p+PG' | pwgen -s -y 20 -1 | String | role::bootstrap, role::dashboard |
profile::dashboard::database::host | The database host. Could be a static string, or a hiera lookup. | 'mysql.example.com', '192.0.2.38' or "%{hiera('profile::haproxy::management::ip')}" | N/A | String | role::bootstrap, role::dashboard |
DHCP configuration:
The dashboard needs the keys listed at the section DHCP server in addition to the following keys to configure the DHCP servers:
Key | Description | Example | Created by | Data-type | Used by: |
---|---|---|---|---|---|
profile::dhcp::servers | A list of hashes describing the dhcp servers. Key=DHCP-Server-name and value=DHCP-IPv4 | 'dhcp1': '192.0.2.21' | N/A | List of hashes | role::bootstrap, role::dashboard |
DNS configuration:
The Dashboard requires some keys listed under the section DNS-Server, in addition to the following keys:
Key | Description | Example | Created by | Data-type | Used by: |
---|---|---|---|---|---|
profile::dns::<shortname>::key | The TSIG key used for updates sent to this server. It can be useful to let this be a hiera lookup for the zones managed by our own DNS servers. | 'UvetjoX5zMiw/NbQr3biug==' or "%{hiera('profile::dns::key::update')}" | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | String | role::bootstrap, role::dashboard |
DHCP server
When running DHCP servers, the following keys are needed:
Key | Description | Example | Created by | Data-type | Used by: |
---|---|---|---|---|---|
profile::dhcp::omapi::key | The omapi key used to update the DHCP servers | 'omapi_key==' | dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST key_name | String | role::bootstrap, role::dashboard, role::dhcp |
profile::dhcp::omapi::name | The omapi key name | 'key_name' | ↑ | String | role::bootstrap, role::dashboard, role::dhcp |
profile::dhcp::searchdomain | The default search-domain handed to DHCP clients | 'cloud.domain.com' | N/A | String | role::bootstrap, role::dhcp |
profile::dns::resolvers | The DNS resolvers for clients to use | - '<ip-address-DNS1>' - '<ip-address-DNS2>' | N/A | List of strings | role::bootstrap, role::dhcp |
DNS server
If you are hosting a DNS server the following keys are needed:
Key | Description | Example | Created by | Data-type | Used by: |
---|---|---|---|---|---|
profile::dns::forwarders | Which DNS servers your DNS server should use to resolve domain names for which it is not the authoritative DNS | - '<ip-address-DNS1>' - '<ip-address-DNS2>' | N/A | List of strings | role::bootstrap, role::dns::master |
profile::dns::key::transfer | The TSIG keys used for zone-transfers | 'UvetjoX5zMiw/NbQr3biug==' | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | String | role::bootstrap, role::dns::master, role::dns::slave |
profile::dns::key::update | The TSIG keys used for DNS updates | 'UvetjoX5zMiw/NbQr3biug==' | dnssec-keygen -a HMAC-MD5 -b 128 -n HOST <keyname> | String | role::bootstrap, role::dns::master, role::dns::slave |
profile::dns::slaves | A list over DNS slave-servers which replicates the zone-files from the main DNS server. The hash is structured as key=Servername and value=DNS-IPv4 | 'ns2.example.com': '192.0.2.130' | N/A | List of Hashes | role::bootstrap, role::dns::master, role::dns::slave |
profile::dns::zones | A list over DNS zones managed by our DNS servers, or used by our dashboard. The hash is structured as key=DNS-zone and value=DNS-server-shortname. | 'zone.example.com': 'ns1' | N/A | List of Hashes | role::bootstrap, role::dashboard, role::dns::master, role::dns::slave |
In addition there is a set of keys which are needed for each DNS server managing a DNS zone used by us. Shortname is here the name used in "profile::dns::zones".
Key | Description | Example | Created by | Data-type | Used by: |
---|---|---|---|---|---|
profile::dns::<shortname>::ipv4 | The IPv4 address of a specific DNS server. | '192.0.2.129' | N/A | String | role::bootstrap, role::dashboard, role::dns::master, role::dns::slave |
profile::dns::<shortname>::name | The fqdn of a specific DNS server | 'ns1.example.com' | N/A | String | role::bootstrap, role::dns::master, role::dns::slave |
Haproxy
We use haproxy to loadbalance multiple of our services. It needs the following keys present in hiera to work:
Key | Description | Example | Created by | Data-type | Used by: |
---|---|---|---|---|---|
profile::haproxy::management::ipv4 | The IPv4 address used in front of the load balancer used for management services | '192.0.2.151' | N/A | String | role::puppet::db, role::puppet::server, role::mysql, role::balancer::management |
profile::haproxy::management::ipv4::id | The VRRP id used by the IPv4 VRRP instance. | 11 | N/A | Integer | role::balancer::management |
profile::haproxy::management::ipv4::priority | The VRRP priority used by the IPv4 VRRP instance. | 10 | N/A | Integer | role::balancer::management |
profile::haproxy::management::ipv6 | The IPv6 address used in front of the load balancer used for management services | '2001:db8:beef:707::7b1' | N/A | String | role::puppet::db, role::puppet::server, role::mysql, role::balancer::management |
profile::haproxy::management::ipv6::id | The VRRP id used by the IPv6 VRRP instance. | 12 | N/A | Integer | role::balancer::management |
profile::haproxy::management::ipv6::priority | The VRRP priority used by the IPv6 VRRP instance. | 10 | N/A | Integer | role::balancer::management |
MySQL
Our mysql cluster uses the following hiera-keys:
Key | Description | Example | Created by | Data-type | Used by |
---|---|---|---|---|---|
profile::mysqlcluster::servers | This is a list over IPv4 addresses used by servers in the cluster. This list is used when a server starts up, to discover at least one of the machines already in the cluster. | - '192.0.2.201' | N/A | String | role::mysql |
profile::mysqlcluster::master | The fqdn of one of the mysql servers. This is in theory used by the puppet-galera module to start one server in case all servers are down. | 'mysql1.example.com' | N/A | String | role::mysql |
profile::mysqlcluster::root_password | This is the password of the mysql root user | 'OwT$Etc$=|;h(=upip#3' | pwgen -s -y 20 -1 | String | role::mysql |
profile::mysqlcluster::status_password | This is the password of the mysql status user | ';^8P"M,Oem6le\T"am!0' | pwgen -s -y 20 -1 | String | role::mysql |
profile::mysqlcluster::haproxy_password | This is the password of the mysql haproxy user. This user is so that haproxy can create more robust checks than just see if port 3306 is open. | '4g36-&jHNFF?J-7yQZHa' | pwgen -s -y 20 -1 | String | role::mysql |
Redis
Key | Description | Example | Created by | Data-type | Used by: |
---|---|---|---|---|---|
profile::redis::master | Name or IP address of initial redis master | 'redis1.cloud.domain.com' | N/A | String | role::redis |
profile::redis::nodetype | Defined on each redis-node. Only valid values are 'master' or 'slave' | 'master' | N/A | String | role::redis |
profile::redis::ip | The IP redis clients should contact redis on. Typically the haproxy ip | '192.168.100.10' or "%{hiera('profile::haproxy::management::ip')}" or redis.cloud.domain.com | N/A | String | All |
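Because the hieradata repo is private and distributed between the puppetservers by hand, a missing or mistyped key is only discovered when a puppet run fails on some host. The following Ruby script is an added example, not part of the original page or of the role/profile modules it describes: it loads a hieradata YAML document, checks that the keys listed in the tables above are present for a given role with the data type the tables specify, and expands `%{hiera('...')}` lookups such as `profile::dashboard::api` so that dangling references are caught too. The `REQUIRED` table covers only a subset of the roles and keys from the tables, the `[:secret, n]` minimum-length rule is an assumption derived from the `pwgen -s -y n -1` commands in the "Created by" column, and the sample YAML and every secret value in it are constructed placeholders.

```ruby
# Added example (not the project's own code): validate a hieradata YAML file
# against the key tables before it is committed to the local hieradata git repo.
require 'yaml'

# Per role: required key => expected type. [:secret, n] means a string of at
# least n characters (the tables generate these with "pwgen -s -y n -1").
# Only a subset of the roles and keys from the tables is encoded here.
REQUIRED = {
  'role::dhcp' => {
    'profile::networking::rpfilter'                   => :boolean,
    'profile::networking::management::ipv4::prefixes' => :list_of_strings,
    'profile::dhcp::omapi::key'                       => :string,
    'profile::dhcp::omapi::name'                      => :string,
    'profile::dhcp::searchdomain'                     => :string,
    'profile::dns::resolvers'                         => :list_of_strings,
  },
  'role::balancer::management' => {
    'profile::haproxy::management::ipv4'           => :string,
    'profile::haproxy::management::ipv4::id'       => :integer,
    'profile::haproxy::management::ipv4::priority' => :integer,
    'profile::haproxy::management::ipv6'           => :string,
    'profile::haproxy::management::ipv6::id'       => :integer,
    'profile::haproxy::management::ipv6::priority' => :integer,
  },
  'role::dashboard' => {
    'profile::dashboard::django::secret' => [:secret, 50],
    'profile::dashboard::name'           => :string,
    'profile::dashboard::name::v4only'   => :string,
    'profile::dashboard::api'            => :string,
    'profile::dashboard::database::pass' => [:secret, 20],
  },
}.freeze

# Constructed sample hieradata (placeholder values only). It deliberately has
# a quoted VRRP id, a missing priority and two secrets that are far too short.
SAMPLE_YAML = <<~'YAML'
  profile::networking::rpfilter: true
  profile::networking::management::ipv4::prefixes:
    - '192.0.2.0/26'
  profile::dhcp::omapi::key: 'PLACEHOLDER_OMAPI_KEY=='
  profile::dhcp::omapi::name: 'key_name'
  profile::dhcp::searchdomain: 'cloud.domain.com'
  profile::dns::resolvers:
    - '192.0.2.53'
  profile::haproxy::management::ipv4: '192.0.2.151'
  profile::haproxy::management::ipv4::id: 11
  profile::haproxy::management::ipv4::priority: 10
  profile::haproxy::management::ipv6: '2001:db8:beef:707::7b1'
  profile::haproxy::management::ipv6::id: '12'
  profile::dashboard::django::secret: 'changeme'
  profile::dashboard::name: 'dashboard.example.com'
  profile::dashboard::name::v4only: 'v4dashboard.example.com'
  profile::dashboard::api: "http://%{hiera('profile::dashboard::name::v4only')}"
  profile::dashboard::database::pass: 'changeme'
YAML
SAMPLE = YAML.safe_load(SAMPLE_YAML).freeze

# Expand "%{hiera('other::key')}" against the same hash, recursively, so a
# value such as profile::dashboard::api is checked in its final form.
def resolve(data, value, depth = 0)
  return value unless value.is_a?(String)
  raise 'interpolation loop' if depth > 10
  value.gsub(/%\{hiera\('([^']+)'\)\}/) do
    key = Regexp.last_match(1)
    raise "missing key #{key}" unless data.key?(key)
    resolve(data, data[key], depth + 1).to_s
  end
end

def type_ok?(value, spec)
  type, min = spec # a bare symbol leaves min as nil
  case type
  when :boolean then [true, false].include?(value)
  when :integer then value.is_a?(Integer)
  when :string  then value.is_a?(String)
  when :secret  then value.is_a?(String) && value.length >= min
  when :list_of_strings
    value.is_a?(Array) && !value.empty? && value.all? { |v| v.is_a?(String) }
  else false
  end
end

# Problems found for one role; an empty list means the data is usable.
def check_role(data, role)
  problems = []
  REQUIRED.fetch(role).each do |key, spec|
    unless data.key?(key)
      problems << "#{key}: missing"
      next
    end
    value = resolve(data, data[key])
    next if type_ok?(value, spec)
    expected = spec.is_a?(Array) ? "#{spec[0]} of at least #{spec[1]} characters" : spec
    got = spec.is_a?(Array) ? '[redacted]' : value.inspect # never print secrets
    problems << "#{key}: expected #{expected}, got #{got}"
  end
  problems
end

# { role => problems } for every role that has at least one problem.
def check_all(data)
  REQUIRED.keys.map { |r| [r, check_role(data, r)] }.reject { |_, p| p.empty? }.to_h
end

if __FILE__ == $PROGRAM_NAME
  report = check_all(SAMPLE)
  puts(report.empty? ? 'hieradata OK' : report.map { |r, p| "#{r}:\n  #{p.join("\n  ")}" }.join("\n"))
end
```

Run it against a real hieradata file by replacing `SAMPLE` with `YAML.safe_load(File.read('common.yaml'))`; a git pre-commit hook in the local hieradata repo is a natural place for it, since every puppetserver pulls from that repo. Secret values are redacted in the report on purpose, so the output can go into a log without leaking the keys the page says must never leave the puppetservers.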