In rebuilding our environment, which extended back to the Puppet 2.x days, we needed a new solution for hosting files in a multi-client environment. In our use case, client segregation and deployment of files is the priority, both for security and as best practice. You don’t want Joe’s Burger Shack knowing what Bill’s Burger Hut is up to.
The solution? Store these files in Puppet? Sure, that’s an option, but there’s even more to configure there. It happens that we’re already using Hiera to store data, so why not leverage it? That means choosing a backend. After some looking around, we found an awesome backend for Hiera called hiera-file. When using it, I’d obviously suggest using the Hiera File Gem. One thing to keep in mind, however, is that this populates data into a file, so if you’re trying to manage images, this will not work for that use case.
The first thing you’ll want to do is install the gem. I’ve written this into my Puppet server module, which makes things easier, but you can simply install the gem as described below. I’m running Puppet4, so any server-side gems need to be installed via the puppetserver binary.
    sudo /opt/puppetlabs/bin/puppetserver gem install hiera-file
Once you have installed the gem, you’ll need to configure the hiera.yaml file, which is located at /etc/puppetlabs/code/hiera.yaml. I am using a few different backends and I stayed with the suggested %{calling_module}.
    ---
    :backends:
      - yaml
      - redis
      - file
    :hierarchy:
      - "%{name}"
    ### Snip ###
    :yaml:
      :datadir: /etc/puppetlabs/code/environments/%{environment}/hieradata
    :file:
      :datadir: /etc/puppetlabs/code/environments/%{environment}/hieradata
As you can see, I have cut off some of my hiera.yaml, but it’s very simple. One thing to note is that you’ll need to remove any dots (.) from filenames.
As an example of a use case, we prepopulate OpenVPN certificates for remote nodes, of which we have many. In your manifest you’ll define a hiera call along these lines:
    file {
      'my-crt':
        ensure  => present,
        path    => "${openvpn::params::basedir}/easy-rsa/keys/my.crt",
        content => hiera("${::hostname}_crt"),
        owner   => 0,
        group   => 0,
        mode    => '0644';
    }
Let’s say the hostname is foo. Based on the hiera call above and how you set up your hiera.yaml, you’d expect the file to live in /etc/puppetlabs/code/environments/development/hieradata/openvpn.d and the filename in that folder would be foo_crt.
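As an added example (not code from the original post or from the hiera-file project), this Ruby helper works out the path a lookup such as `foo_crt` resolves to under the layout above, and lists files in a `.d` directory whose names still contain a dot. The function names, the `%{calling_module}` hierarchy level and the allowed key characters are assumptions of this example.

```ruby
require 'tmpdir'
require 'fileutils'

# Expand %{var} tokens as used in the hiera.yaml on this page.
def interpolate(template, scope)
  template.gsub(/%\{([^}]+)\}/) { scope.fetch(Regexp.last_match(1)) }
end

# Path hiera-file reads for `key`: <datadir>/<hierarchy level>.d/<key>.
def hiera_file_path(datadir_tpl, level_tpl, scope, key)
  # Assumption of this example: keys are limited to [A-Za-z0-9_-], so a key
  # can never contain a dot or a path separator.
  unless key.match?(/\A[A-Za-z0-9_-]+\z/)
    raise ArgumentError, "unsafe hiera-file key: #{key.inspect}"
  end
  File.join(interpolate(datadir_tpl, scope),
            "#{interpolate(level_tpl, scope)}.d", key)
end

# File names in a .d directory that contain a dot and so break the naming rule.
def dotted_names(dir)
  Dir.children(dir).select { |name| name.include?('.') }.sort
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a throwaway datadir with one good and one bad name.
  Dir.mktmpdir do |root|
    datadir = File.join(root, '%{environment}', 'hieradata')
    scope = { 'environment' => 'development', 'calling_module' => 'openvpn' }
    path = hiera_file_path(datadir, '%{calling_module}', scope, 'foo_crt')
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, "constructed placeholder, not a real certificate\n")
    File.write(File.join(File.dirname(path), 'bar.crt'), "constructed\n")
    puts "lookup path: #{path}"
    puts "rename these: #{dotted_names(File.dirname(path)).inspect}"
  end
end
```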