
Jerakia setup guideline. OS packages can be used, or gem files.

Jerakia is a powerful, flexible and extendible lookup tool.

It provides easy examples of plugins that can be expanded to take care of our backend services.

Maybe this could also provide motivation and hints if we are to write a custom backend lookup for Hiera, which would be the best alternative if it works.

  1. Installation

Ensure the development tools packages are installed on the OS.

For Red Hat, the "Development tools" group. It might already be installed by default; check the next step and see if it fails.

For Ubuntu, the minimum tools:

```
apt-get install -y libsqlite3-dev make gcc g++
```

1.1 gem installation

```
gem install jerakia jerakia-client jerakia-puppet
```

and it also needs a second installation into puppetserver's own gem environment:

```
puppetserver gem install jerakia-client
```

It is necessary to install jerakia-client twice, with gem and with puppetserver gem, to avoid jerakia/client errors during lookup. Explanation: https://github.com/crayfishx/puppet-jerakia/issues/6

If the above two installations do not fix it, the other workaround is to add the puppet-agent Ruby path to ruby-load-path in puppetserver.conf (below). This may require a service restart.

```
head /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf
```

```
# configuration for the JRuby interpreters
jruby-puppet: {
    # Where the puppet-agent dependency places puppet, facter, etc...
    # Puppet server expects to load Puppet from this location
    ruby-load-path: [/opt/puppetlabs/puppet/lib/ruby/vendor_ruby, /opt/puppetlabs/puppet/cache/lib]
```

And then reload puppetserver:

```
/opt/puppetlabs/server/bin/puppetserver reload
```

1.2 AIO packages

Jerakia could also be installed from the AIO package (Ref: https://packager.io/gh/crayfishx/jerakia), such as for RHEL/CentOS 7:

```
[hostname]# cat /etc/yum.repos.d/jerakia.repo
# This file was generated by dl.packager.io
[jerakia]
name=Repository for crayfishx/jerakia (stable) packages.
baseurl=https://dl.packager.io/srv/rpm/crayfishx/jerakia/stable/el/7/$basearch
enabled=1
gpgcheck=0
repo_gpgcheck=1
gpgkey=https://dl.packager.io/srv/crayfishx/jerakia/key
```

Note that gpgcheck=0 disables signature verification of the packages themselves; only the repository metadata is verified (repo_gpgcheck=1).

```
yum install jerakia
```

Run the configuration as below and restart the service:

```
systemctl enable jerakia
systemctl start jerakia
```

AIO package installation on Ubuntu:

```
wget -qO- https://dl.packager.io/srv/crayfishx/jerakia/key | apt-key add -
sudo wget -O /etc/apt/sources.list.d/jerakia.list https://dl.packager.io/srv/crayfishx/jerakia/stable/installer/ubuntu/16.04.repo
sudo apt-get update
sudo apt-get install jerakia
```

Note: you might need to apt-get install wget apt-transport-https for the above instructions to work.

Ref: http://jerakia.io/basics/install/ . Prefer the gem installation, especially on Docker images.

  1. Configuration (the directories / files would already exist if installed from AIO packages)

```
mkdir -p /etc/jerakia /var/log/jerakia /var/db/jerakia /etc/jerakia/lib/jerakia/lookup/plugin /var/lib/jerakia/schema
```

Copy the relevant files to their destinations.

jerakia.yaml

Jerakia has a small main configuration in jerakia.yaml. The default location for the configuration file is /etc/jerakia.

Example:

```yaml
policydir: /etc/jerakia/policy.d
plugindir: /etc/jerakia/lib
loglevel: info
logfile: /var/log/jerakia.log
```

Copy the policy file (default.rb) to /etc/jerakia/policy.d.

Notes on the policy file, default.rb:

  • the hiera plugin changes the Jerakia lookup to be similar to the hiera lookup, i.e. ::
  • additional plugins can be specified, such as access_groups_backend

Copy your custom plugins to $plugindir/jerakia/lookup/plugin/ (plugindir = /etc/jerakia/lib):

```
cp access_groups_backend.rb /etc/jerakia/lib/jerakia/lookup/plugin/
```

This backend is a quick hack without much error checking.

The loglevel can be info or debug; logfile is the path Jerakia writes its log to.

Configure schemas to allow merging behaviour. This works even if the property is not included in the Puppet module, such as:

  • copy schema.json to /var/lib/jerakia/ (allows merging of classes)
  • copy vas.json to /var/lib/jerakia/schema/ (allows merging of users_allow_entries)

Additional schema files need to be added for any other parameters that need to be merged.

Copy the hiera data to the docroot specified in /etc/jerakia/policy.d/default.rb (if docroot = /var/lib/jerakia/data, it is the equivalent of the data from /var/lib/hiera).

Ref: http://jerakia.io/basics/configure/

  1. Integrate with Puppet. This uses the Hiera 5 data provider, available as part of the crayfishx/jerakia module.
  • Add the crayfishx/jerakia Puppet module to the server modulepath to provide the Hiera 5 data provider:

```
puppet module install crayfishx/jerakia --modulepath /opt/puppetlabs/puppet/modules
```

(or /etc/puppetlabs/puppet/modules, etc.)

  • Then generate a token with jerakia token create, such as:

```
jerakia token create puppet
```

or, if lost:

```
jerakia token regenerate
```

and add it to hiera.yaml to allow Hiera access to the Jerakia backend.

/etc/puppetlabs/code/hiera/hiera.yaml (or /etc/puppetlabs/code/environments/production/hiera.yaml):

```yaml
version: 5

defaults:
  data_hash: yaml_data
  datadir: "/var/lib/jerakia/data"
  #datadir: hieradata

hierarchy:
  - name: "Jerakia Server"
    lookup_key: jerakia
    options:
      token: puppet:07e1e2f7967a5398de42a89a89c5ee3670196b77cdcc9831365ce1caa2b7451e08f27f8ae6a8b1c3
      proto: https
      host: '<IP_address>'
      port: 9843
```

(every hiera.yaml modification requires a puppetserver restart)

  1. Restart puppetserver

Start the Jerakia server (if installed from package), or, if installed from Ruby gems:

```
pkill jerakia ; jerakia server &
```

Ref: http://jerakia.io/integration/puppet

Ref: https://www.craigdunn.org/2017/04/managing-puppet-secrets-with-jerakia-and-vault/

Alternative setups

Common central server

  1. Put the data in a central place on the remote Jerakia server and install the server there, with the following configuration:

```
[root@jerakia-server]# cat /etc/jerakia/jerakia.yaml
policydir: /etc/jerakia/policy.d
plugindir: /etc/jerakia/lib
loglevel: info
logfile: /var/log/jerakia/jerakia.log
server:
  token: 'puppet:07e1e2f7967a5398de42a89a89c5ee3670196b77cdcc9831365ce1caa2b7451e08f27f8ae6a8b1c3'
  bind: 'Public IP of Jerakia server'
  port: 9843
  proto: https
```

(Use https for access, and put the server behind a reverse proxy if necessary.)

And then provide this token and the host IP to Puppet v5 Hiera, or, for fallback on the Puppet server, to /etc/jerakia/jerakia.yaml.

```
root@puppet-server:/# cat /etc/puppetlabs/code/hiera/hiera.yaml
version: 5

defaults:
  data_hash: yaml_data
  datadir: "/var/lib/jerakia/data"
  #datadir: hieradata

hierarchy:
  - name: "Jerakia Server"
    lookup_key: jerakia
    options:
      token: puppet:07e1e2f7967a5398de42a89a89c5ee3670196b77cdcc9831365ce1caa2b7451e08f27f8ae6a8b1c3
      proto: https
      host: '<IP_address>'
      port: 9843
      scope:
        # No PATHs, just scope
        #certname: fqdn/%{trusted.certname}
        fqdn: "%{facts.fqdn}"
        #groups: "groups/%{facts.groups}"
        groups: "%{facts.groups}"
        environment: environment/%{environment}
        profile: "%{facts.profile}"
        access: "%{facts.access}"
        vas_domain: "%{facts.vas_domain}"
        domain: "%{facts.domain}"
        osfamily: "%{facts.osfamily}"
      .....
      .....
      .....
```
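As an added example (not part of this guide or of the Jerakia project), a small Ruby check that cross-checks the server-side jerakia.yaml against the hiera.yaml tier that points at it, for both the single-server and the central-server setups above: same token, same port, https on both sides, and no leftover '<IP_address>' placeholder. The two YAML documents are constructed samples and the token is a placeholder, not a real one.

```ruby
require 'yaml'

# Constructed sample jerakia.yaml (server side); the token is a placeholder, not a real one.
SERVER_YAML = <<~YAML
  policydir: /etc/jerakia/policy.d
  plugindir: /etc/jerakia/lib
  loglevel: info
  logfile: /var/log/jerakia/jerakia.log
  server:
    token: 'puppet:0123456789abcdef0123456789abcdef'
    bind: '0.0.0.0'
    port: 9843
    proto: https
YAML

# Constructed sample hiera.yaml tier (Puppet side) that should match the server above.
HIERA_YAML = <<~YAML
  version: 5
  hierarchy:
    - name: "Jerakia Server"
      lookup_key: jerakia
      options:
        token: puppet:0123456789abcdef0123456789abcdef
        proto: https
        host: 'jerakia.example.internal'
        port: 9843
YAML

# Cross-check the two files and return a list of problem strings (empty means they agree).
def check_jerakia_wiring(server_yaml, hiera_yaml)
  problems = []
  server = YAML.safe_load(server_yaml).fetch('server', {})
  problems << 'server: proto is not https' unless server['proto'] == 'https'
  tiers = YAML.safe_load(hiera_yaml).fetch('hierarchy', []).select { |t| t['lookup_key'] == 'jerakia' }
  problems << 'hiera.yaml: no tier with lookup_key jerakia' if tiers.empty?
  tiers.each do |tier|
    name = tier['name']
    opts = tier.fetch('options', {})
    # Jerakia tokens look like <name>:<hex>, as produced by `jerakia token create <name>`.
    problems << "#{name}: token does not look like name:hex" unless opts['token'].to_s =~ /\A\w+:\h+\z/
    problems << "#{name}: token differs from the server token" unless opts['token'] == server['token']
    problems << "#{name}: proto is not https" unless opts['proto'] == 'https'
    problems << "#{name}: port differs from the server port" unless opts['port'] == server['port']
    problems << "#{name}: host is still a placeholder" if opts['host'].to_s.start_with?('<')
  end
  problems
end

puts check_jerakia_wiring(SERVER_YAML, HIERA_YAML).inspect # => [] when the two files agree
```

Point it at the real files (File.read of /etc/jerakia/jerakia.yaml on the Jerakia host and of hiera.yaml on the Puppet server) after every token regeneration, since a stale token in hiera.yaml only shows up as failed lookups at catalog time.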

TBD: Automate, and if we use custom Docker images (and decide on Jerakia), we can include these steps in the image already, so that the deployed container is ready for use.