blackbox/docs/with-puppet.md

How to use the secrets with Puppet?
===================================

# Entire files:

Entire files, such as SSL certs and private keys, are treated just
like regular files. You decrypt them any time you push a new release
to the puppet master.

Example of an encrypted file named `secret_file.key.gpg`

* Plaintext file is: `modules/${module_name}/files/secret_file.key`
* Encrypted file is: `modules/${module_name}/files/secret_file.key.gpg`
* Puppet sees it as: `puppet:///modules/${module_name}/secret_file.key`

Puppet code that stores `secret_file.key` in `/etc/my_little_secret.key`:

```
file { '/etc/my_little_secret.key':
    ensure  => 'file',
    owner   => 'root',
    group   => 'puppet',
    mode    => '0760',
    source  => "puppet:///modules/${module_name}/secret_file.key",  # No ".gpg"
}
```

# Small strings:

For small strings such as passwords and API keys, it makes sense
to store them in an (encrypted) YAML file which is then made
available via hiera.

For example, we use a file called `blackbox.yaml`. You can access the
data in it using the hiera() function.

*Setup:*

Edit `hiera.yaml` to include "blackbox" to the search hierarchy:

```
:hierarchy:
  - ...
  - blackbox
  - ...
```

In blackbox.yaml specify:

```
---
module::test_password: "my secret password"
```

In your Puppet Code, access the password as you would any hiera data:

```
$the_password = hiera('module::test_password', 'fail')

file {'/tmp/debug-blackbox.txt':
    content => $the_password,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
}
```

The variable `$the_password` will contain "my secret password" and can be used anywhere strings are used.
Implement blackbox in Golang (#250) * Initial release 2020-07-24 14:21:33 -04:00			`How to use the secrets with Puppet?`
			`===================================`

			`# Entire files:`

			`Entire files, such as SSL certs and private keys, are treated just`
			`like regular files. You decrypt them any time you push a new release`
			`to the puppet master.`

			Example of an encrypted file named `secret_file.key.gpg`

			* Plaintext file is: `modules/${module_name}/files/secret_file.key`
			* Encrypted file is: `modules/${module_name}/files/secret_file.key.gpg`
			* Puppet sees it as: `puppet:///modules/${module_name}/secret_file.key`

			Puppet code that stores `secret_file.key` in `/etc/my_little_secret.key`:

			```
			`file { '/etc/my_little_secret.key':`
			`ensure => 'file',`
			`owner => 'root',`
			`group => 'puppet',`
			`mode => '0760',`
			`source => "puppet:///modules/${module_name}/secret_file.key", # No ".gpg"`
			`}`
			```

			`# Small strings:`

			`For small strings such as passwords and API keys, it makes sense`
			`to store them in an (encrypted) YAML file which is then made`
			`available via hiera.`

			For example, we use a file called `blackbox.yaml`. You can access the
			`data in it using the hiera() function.`

			`Setup:`

			Edit `hiera.yaml` to include "blackbox" to the search hierarchy:

			```
			`:hierarchy:`
			`- ...`
			`- blackbox`
			`- ...`
			```

			`In blackbox.yaml specify:`

			```
			`---`
			`module::test_password: "my secret password"`
			```

			`In your Puppet Code, access the password as you would any hiera data:`

			```
			`$the_password = hiera('module::test_password', 'fail')`

			`file {'/tmp/debug-blackbox.txt':`
			`content => $the_password,`
			`owner => 'root',`
			`group => 'root',`
			`mode => '0600',`
			`}`
			```

			The variable `$the_password` will contain "my secret password" and can be used anywhere strings are used.