Maybe this could also provide motivation and hints if we are to write a custom backend lookup for Hiera, which would be the best alternative if it works.
- Installation
Ensure the development tools packages are installed on the OS.
For RedHat, the "Development Tools" package group. It might already be installed by default; try the next step and see if it fails.
Ubuntu, minimum tools: apt-get install -y libsqlite3-dev make gcc g++
1.1 gem installation.
gem install jerakia jerakia-client jerakia-puppet
and a second installation is needed:
puppetserver gem install jerakia-client
It is necessary to install jerakia-client twice, with gem and with puppetserver gem, because Puppet Server runs its own JRuby with a separate gem path; without the second install, lookups fail with jerakia/client load errors. Explanation: (https://github.com/crayfishx/puppet-jerakia/issues/6 )
If the above two installations do not fix it, the other workaround is to add the Ruby agent's lib paths to ruby-load-path in puppetserver.conf (below). This may require a service restart.
jruby-puppet: {
    # Where the puppet-agent dependency places puppet, facter, etc...
    # Puppet server expects to load Puppet from this location
    ruby-load-path: [/opt/puppetlabs/puppet/lib/ruby/vendor_ruby, /opt/puppetlabs/puppet/cache/lib]
}
And then reload puppetserver: /opt/puppetlabs/server/bin/puppetserver reload
1.2 AIO packages
(Could also be installed from an AIO package.) Ref: https://packager.io/gh/crayfishx/jerakia such as for RHEL/CentOS 7:
rpm --import https://rpm.packager.io/key
[hostname]# cat /etc/yum.repos.d/jerakia.repo
[jerakia]
name=Repository for crayfishx/jerakia (stable) packages.
baseurl=https://dl.packager.io/srv/rpm/crayfishx/jerakia/stable/el/7/$basearch
enabled=1
gpgcheck=0
repo_gpgcheck=1
gpgkey=https://dl.packager.io/srv/crayfishx/jerakia/key
Note: gpgcheck=0 means the RPMs themselves are not signature-checked; only the repository metadata is verified (repo_gpgcheck=1), plus the https transport. Keep that in mind when choosing between the package and the gem.
yum install jerakia
Run the configuration as below, then enable and start the service:
systemctl enable jerakia
systemctl start jerakia
AIO package installation on Ubuntu
wget -qO- https://dl.packager.io/srv/crayfishx/jerakia/key | sudo apt-key add -
sudo wget -O /etc/apt/sources.list.d/jerakia.list https://dl.packager.io/srv/crayfishx/jerakia/stable/installer/ubuntu/16.04.repo
sudo apt-get update
sudo apt-get install jerakia
Note: You might need to apt-get install wget apt-transport-https for the above instructions to work.
Ref: http://jerakia.io/basics/install/ Prefer the gem installation, especially on Docker images.
- configuration (directories / files would already exist if installed from AIO packages)
mkdir -p /etc/jerakia /var/log/jerakia /var/db/jerakia /etc/jerakia/lib/jerakia/lookup/plugin /var/lib/jerakia/schema
Copy the relevant files to their destinations.
jerakia.yaml
Jerakia has a small main configuration file, jerakia.yaml. The default location is /etc/jerakia.
Example:
policydir: /etc/jerakia/policy.d
plugindir: /etc/jerakia/lib
loglevel: info
logfile: /var/log/jerakia.log
copy the policy file (default.rb) to /etc/jerakia/policy.d
Notes on the policy file, default.rb:
- the hiera plugin makes Jerakia lookups behave like Hiera lookups, i.e. a key written as class::param is split on :: into a namespace and a key
- additional plugins can be specified, such as access_groups_backend
copy your custom plugins to $plugindir/jerakia/lookup/plugin/ (plugindir = /etc/jerakia/lib):
cp access_groups_backend.rb /etc/jerakia/lib/jerakia/lookup/plugin/
this backend is a quick hack without much error checking.
loglevel can be info or debug; logfile sets where Jerakia writes its log.
Configure schemas to allow merging behaviour. This works even if the property is not declared in the Puppet module, e.g.: copy schema.json to /var/lib/jerakia/ (allows merging of classes); copy vas.json to /var/lib/jerakia/schema/ (allows merging of users_allow_entries), etc. Additional schema files need to be added for any other parameters that need to be merged.
Copy the hiera data to the docroot specified in /etc/jerakia/policy.d/default.rb (if docroot = /var/lib/jerakia/data, this is equivalent to the data under /var/lib/hiera).
Ref: http://jerakia.io/basics/configure/
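The two notes above (the hiera plugin splitting class::param keys, and schema files driving merge behaviour across hierarchy levels) are easier to see in code. The following is an added model written for these notes, not Jerakia's own implementation: it keeps a constructed docroot and schema in memory instead of /var/lib/jerakia/data and /var/lib/jerakia/schema, assumes a fixed fqdn/groups/common hierarchy and a schema layout of {"<param>": {"merge": "array|hash|first"}}, and implements the lookup those settings imply.

```ruby
#!/usr/bin/env ruby
# Illustrative model of a Jerakia-style lookup, written for these notes.
# NOT Jerakia's code: the docroot, schema files and hierarchy are constructed
# in memory and the function names are assumptions, but the behaviour shown is
# what the hiera plugin and the schema files above are configured for.
require 'yaml'
require 'json'

# Constructed stand-in for <docroot>/<level>/<namespace>.yaml files
# (docroot = /var/lib/jerakia/data in the policy above).
DOCROOT = {
  'fqdn/node1.example.com/vas.yaml' => "users_allow_entries:\n  - alice\n",
  'groups/web/vas.yaml' => "users_allow_entries:\n  - webadmins\ndomain: web.example.com\n",
  'common/vas.yaml'     => "users_allow_entries:\n  - ops\ndomain: example.com\nsettings:\n  timeout: 30\n  retries: 3\n",
  'groups/web/ssh.yaml' => "server:\n  port: 2222\n",
  'common/ssh.yaml'     => "server:\n  port: 22\n  banner: none\n",
}.freeze

# Constructed stand-in for /var/lib/jerakia/schema/<namespace>.json.
# Assumed layout: {"<param>": {"merge": "array" | "hash" | "first"}}.
SCHEMAS = {
  'vas' => JSON.parse('{"users_allow_entries": {"merge": "array"}, "settings": {"merge": "hash"}}'),
  'ssh' => JSON.parse('{"server": {"merge": "hash"}}'),
}.freeze

# What the hiera plugin does to a key: "vas::users_allow_entries" becomes
# namespace ["vas"] and key "users_allow_entries"; only the last :: is the split.
def hiera_rewrite(key)
  parts = key.split('::')
  raise ArgumentError, "#{key.inspect} is not a class::param key" if parts.size < 2
  [parts[0..-2], parts[-1]]
end

# Hierarchy levels, highest priority first. The level paths are built from the
# scope, so whoever supplies the scope decides which levels a node can reach.
def lookup_paths(scope)
  ["fqdn/#{scope.fetch(:fqdn)}", "groups/#{scope.fetch(:groups)}", 'common']
end

# Merge strategy for a key: taken from the namespace's schema, default first-found.
def merge_strategy(namespace, key)
  SCHEMAS.fetch(namespace.first, {}).dig(key, 'merge') || 'first'
end

# Walk the hierarchy and combine the values found according to the schema.
def jerakia_lookup(key, scope)
  namespace, leaf = hiera_rewrite(key)
  file = "#{namespace.join('/')}.yaml"
  found = lookup_paths(scope)
          .map { |level| DOCROOT["#{level}/#{file}"] }
          .compact
          .map { |text| YAML.safe_load(text) }
          .select { |data| data.is_a?(Hash) && data.key?(leaf) }
          .map { |data| data[leaf] }
  return nil if found.empty?

  case merge_strategy(namespace, leaf)
  when 'array'
    found.flatten.uniq                                  # every level contributes
  when 'hash'
    bad = found.reject { |v| v.is_a?(Hash) }
    raise TypeError, "#{key}: hash merge on non-hash #{bad.first.inspect}" unless bad.empty?
    found.reverse.reduce({}) { |acc, h| acc.merge(h) }  # higher priority wins per key
  else
    found.first                                         # first-found, like plain hiera
  end
end

if __FILE__ == $PROGRAM_NAME
  scope = { fqdn: 'node1.example.com', groups: 'web' }
  %w[vas::users_allow_entries vas::domain vas::settings ssh::server].each do |k|
    puts "#{k} => #{jerakia_lookup(k, scope).inspect}"
  end
end
```

Run as a script it shows users_allow_entries accumulating across all three levels while domain is first-found and ssh::server is a per-key hash merge. Note that lookup_paths turns scope values straight into hierarchy paths: whatever feeds the scope (agent facts, in the hiera.yaml scope settings later on this page) controls which levels a node can read.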
- Integrate with Puppet. Uses the Hiera 5 data provider, available as part of the crayfishx/jerakia module.
Add the crayfishx/jerakia Puppet module to the server modulepath to provide the Hiera 5 data provider:
puppet module install crayfishx/jerakia --modulepath /opt/puppetlabs/puppet/modules (or /etc/puppetlabs/puppet/modules, etc.)
Then generate a token with jerakia token create, such as:
jerakia token create puppet
or, if lost: jerakia token regenerate
and add it to hiera.yaml to allow Hiera access to the Jerakia backend. The token is a credential: anything that can read hiera.yaml can query every key Jerakia serves, so keep the file out of version control and world-readable paths.
/etc/puppetlabs/code/hiera/hiera.yaml (or /etc/puppetlabs/code/environments/production/hiera.yaml)
version: 5
defaults:
  data_hash: yaml_data
  datadir: "/var/lib/jerakia/data"
  #datadir: hieradata
hierarchy:
  - name: "Jerakia Server"
    lookup_key: jerakia
    options:
      token: puppet:07e1e2f7967a5398de42a89a89c5ee3670196b77cdcc9831365ce1caa2b7451e08f27f8ae6a8b1c3
      proto: https
      host: '<IP_address>'
      port: 9843
(every hiera.yaml modification requires a puppetserver restart)
- Restart puppetserver
Ref: http://jerakia.io/integration/puppet
Ref: https://www.craigdunn.org/2017/04/managing-puppet-secrets-with-jerakia-and-vault/
Alternative setups.
Common central server.
- Put the data in a central place on a remote Jerakia server and install the server there.
policydir: /etc/jerakia/policy.d
plugindir: /etc/jerakia/lib
loglevel: info
logfile: /var/log/jerakia/jerakia.log
server:
  token: 'puppet:07e1e2f7967a5398de42a89a89c5ee3670196b77cdcc9831365ce1caa2b7451e08f27f8ae6a8b1c3'
  bind: 'Public IP of Jerakia server'
  port: 9843
  proto: https
(Use https for access, and put the server behind a reverse proxy if necessary. Binding to a public IP exposes the whole data set to anyone holding the token, so restrict source addresses with a firewall or at the reverse proxy.)
Then provide this token and the host IP to the Puppet 5 Hiera config, or, for the fallback on the Puppet server, to /etc/jerakia/jerakia.yaml
root@puppet-server:/# cat /etc/puppetlabs/code/hiera/hiera.yaml
version: 5
defaults:
  data_hash: yaml_data
  datadir: "/var/lib/jerakia/data"
  #datadir: hieradata
hierarchy:
  - name: "Jerakia Server"
    lookup_key: jerakia
    options:
      token: puppet:07e1e2f7967a5398de42a89a89c5ee3670196b77cdcc9831365ce1caa2b7451e08f27f8ae6a8b1c3
      proto: https
      host: '<IP_address>'
      port: 9843
      scope:
        # No paths, just scope
        #certname: fqdn/%{trusted.certname}
        fqdn: "%{facts.fqdn}"
        #groups: "groups/%{facts.groups}"
        groups: "%{facts.groups}"
        environment: environment/%{environment}
        profile: "%{facts.profile}"
        access: "%{facts.access}"
        vas_domain: "%{facts.vas_domain}"
        domain: "%{facts.domain}"
        osfamily: "%{facts.osfamily}"
Note on the scope: everything under %{facts.*} is reported by the agent itself, so a compromised or misconfigured node can claim any groups/access/fqdn value and pull that level's data. %{trusted.certname} (commented out above) comes from the node's certificate and is the value the server can actually trust; prefer it for anything that gates access.
..... ..... .....
TBD: Automate; if we use custom Docker images (and decide on Jerakia), these steps can be baked into the image so the container is ready for use when deployed.