Reference

Table of Contents

Classes

  • node_encrypt::certificates: Class: node_encrypt::certificates This class distributes public certificates from your CA node to all compile server configurations. It is r

Functions

  • node_decrypt: Decrypt data with node_encrypt. This is intended to be used as a Deferred function on the agent via the node_encrypt::secret wrapper.
  • node_encrypt: Encrypt data with node_encrypt.
  • node_encrypt: This function simply encrypts the String or Sensitive passed to it using the certificate belonging to the client the catalog is being compile
  • node_encrypt::secret: This function encrypts a string on the server, and then decrypts it on the agent during catalog application.
  • redact: This function will modify the catalog during compilation to remove the named parameter from the class from which it was called. For example,

Classes

node_encrypt::certificates

Class: node_encrypt::certificates

This class distributes public certificates from your CA node to all compile server configurations. It is recommended to classify all your server nodes, including the CA, with this class.

It sets up a file mountpoint on the CA node and synchronizes all agent public certificates to the $ssldir/certs directory on each compile server. These certificates can be used to encrypt secrets for agents.

Note: If this class is applied to nodes in a flat hierarchy (i.e., without a primary server), then all agents will have all public certificates synced. This is not a security risk, as public certificates are designed to be shared widely. However, it is something you should be aware of.

Parameters:

[ca_server] If the CA autodetection fails, you can specify the FQDN of the CA server here.

[sort_order] If you have customized your HOCON-based auth.conf, set the appropriate sort order here. The default rule's weight is 500, so this parameter defaults to 300 to ensure that it overrides the default.

Parameters

The following parameters are available in the node_encrypt::certificates class:

ca_server

Data type: Optional[String[1]]

Default value: undef

sort_order

Data type: Integer

Default value: 300

Functions

node_decrypt

Type: Ruby 4.x API

Decrypt data with node_encrypt. This is intended to be used as a Deferred function on the agent via the node_encrypt::secret wrapper.

node_decrypt(String $content)


Returns: Any

content

Data type: String

node_encrypt

Type: Ruby 4.x API

Encrypt data with node_encrypt.

node_encrypt(String $content)

Encrypts the String passed to it using the certificate belonging to the client the catalog is being compiled for.

Returns: Any

content

Data type: String

node_encrypt(Sensitive $content)

Encrypts the Sensitive value passed to it using the certificate belonging to the client the catalog is being compiled for.

Returns: Any

content

Data type: Sensitive

node_encrypt

Type: Ruby 3.x API

This function simply encrypts the String or Sensitive passed to it using the certificate belonging to the client the catalog is being compiled for.

node_encrypt()


Returns: Any

node_encrypt::secret

Type: Puppet Language

This function encrypts a string on the server, and then decrypts it on the agent during catalog application.

node_encrypt::secret(Variant[String, Sensitive[String]] $data)

Encrypts the data on the server and returns a Deferred value that decrypts it on the agent during catalog application.

Returns: Deferred

data

Data type: Variant[String, Sensitive[String]]
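The server-encrypts, agent-decrypts flow that node_encrypt, node_decrypt and node_encrypt::secret describe above, as an added Ruby illustration that is not the module's own code. The certnames, the self-signed certificates and the PKCS7 envelope with AES-256-CBC are my assumptions, standing in for the agent's Puppet certificate (the one synced to $ssldir/certs on the compile servers) and for whatever format the module actually emits.

```ruby
require 'openssl'

# Constructed stand-in for an agent's Puppet identity. In a real deployment the
# private key never leaves the agent; only the certificate is synced to
# $ssldir/certs on the compile servers by node_encrypt::certificates.
def make_agent_identity(certname)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{certname}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  { key: key, cert: cert }
end

# Compile-server side (the node_encrypt role): needs only the agent's public
# certificate, so the secret is never stored in a form the server can reopen.
def server_encrypt(agent_cert, plaintext)
  cipher = OpenSSL::Cipher.new('AES-256-CBC') # assumed cipher, see lead-in
  OpenSSL::PKCS7.encrypt([agent_cert], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_pem
end

# Agent side (the node_decrypt role, run as a Deferred function): only the
# holder of the matching private key can recover the plaintext.
def agent_decrypt(agent_key, agent_cert, pem)
  OpenSSL::PKCS7.new(pem).decrypt(agent_key, agent_cert)
end

# Walks the flow for two constructed nodes and shows that a secret encrypted
# for web01 is opaque both in the catalog blob and to the other node.
def demo
  web  = make_agent_identity('web01.example.com')
  db   = make_agent_identity('db01.example.com')
  blob = server_encrypt(web[:cert], 'db-password-constructed')
  other = begin
    agent_decrypt(db[:key], db[:cert], blob)
  rescue OpenSSL::OpenSSLError
    nil # recipient does not match: db01 cannot read web01's secret
  end
  {
    plaintext:       agent_decrypt(web[:key], web[:cert], blob),
    other_node:      other,
    leaks_plaintext: blob.include?('db-password'),
  }
end
```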

redact

Type: Ruby 3.x API

This function will modify the catalog during compilation to remove the named parameter from the class from which it was called. For example, if you wrote a class named foo and called redact('bar') from within that class, then the catalog would not record the value of bar that foo was called with.

class foo($bar) {
  # this call will display the proper output, but because it's not a resource
  # the string won't exist in the catalog.
  notice("Class['foo'] was called with param ${bar}")

  # but the catalog won't record what the passed in param was.
  redact('bar')
}

class { 'foo':
  bar => 'this will not appear in the catalog',
}

Warning: If you use that parameter to declare other classes or resources, then you must take further action to remove the parameter from those declarations!

This takes an optional second parameter of the value to replace the original parameter declaration with. This parameter is required if the class declares a type that is not String for the parameter you're redacting.

redact()


Returns: Any