Export file resource created with exec

asked 2014-11-04 19:34:49 -0500

Glueon
15 ●3 ●5 ●9

On a node I use a command to generate a file which then should be exported to a PuppetDB and therefore be available for all clients. In this particular case it's a private key of installed openvpn server. I tried a naive approach:

define tunnel($id, $mode = 'server') {
  exec { "generateKey$id" :
    command => "/usr/sbin/openvpn --genkey --secret /etc/openvpn/$id.key",
    creates => "/etc/openvpn/$id.key",
    require => Package['openvpn']
  }
  file { "/etc/openvpn/tunnel_${id}_${mode}.conf":
    content => "$id $mode",
    ensure  => present
  }
}

node 'test.example.com' {
  @@tunnel { 'tap6' : id => 6 }
  ...
}

But exec ran each time I collect the resource on a client notwithstanding it's exported. So each client ended up generating server's private key instead of pulling a real one. How can I solve this problem? The only solution I see is to precompile private keys and use "pupet:///" or hiera.

answered 2014-11-05 16:32:30 -0500

cbarbour
967 ●1 ●5 ●16 http://www.taos.com/

Exported resource do not cause content from the node to be copied to other nodes... It causes resources to be defined using facts from that node, and then applied to other nodes.

Exporting an exec resource causes the command to be run on every node; it does not copy around the result.

One solution to your problem would be to pre-generate the key, store it in Hiera, and then apply that to each node. Another is to write a custom function on the master that generates the key once if not already generated, stores it on disk, and then sends the stored key to each node. (Generate might work here.)

Here's another option.

Generate the key using an exec resource. Do not export this resource.
Write a fact where the value of the fact is the content of the generate key.
Write a file resource where the content of the file is the fact from your node.
Export the file resource.
Realize the file resource on every node except the one that originally generated the key.

So, the secret of solving your problem is using a fact to get the key from the node it's generated on to the puppet master, which will then export the key to the rest of your infrastructure.

As an aside... Generating a private key and copying it around is very insecure. The catalog is plain text, and facts are generally visible to anyone with access to your Puppet infrastructure or Puppet console.

A better approach would be to use public key cryptography. Generate the private key on the client, and use a puppet fact and exported resources to apply it to the target host.