Ask Your Question

distribute custom fact built from hiera data with plugin-sync

asked 2016-05-23 07:22:52 -0600

pascal gravatar image

updated 2016-05-24 02:39:25 -0600


I need a custom fact to access resources which require user credentials unique to each agent. For contractual reasons I can not use the "normal" way of pushing a custom fact file and then do another run to read it (I also had fun with /var/lib/puppet for the same reason). What I'd like to do is have the plugin-sync mechanics evaluate a templated ruby fact on the master and populate it with the credentials based on the node name (puppet does know it, it is talking to it).

A) Any idea where to look? I could not find the point where custom facts are distributed.

B) Anybody else interested in this? I'd like to make a feature request.


The credentials are stored in a hiera backend.

    [ <list of credentials 00 >]
    [ <list of credentials 01 >]

The requirements for the agents explicitly state that management credentials must not be permanently stored on agents (don't ask, already tried; btw this makes things like the forge mysql module unusable for me). So the usual answer with two puppet runs is not an option. I already had to implement clean-up for the leftovers in /var/lib/puppet, so the fact will be gone after the run which deployed and used it.

edit retag flag offensive close merge delete


can the credentials be stored in hiera(either as yaml or another backend?) Can they be prepopulated on the instance as a file based fact during bootstrapping?

DarylW gravatar imageDarylW ( 2016-05-23 13:45:27 -0600 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2016-05-24 14:12:04 -0600

buzzdeee gravatar image

updated 2016-05-24 15:31:44 -0600


Instead of using facts, how about pushing environment variables to Puppet:

In my puppet module to manage puppet, I implemented a native type so that I can push environment variables to the node, see:

In Hiera I have:

    value: 'secret'
    value: 'supersecret'
    value: 'eu-central-1'

These I just instantiate with:

  $puppet_env = hiera_hash('puppet::env')
  create_resources(puppetenv, $puppet_env)

Then Puppet has these in the environment when it runs on the node. Just make sure you have these resources created/setup before you need them later on in your manifest ;)

hth, Sebastian

edit flag offensive delete link more


Interesting idea. I solved the problem with a custom provider which can handle credentials for my application. Unfortunately this still leaves me with the problem of getting some data from the application to know if I need to create the resource in the first place.

pascal gravatar imagepascal ( 2016-08-29 04:41:33 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools



Asked: 2016-05-23 07:22:52 -0600

Seen: 139 times

Last updated: May 24 '16