Our team rolled puppet out to our systems over the last six months. We're managing all sorts of resources, and some of them have sensitive data (database passwords for automated backups, license keys for proprietary software, etc.).
Other teams want to get involved in the development of (or at least be able to see) our modules and manifests. What have other people done to continue to have secure data moving through Puppet, while sharing the modules and manifests with a larger audience?
Use Hiera with GPG (you'll need the Hiera GPG plugin) for storing anything sensible (passwords etc.) and access it when needed. It's like a keychain for puppet (or anything else that needs access to shared secrets).
Also check this little guide to get an impression here.
Hiera can also do much more!
The trick in my mind is to have one puppet manifest file that isn't in the regular version control system. Make a
secrets
class and store all private information in there. The other thing I did for own purposes to ensure that every system has a different password without having to store a different password for every one was to generate a single random string in my secrets class and use the hash of that combined with an individual service value. Knowing the service value does not help you guess the master secret, but rather acts as a salt. See Managing service passwords with Puppet for how I did that, and how a few others approached the idea.Mediawiki also uses the "single class of secrets" for their data: http://blog.wikimedia.org/2011/09/19/ever-wondered-how-the-wikimedia-servers-are-configured/
We use github (both public and private repositories) to share modules and coordinate development. Modules are committed indiviually on github (split from the main repository using
git-subtree
).All changes are made to user repositories on github and go through pull requests, where all users can comment on them before they get merged and pulled back to the puppetmasters.