Our great sponsors
-
-
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
-
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
Git + SOPS here.
Another way is to use the Hiera eyaml backend: https://github.com/voxpupuli/hiera-eyaml. With eyaml, you swap out the plaintext secrets in your Hiera for encrypted strings that are decrypted during catalog compilation.
Not sure if this would help, but if you're able to use AWS the SSM Parameter Store offers secrets management with version control and flexible ACLs. We use chamber to simplify reading/writing secrets, but again it's specific to AWS.
There’s also https://github.com/petems/petems-hiera_vault which will work with 4.10 but you will have pain installing any plugins with puppet being so old. (We’re on 4.10 too)
git2consul (https://github.com/breser/git2consul) is an interesting idea...
Check out https://github.com/crayfishx/hiera-eyaml-vault which is a vault backend for hiera-eyaml. I'm not 100% sure but it could work with Puppet 4.10.
Yeah, I had considered something like this. There are many abandoned git2consul projects and forks... https://github.com/miniclip/gonsul looks like a good one, but a hashicorp official tool would be nice.