Simple Secrets in Salt Pillars

This is a simple example of storing secrets in Salt pillars. If you have a hundred slave machines, you don't need to trust all of them with every secret: the master only sends each slave the pillar data it was targeted for.

Following this tutorial requires a working Salt master-slave installation and familiarity with Salt states.

Create a Simple Hello World State

$ sudo mkdir -p /srv/salt/hellotero
$ sudoedit /srv/salt/hellotero/init.sls

/tmp/heivaan.txt:
  file.managed:
    - source: salt://hellotero/heivaan.txt
    - template: jinja

Create the template /srv/salt/hellotero/heivaan.txt (the file referenced above as salt://hellotero/heivaan.txt) so that it reads a value from pillar. Thanks to the default value "Tero", it renders even on slaves that have no pillar data.

Hello {{ pillar.get('yourname', 'Tero') }}!

You can test it already: all slaves will get the default value Tero.

$ sudo salt '*' state.apply hellotero
$ sudo salt '*' cmd.run 'cat /tmp/hei*'

Secrets in /srv/pillar/

Secrets are stored in /srv/pillar/ on the master. Only the slaves you target in the pillar top file will receive the values; the others never see them.

$ sudo mkdir -p /srv/pillar/

The pillar top file is different from the normal Salt state top file, so there are usually two different files called top.sls: /srv/salt/top.sls for states and /srv/pillar/top.sls for pillar.

$ sudoedit /srv/pillar/top.sls

base:
  paiste:
    - paiste

In this pillar top file, the environment is base. The slave with id "paiste" will get its pillar values from /srv/pillar/paiste.sls.

$ sudoedit /srv/pillar/paiste.sls

yourname: "Secret Agent"

Only the slave paiste will get the value "Secret Agent"; it is never sent to the other slaves.

Try it Out

$ sudo salt '*' state.highstate --state-output terse

You can verify the result:

$ sudo salt '*' cmd.run 'cat /tmp/hei*'
paiste:
    Hello Secret Agent!
slave01:
    Hello Tero!
slave02:
    Hello Tero!

Now you can store per-slave secrets in /srv/pillar/, and provide default values in the template for the slaves that are not supposed to know the secrets.
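To make the targeting rule concrete, here is an added Python model (not Salt's own code) of what the master does with the files above: compile a pillar for each minion id from the top file, then render the template's pillar.get() default. The top file, pillar file and template are embedded as constructed stand-ins; it also shows that a glob target such as slave* would work the same way.

```python
"""Model of how a Salt master compiles pillar per minion (added example).

Constructed data mirrors the tutorial's /srv/pillar/top.sls, paiste.sls and
heivaan.txt. This is an illustration, not Salt's own compiler: real top
files are YAML, real templates are rendered by Jinja, and targeting supports
far more than minion-id globs.
"""
import fnmatch
import re

# Constructed stand-in for /srv/pillar/top.sls (environment -> target -> sls list)
PILLAR_TOP = {"base": {"paiste": ["paiste"]}}
# Constructed stand-in for /srv/pillar/paiste.sls
PILLAR_FILES = {"paiste": {"yourname": "Secret Agent"}}
# Constructed stand-in for salt://hellotero/heivaan.txt
TEMPLATE = "Hello {{ pillar.get('yourname', 'Tero') }}!"

# Matches {{ pillar.get('key', 'default') }} as written in the template
_GET = re.compile(r"\{\{\s*pillar\.get\('([^']+)',\s*'([^']*)'\)\s*\}\}")


def compile_pillar(minion_id, top=PILLAR_TOP, files=PILLAR_FILES, env="base"):
    """Return the pillar dict the master would send to one minion.

    Targets in the top file are minion-id globs. A minion that matches no
    target receives an empty pillar, so the secret never leaves the master.
    """
    pillar = {}
    for target, sls_names in top.get(env, {}).items():
        if fnmatch.fnmatchcase(minion_id, target):
            for name in sls_names:
                pillar.update(files[name])
    return pillar


def render(template, pillar):
    """Render pillar.get('key', 'default') lookups, falling back to the default."""
    return _GET.sub(lambda m: pillar.get(m.group(1), m.group(2)), template)


def highstate(minion_ids):
    """Simulate state.apply on several minions: each gets its own compiled pillar."""
    return {mid: render(TEMPLATE, compile_pillar(mid)) for mid in minion_ids}


if __name__ == "__main__":
    for mid, text in highstate(["paiste", "slave01", "slave02"]).items():
        print(f"{mid}:\n    {text}")
```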
