This is a simple example of storing secrets in Salt Pillars. If you have a hundred slave machines, you don’t need to trust them all with every secret: each slave only receives the pillar values targeted at it.
Following this tutorial requires a working salt master-slave installation and salt states.
Create a Simple Hello World State
$ sudo mkdir -p /srv/salt/hellotero
$ sudoedit /srv/salt/hellotero/init.sls

/tmp/heivaan.txt:
  file.managed:
    - source: salt://hellotero/heivaan.txt
    - template: jinja
Create the template /srv/salt/hellotero/heivaan.txt, which reads a value from Pillar. Thanks to the default value “Tero”, it works even without pillars.
Hello {{ pillar.get('yourname', 'Tero') }}!
You can test it already; all slaves will get the default value Tero.
$ sudo salt '*' state.apply hellotero
$ sudo salt '*' cmd.run 'cat /tmp/hei*'
Secrets in /srv/pillar/
Secrets are stored in /srv/pillar/. Pillar data is compiled on the master and sent only to the slaves you target, so other slaves never see the values.
$ sudo mkdir -p /srv/pillar/
The pillar top file is different from the normal salt top file. There are usually two different files called top.sls: /srv/salt/top.sls for states and /srv/pillar/top.sls for pillar.
$ sudoedit /srv/pillar/top.sls
base:
  paiste:
    - paiste

In this pillar top file, the environment is base. The slave with id “paiste” will get pillar values from /srv/pillar/paiste.sls.
$ sudoedit /srv/pillar/paiste.sls
yourname: "Secret Agent"
Only slave paiste will get the value “Secret Agent”.
Try it Out
$ sudo salt '*' state.highstate --state-output terse
You can verify the result:
$ sudo salt '*' cmd.run 'cat /tmp/hei*'
paiste:
    Hello Secret Agent!
slave01:
    Hello Tero!
slave02:
    Hello Tero!
Now you can store per-slave secrets in /srv/pillar/ and provide default values for the slaves that don’t know the secrets.
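One thing to remember is that the secret does not stay in pillar: the state above renders it into /tmp/heivaan.txt on the slave, and the state output echoes the rendered diff back to the master. As an added example that is not part of the original tutorial, here is the same hellotero state with the rendered file restricted to root and the diff suppressed; user, group, mode and show_changes are standard file.managed arguments.

```yaml
# /srv/salt/hellotero/init.sls, hardened variant (added example)
/tmp/heivaan.txt:
  file.managed:
    - source: salt://hellotero/heivaan.txt
    - template: jinja
    # the rendered file contains a pillar value: keep it readable by root only
    - user: root
    - group: root
    - mode: '0600'
    # do not print the rendered content (and the secret) in the state output
    - show_changes: False
```

With show_changes off, state.highstate still reports whether the file changed, but the secret no longer appears in the job return or the master's job cache.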