Private data in public puppet
02 Feb 2012, 04:11
Morgan Freshour (1 post)
The puppet manifest for setting a DB password got me thinking. Is there a standard way to get puppet to set private data, like passwords, without storing them in a plain-text file? Perhaps prompting for them on run, or having some encoding mechanism? I mean, if one stores the manifests in git, they might end up pushing them to some remote repository or simply sharing them with another person. My memory is poor enough that I could easily forget the passwords are in the manifests, and having all my passwords in plain text where another can easily find them… well, that just doesn’t sound good :)
07 Feb 2012, 23:11
Tom Copeland (76 posts)
That’s an excellent question. When I’ve done Puppet in anger the entire repo has been hidden off in a separate location, so we didn’t have to worry about that. But I don’t much like that approach; I’d rather have the Puppet manifests open and accessible like everything else so that other folks can ask questions or suggest improvements. I’ve seen a couple of ways to do this, and I think Tony’s done this. Tony, correct me if I’m wrong, but you used a symlink to another directory where the “private-data” repo was held, right? There’s a variant on this that uses submodules with a remote that uses git+ssh that Nick Schottelius wrote up here: http://www.nico.schottelius.org/blog/how-to-add…. Generally, the approach seems to be to use another repo and lock down access to that repo. There’s also a thread on puppet-users about this here: http://groups.google.com/group/puppet-users/bro… . Some of the same ideas, plus a password generate/fetch function and a suggestion to write your own data store.