The Pillars workspace allows you to create and manage pillar data that is stored natively in SaltStack Config. Pillars are structures of data defined on the Salt master and passed through to one or more minions, using targets. They allow confidential, targeted data to be securely sent only to the relevant minion. Pillars are useful for limiting user access to private data. For example, you could use pillars to allow a user to run a job that requires authentication to an external service without accessing those authentication credentials themselves. In this case, you would assign the user access to the given job and target, but not to the pillar containing sensitive authentication details.
Pillar data is encrypted in the SaltStack Config database and is not stored in plain text. It is encrypted during transmission, and made visible only to minions specified in the pillar target settings. For more on assigning pillar to a target, see Assigning pillar.
A target is the group of minions, across one or many Salt masters, that a job’s Salt command applies to. A Salt master can also be managed like a minion and can be a target if it is running the minion service. Minions are nodes running the minion service, which can listen to commands from a Salt master and perform the requested tasks. See Minions for more information.
Pillar data can be stored in either of the following:
- A private pillar in the Pillars workspace
- A job’s settings
- In other pillar roots in the API (RaaS) server
Pillar data stored within a job is less secure than data in a standard pillar, as any user with permission to access the job can also view the pillar data. Jobs are used to run remote execution tasks, apply states, and start Salt runners. See Jobs for more information.
For more on pillar in Salt, see Salt pillar walkthrough.
In the Pillars workspace you can create new pillars and assign pillars to targets. When you assign a pillar to a target, you can also choose to refresh the pillar.
Accessing the Pillars workspace
To use the Pillars workspace, click Config > Pillars on the side menu.
Creating a pillar
To create a new pillar:
- In the Pillars workspace, click Create.
- Enter pillar data in JSON format and click Save.
Assigning pillar
To assign a pillar to a specific target:
-
In the Pillars workspace, select a pillar.
-
Click Update Targets.
-
In the dialog, select targets you want to apply the pillar to.
In addition to selecting a target, select Refresh pillar to make the pillar available to the selected target immediately.
-
Click Save.
The pillar data is now available to all minions in the selected target.
Pillars and the All Minions target
The All Minions target is read-only, and cannot be assigned pillar data. To assign pillar data to all minions, create a new target that matches all minions (*
). See Minions for more information.
Value precedence
If the same pillar data is defined in multiple sources, SaltStack Config selects the data to apply in the following order of precedence:
- Values passed directly on the job
- Values in the SaltStack Config user interface (in the Pillars workspace)
- Values in other pillar roots
You can change this behavior by adjusting the order of pillar_roots
in the Salt master configuration.
Pillar data format
External pillar data must be in JSON format. YAML is not currently supported.
Pillar dependencies
Files
Pillar data is useful for passing data into states, reactors, and other types of files. Make sure when creating or updating pillar data to also update pillar references in any corresponding files. See File Server.
Targets
Pillar data attached to a target is used when associated jobs run on the target. Make sure when updating pillar data to also refresh pillar on its associated targets. See Assigning pillar.