Comments (10)

petems commented on July 29, 2024

It has to be set within the context of the Puppetserver run as an environment variable, not hiera.

So this could be done as export VAULT_TOKEN=abc in either

  • /etc/sysconfig/puppetserver on RHEL and its derivatives
  • /etc/default/puppetserver on Debian, Ubuntu, and their derivatives

Or in the Environment/EnvironmentFile setting in the Puppetserver systemd unit file.

from petems-hiera_vault.

tenajsystems commented on July 29, 2024

Thank you for the quick response.

I am using Ubuntu and am on Puppet Enterprise. I went into /etc/default/pe-puppetserver and added export VAULT_TOKEN=<token here>. Do I need to set a value in the token field like in the hiera sample below? As in, where do I set ENV["VAULT_TOKEN"]? I am sure I am missing something but not sure what I am doing wrong.

---

version: 5

hierarchy:
  - name: "Hiera-vault lookup"
    lookup_key: hiera_vault
    options:
      confine_to_keys:
        - '^vault_.*'
        - '^.*_password$'
        - '^password.*'
      ssl_verify: false
      address: https://vault.foobar.com:8200
      token: 'ENV["VAULT_TOKEN"]'
      default_field: value
      mounts:
        some_secret:
          - "%{::trusted.certname}"
          - common
        another_secret:
          - "%{::trusted.certname}"
          - common

petems commented on July 29, 2024

Remove the token field completely from the config, it will look for the environment value automatically:

---

version: 5

hierarchy:
  - name: "Hiera-vault lookup"
    lookup_key: hiera_vault
    options:
      confine_to_keys:
        - '^vault_.*'
        - '^.*_password$'
        - '^password.*'
      ssl_verify: false
      address: https://vault.foobar.com:8200
      default_field: value
      mounts:
        some_secret:
          - "%{::trusted.certname}"
          - common
        another_secret:
          - "%{::trusted.certname}"
          - common

tenajsystems commented on July 29, 2024

When I remove the token field completely and then run puppet agent -t I get the below error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, [hiera-vault] no token set in options and no token in VAULT_TOKEN

petems commented on July 29, 2024

Ok, looks like you're right: For Puppetserver the variable has to be set in the /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf file:

I did a quick test now and it worked for me:

https://puppet.com/docs/puppetserver/latest/config_file_puppetserver.html

environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }

This will mean that it will use the value from the exported environmental setting within the JRuby run:

[root@puppet vagrant]# cat /etc/sysconfig/puppetserver | grep TOKEN
VAULT_TOKEN=s.2NwgupDg5BRSBEy4Gya3kkFR
[root@puppet vagrant]# cat /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf | grep TOKEN
    environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }
[root@puppet vagrant]# cat token.rb
puts "Vault token is #{ENV['VAULT_TOKEN']}}"
[root@puppet vagrant]# puppetserver ruby token.rb
Vault token is s.2NwgupDg5BRSBEy4Gya3kkFR}

You'll need to restart the puppet and puppetserver processes after making the changes also.

tenajsystems commented on July 29, 2024

So I have set export VAULT_TOKEN=<token_here> in /etc/default/pe-puppetserver and also set environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} } in /etc/puppetlabs/puppetserver/conf.d/pe-puppet-server.conf. Restarted puppet server and puppet but I keep getting the error below:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, [hiera-vault] no token set in options and no token in VAULT_TOKEN

petems commented on July 29, 2024

Can you run this test for me:

$ cat /etc/sysconfig/pe-puppetserver | grep TOKEN
$ cat /etc/puppetlabs/puppetserver/conf.d/pe-puppetserver.conf | grep TOKEN
$ echo 'puts "Vault token is #{ENV['VAULT_TOKEN']}}"' > token.rb
$ pe-puppetserver ruby token.rb
$ pe-puppetserver version

tenajsystems commented on July 29, 2024

Below are the outputs based on the commands you wanted me to run. Please note that setting environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} } in /etc/puppetlabs/puppetserver/conf.d/pe-puppet-server.conf causes the puppet server to fail to start and each time puppet runs, it fails.

$ cat /etc/default/pe-puppetserver | grep TOKEN
export export VAULT_TOKEN=<token_here>

$ cat /etc/puppetlabs/puppetserver/conf.d/pe-puppet-server.conf | grep TOKEN
environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }

$ echo 'puts "Vault token is #{ENV['VAULT_TOKEN']}}"' > token.rb (no output)

$  puppetserver ruby token.rb
NameError: uninitialized constant VAULT_TOKEN
  const_missing at org/jruby/RubyModule.java:3748
         <main> at token.rb:1
$ puppetserver version
puppetserver: 'version' is not a puppetserver command. See 'puppetserver --help'.

$ pe-puppetserver version
pe-puppetserver: command not found

Let me know if there is anything else that you would like for me to try. Thanks!

kosfar commented on July 29, 2024

@tenajsystems I think you have a double export command in your /etc/default/pe-puppetserver, could be a problem with puppetserver start failure. There is also a quote escaping trap in the echo command posted above. This simplifies things a bit:

echo "puts \"Vault token is #{ENV['VAULT_TOKEN']}\"" > token.rb

Btw adding the environment-vars map in /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf worked for me too for Puppetserver 5.3.

tenajsystems commented on July 29, 2024

Thank you. I decided to just have the token in a text file.

from petems-hiera_vault.
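
Added example, not part of the thread or of hiera_vault's code: a Ruby check for the two failure points discussed above (a malformed VAULT_TOKEN line in the defaults file, and a token that never reaches the Ruby process) that reports the token's presence without echoing it in full the way the token.rb test does. The function names, messages and masking format are assumptions of this example; pass the defaults file path as the first argument.

```ruby
# Added example: check VAULT_TOKEN setup without printing the secret.
# Helper names and messages are this example's own, not hiera_vault's.

# Problems found in the text of a defaults/sysconfig file.
def lint_defaults(text)
  lines = text.lines.map(&:strip)
              .select { |l| l.include?('VAULT_TOKEN') && !l.start_with?('#') }
  return ['no VAULT_TOKEN line found'] if lines.empty?

  lines.flat_map do |line|
    m = line.match(/\A(?<exports>(?:export\s+)*)VAULT_TOKEN=(?<value>.*)\z/)
    next ["unparseable line: #{line.sub(/=.*/, '=<redacted>')}"] if m.nil?

    value = m[:value].gsub(/\A["']|["']\z/, '')
    found = []
    # The doubled keyword is what the thread flagged as a possible cause.
    found << 'repeated "export" keyword' if m[:exports].scan('export').size > 1
    found << 'empty value' if value.empty?
    found << 'placeholder, not a token' if value =~ /\A<.*>\z/ || value.include?('ENV[')
    found
  end
end

# True when "other" users can read a file with this mode.
def world_readable?(mode)
  (mode & 0o004) != 0
end

# What this Ruby process sees, masking all but a two-character prefix.
def describe_token(env = ENV)
  token = env['VAULT_TOKEN']
  return 'VAULT_TOKEN is not set in this process' if token.nil? || token.empty?

  "VAULT_TOKEN is set (#{token.length} chars, starts with #{token[0, 2]}...)"
end

# Full report for one file plus the current environment.
def report(path, env = ENV)
  out = []
  if File.readable?(path)
    out.concat(lint_defaults(File.read(path)).map { |p| "#{path}: #{p}" })
    out << "#{path}: world-readable" if world_readable?(File.stat(path).mode)
  else
    out << "#{path}: not readable, skipped"
  end
  out << describe_token(env)
end

puts report(ARGV[0] || '/etc/default/puppetserver')
```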
