Comments (10)
It has to be set within the context of the Puppetserver run as an environment variable, not hiera.
So this could be done as `export VAULT_TOKEN=abc` in either
- `/etc/sysconfig/puppetserver` on RHEL and its derivatives
- `/etc/default/puppetserver` on Debian, Ubuntu, and their derivatives
Or in the Environment/EnvironmentFile setting in the Puppetserver systemd unit file.
from petems-hiera_vault.
Thank you for the quick response.
I am using Ubuntu and on puppet enterprise. I went into `/etc/default/pe-puppetserver` and added `export VAULT_TOKEN=<token here>`.
Do I need to set a value in the token field like in the hiera sample below? As in, where do I set `ENV["VAULT_TOKEN"]`? I am sure I am missing something but not sure what I am doing wrong.
```yaml
---
version: 5
hierarchy:
  - name: "Hiera-vault lookup"
    lookup_key: hiera_vault
    options:
      confine_to_keys:
        - '^vault_.*'
        - '^.*_password$'
        - '^password.*'
      ssl_verify: false
      address: https://vault.foobar.com:8200
      token: 'ENV["VAULT_TOKEN"]'
      default_field: value
      mounts:
        some_secret:
          - %{::trusted.certname}
          - common
        another_secret:
          - %{::trusted.certname}
          - common
```
from petems-hiera_vault.
Remove the `token` field completely from the config, it will look for the environment value automatically:
```yaml
---
version: 5
hierarchy:
  - name: "Hiera-vault lookup"
    lookup_key: hiera_vault
    options:
      confine_to_keys:
        - '^vault_.*'
        - '^.*_password$'
        - '^password.*'
      ssl_verify: false
      address: https://vault.foobar.com:8200
      default_field: value
      mounts:
        some_secret:
          - %{::trusted.certname}
          - common
        another_secret:
          - %{::trusted.certname}
          - common
```
from petems-hiera_vault.
When I remove the `token` field completely and then run `puppet agent -t` I get the below error:
```
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, [hiera-vault] no token set in options and no token in VAULT_TOKEN
```
from petems-hiera_vault.
Ok, looks like you're right: For Puppetserver the variable has to be set in the `/etc/puppetlabs/puppetserver/conf.d/puppetserver.conf` file:
https://puppet.com/docs/puppetserver/latest/config_file_puppetserver.html
```
environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }
```
This will mean that it will use the value from the exported environmental setting within the JRuby run. I did a quick test now and it worked for me:
```
[root@puppet vagrant]# cat /etc/sysconfig/puppetserver | grep TOKEN
VAULT_TOKEN=s.2NwgupDg5BRSBEy4Gya3kkFR
[root@puppet vagrant]# cat /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf | grep TOKEN
environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }
[root@puppet vagrant]# cat token.rb
puts "Vault token is #{ENV['VAULT_TOKEN']}}"
[root@puppet vagrant]# puppetserver ruby token.rb
Vault token is s.2NwgupDg5BRSBEy4Gya3kkFR}
```
You'll need to restart the puppet and puppetserver processes after making the changes also.
from petems-hiera_vault.
So I have set `export VAULT_TOKEN=<token_here>` in `/etc/default/pe-puppetserver` and also set `environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }` in `/etc/puppetlabs/puppetserver/conf.d/pe-puppet-server.conf`. Restarted puppet server and puppet but I keep getting the error below:
```
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, [hiera-vault] no token set in options and no token in VAULT_TOKEN
```
from petems-hiera_vault.
Can you run this test for me:
```
$ cat /etc/sysconfig/pe-puppetserver | grep TOKEN
$ cat /etc/puppetlabs/puppetserver/conf.d/pe-puppetserver.conf | grep TOKEN
$ echo 'puts "Vault token is #{ENV['VAULT_TOKEN']}}"' > token.rb
$ pe-puppetserver ruby token.rb
$ pe-puppetserver version
```
from petems-hiera_vault.
Below are the outputs based on the commands you wanted me to run. Please note that setting `environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }` in `/etc/puppetlabs/puppetserver/conf.d/pe-puppet-server.conf` causes the puppet server to fail to start and each time puppet runs, it fails.
```
$ cat /etc/default/pe-puppetserver | grep TOKEN
export export VAULT_TOKEN=<token_here>
$ cat /etc/puppetlabs/puppetserver/conf.d/pe-puppet-server.conf | grep TOKEN
environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }
$ echo 'puts "Vault token is #{ENV['VAULT_TOKEN']}}"' > token.rb
(no output)
$ puppetserver ruby token.rb
NameError: uninitialized constant VAULT_TOKEN
  const_missing at org/jruby/RubyModule.java:3748
  <main> at token.rb:1
$ puppetserver version
puppetserver: 'version' is not a puppetserver command. See 'puppetserver --help'.
$ pe-puppetserver version
pe-puppetserver: command not found
```
Let me know if there is anything else that you would like for me to try. Thanks!
from petems-hiera_vault.
@tenajsystems I think you have a double `export` command in your `/etc/default/pe-puppetserver`, could be a problem with puppetserver start failure. There is also a quote escaping trap in the echo command posted above. This simplifies things a bit:
```
echo "puts \"Vault token is #{ENV['VAULT_TOKEN']}\"" > token.rb
```
Btw adding the `environment-vars` map in `/etc/puppetlabs/puppetserver/conf.d/puppetserver.conf` worked for me too for Puppetserver 5.3.
from petems-hiera_vault.
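The two failure modes the thread arrives at (the token not reaching the JRuby runtime because the `environment-vars` map is missing, and the defaults file breaking service start-up because of a doubled `export`) can be caught before restarting the service. The script below is an added diagnostic, not part of petems-hiera_vault or of Puppetserver; the file paths are parameters, the sample files are constructed here, and the token value is a labelled placeholder.

```shell
#!/bin/sh
# Added diagnostic (not from the module or Puppet): checks the two files the thread
# identifies as the path of VAULT_TOKEN from the service environment into JRuby.

# Returns 0 when the defaults/sysconfig file carries exactly one well-formed VAULT_TOKEN export.
check_defaults() {
    # "export export VAULT_TOKEN=..." is a shell syntax error in an EnvironmentFile-style
    # script, which is the likely cause of the start-up failure reported in the thread.
    if grep -Eq '^[[:space:]]*export[[:space:]]+export[[:space:]]' "$1"; then
        echo "defaults: doubled 'export' keyword in $1"; return 1
    fi
    n=$(grep -Ec '^[[:space:]]*(export[[:space:]]+)?VAULT_TOKEN=[^[:space:]]+' "$1" || true)
    n=${n:-0}
    [ "$n" -eq 1 ] || { echo "defaults: expected one VAULT_TOKEN assignment in $1, found $n"; return 1; }
}

# Returns 0 when puppetserver.conf forwards the process variable into JRuby's ENV
# through the HOCON substitution  environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }.
check_conf() {
    grep -Eq 'environment-vars[[:space:]]*:[[:space:]]*\{[^}]*"VAULT_TOKEN"[[:space:]]*:[[:space:]]*\$\{VAULT_TOKEN\}' "$1" \
        || { echo "conf: no environment-vars entry forwarding VAULT_TOKEN in $1"; return 1; }
}

# Writes the probe from the thread with the quoting fixed, for 'puppetserver ruby token.rb'
# (or pe-puppetserver on PE). It reports presence only and never prints the token itself.
write_probe() {
    printf '%s\n' "puts(ENV['VAULT_TOKEN'] ? 'VAULT_TOKEN is set in JRuby ENV' : 'VAULT_TOKEN missing')" > "$1"
}

# Constructed sample files: a correct pair, the doubled-export defaults file from the
# thread, and a conf file without the environment-vars map. Prints the directory.
make_samples() {
    d=$(mktemp -d)
    printf 'export VAULT_TOKEN=%s\n' 'EXAMPLE_TOKEN_PLACEHOLDER' > "$d/good.defaults"
    printf 'export export VAULT_TOKEN=%s\n' 'EXAMPLE_TOKEN_PLACEHOLDER' > "$d/bad.defaults"
    printf 'environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }\n' > "$d/good.conf"
    printf 'jruby-puppet: { max-active-instances: 2 }\n' > "$d/bad.conf"
    echo "$d"
}

# Stand-alone run against the constructed samples.
dir=$(make_samples)
check_defaults "$dir/good.defaults" && check_conf "$dir/good.conf" && echo "sample pair: OK"
check_defaults "$dir/bad.defaults" || true
check_conf "$dir/bad.conf" || true
write_probe "$dir/token.rb" && cat "$dir/token.rb"
```

On a real host, point `check_defaults` at `/etc/default/pe-puppetserver` (or `/etc/sysconfig/puppetserver`) and `check_conf` at the `conf.d` file, then run the written probe with `puppetserver ruby` after the restart.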
Thank you. I decided to just have the token in a text file.
from petems-hiera_vault.