Comments (6)
Hi, let me look into this for you. If it can't reach Vault, it should just error out and then hiera should return an error.
Q: Is there a reason you're using hiera over the new lookup available with Puppet 6? This: https://forge.puppet.com/puppet/vault_lookup
from petems-hiera_vault.
So from my testing, this isn't reproducible with the documented method of using lookup, either an automatic parameter lookup or explicit lookup in Puppet code:

```yaml
---
version: 5
hierarchy:
  - name: "Hiera-vault lookup"
    lookup_key: hiera_vault
    options:
      confine_to_keys:
        - '^vault_.*'
        - '^.*_password$'
        - '^password.*'
      ssl_verify: false
      address: http://puppet:8200
      token: /etc/does_not_exist.txt
      default_field: value
      mounts:
        puppet:
          - '%{::trusted.certname}/'
```

```puppet
# profile to deploy a puppet vault_message
class profile::vault_message {
  $vault_notify = lookup({"name" => "vault_notify"})
  notify { "testing vault ${vault_notify}": }
}
```

Error when running from Puppet:

```text
Info: Retrieving locales
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Function lookup() did not find a value for the name 'vault_notify' on node node1.vm
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
```
It's been a long time, but I do remember you being able to have functions within yaml files but it being heavily not recommended to do, because of issues like this. Is there a reason you're doing the lookup within the yaml file, rather than either doing an explicit lookup or using automatic parameter lookup?
Ah yes, so this would've been an interpolation function... never really understood the benefits of that, but if you do have a need to use it, I would defend against the empty string by strongly typing the parameter to prevent the empty string issue, or just a function to check it's not an empty string.
The error isn't from hiera_vault but how interpolation functions from Hiera handle errors; the same thing would happen with any backend if it couldn't find a value.
Thank you so much for getting back to me @petems. I was out of town, hence my delayed response. I don't necessarily have a need to use the interpolation function. I have tried the following, but an empty string still gets substituted. How can I interpolate this value without using the lookup function? It appears the lookup doesn't go to Vault at all.

```yaml
virtual::secret_key: "%{password_virtual_key}"
```
As a test, I interpolated a fact, and is working fine. I've perused the documentation a number of times, and I don't see a clear cut way to interpolate a string without using the lookup function in Hiera.
This works (test only).

```yaml
virtual::secret_key: "%{facts.hostname}"
```
Interpolation itself isn't the issue, it's how interpolation deals with errors. It appears that if there's an issue with doing a lookup (such as the token being unavailable so the Vault process returns nothing) then it returns an empty string. So a fact lookup would have the same thing if there's an error returning a fact.
In fact, you're doubling up a little, as you don't need to use a yaml data file for vault lookup at all.
You don't need to do a lookup in the yaml at all: Puppet will use Vault directly via the plugin.
So with automatic parameter lookup: when the class is compiled, it will try and do a hiera lookup for the parameter secret_key.
So you could simply have the secret as a value at the mount, in your case that would be on your vault as a key entry like this:
secrets/puppet_nogroup/nodes/app01.example.com/virtual::secret_key
One thing to highlight: Vault will only do a lookup for keys that match your restrictions, with your current config it would not do that lookup, you could add in secret or key regex:
```yaml
- '^vault_.*'
- '^.*_password$'
- '^password.*'
- '^.*_key$'
```
If you still wanted to use lookup within the yaml code, you could simply change your code so an empty string would cause an error:
```puppet
class virtual (
  String[1] $secret_key,
  # ...
) {
  # ...
}
```
Does that all make sense?
Thank you @petems. We've sorted out our issues. For reference, I decided to not use APM so I can confine my variables to a specific key, i.e. vault_. Here is what I did to work around this in my YAML data file.

```yaml
lookup_options:
  something::secret:
    convert_to: "String[1]"
```
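An added example, my own code rather than hiera_vault's or anything posted in the thread, that models the two defences the discussion above settles on: checking which keys the quoted confine_to_keys regexes actually route to the Vault backend (the point about adding '^.*_key$'), and refusing the empty string that a failed interpolation silently yields, as String[1] and convert_to: "String[1]" do in Puppet. The hiera.yaml fragment is copied from the thread and embedded inline; the function names and the interpolate/require_nonempty model are my own assumptions about the behaviour described, not hiera_vault internals.

```ruby
require 'yaml'

# Constructed copy of the hiera.yaml quoted in the thread, reduced to the parts
# this example needs. Not hiera_vault's own code.
HIERA_YAML = <<~YAML
  version: 5
  hierarchy:
    - name: "Hiera-vault lookup"
      lookup_key: hiera_vault
      options:
        confine_to_keys:
          - '^vault_.*'
          - '^.*_password$'
          - '^password.*'
YAML

# Pull the confine_to_keys regexes for the hiera_vault level out of a hiera.yaml.
def confine_patterns(hiera_yaml = HIERA_YAML)
  cfg = YAML.safe_load(hiera_yaml)
  level = cfg['hierarchy'].find { |h| h['lookup_key'] == 'hiera_vault' }
  Array(level && level.dig('options', 'confine_to_keys')).map { |p| Regexp.new(p) }
end

# True when the backend would be consulted for this key at all; keys that match
# no pattern never reach Vault, whatever is stored there.
def confined?(key, patterns = confine_patterns)
  patterns.any? { |re| re.match?(key) }
end

# Hypothetical model of the interpolation behaviour described in the thread:
# a lookup that fails (nil) is interpolated as the empty string, not an error.
def interpolate(looked_up)
  looked_up.nil? ? '' : looked_up
end

# Mirrors String[1] / convert_to: "String[1]": an empty secret fails loudly.
def require_nonempty(name, value)
  raise ArgumentError, "#{name} resolved to an empty string (failed lookup?)" if value.to_s.empty?
  value
end

# Which of the keys discussed in the thread reach the Vault backend with the
# quoted config, optionally with extra patterns such as '^.*_key$' appended.
def routing_report(extra = [])
  pats = confine_patterns + extra.map { |p| Regexp.new(p) }
  %w[vault_notify password_virtual_key virtual::secret_key].map { |k| [k, confined?(k, pats)] }.to_h
end
```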