Docs: More guidance on how to use this in yaml #97

Open
whoracle opened this issue Jan 9, 2024 · 0 comments
whoracle commented Jan 9, 2024

So, I've been reading the README, and came across this:

And make yourself a favor and avoid lookup directly ;) Use

profile::ssl_role::key: "%{alias('vault_storage::ssl/params.key')}"

to inject value from key inside http://vault.foobar.com:8200/secret/data/ssl/params.

To me, this suggests that I can "just" use this as-is in my node.yaml files. However, for a given vault path puppet/data/nodes/node01.example.com/vault_gitlab with a key of token and a value of some_value, and a line in my yaml like this:

profiles::gitlab::runner::runners:
  '%{::fqdn}_shell':
    url: 'https://example.com'
    executor: 'shell'
    token: "%{alias('vault_storage::nodes/node01.example.com/vault_gitlab.token')}"

I get exactly nothing. If I use lookup() in my corresponding profile, I get the correct value back.

So, I am missing something, quite possibly something trivial. But what? My guess would be that I have not defined a class vault_storage anywhere, but how would I go ahead and define the alias correctly?

Relevant part of my hiera.yaml looks like this:

---
version: 5

defaults:
  datadir: 'data'
  data_hash: 'yaml_data'

hierarchy:
  ## Hashicorp Vault
  - name: 'Hiera-vault lookup'
    lookup_key: hiera_vault
    options:
      confine_to_keys:
        - '^vault_.*'
      address: https://vault.example.com
      token: /etc/puppetlabs/code/vault_token.txt
      v2_guess_mount: false
      v1_lookup: false
      mounts:
        puppet/data:
          - 'nodes/%{::trusted.certname}'
          - 'global'

  ## Server
  - name: 'Machine specific data for one configured node served by puppet.'
    path: 'nodes/%{trusted.certname}.yaml'

Edit: I also tried with the following hiera.yaml:

---
version: 5

defaults:
  datadir: 'data'
  data_hash: 'yaml_data'

hierarchy:
  ## Hashicorp Vault
  - name: 'Hiera-vault lookup'
    lookup_key: hiera_vault
    options:
      confine_to_keys:
        - '^vault_storage::.*'
        - '^vault_.*'
      strip_from_keys:
        - 'vault_storage::'
      address: https://vault.example.com
      token: /etc/puppetlabs/code/vault_token.txt
      v2_guess_mount: false
      v1_lookup: false
      mounts:
        puppet/data:
          - 'nodes/%{::trusted.certname}'
          - 'global'

  ## Server
  - name: 'Machine specific data for one configured node served by puppet.'
    path: 'nodes/%{trusted.certname}.yaml'

Still to no avail.
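The hiera.yaml entries above carry the settings that decide which keys ever reach Vault and how the server authenticates to it. The following Python script is an added example, not the issue author's code and not part of hiera-vault: it lints a parsed hierarchy entry for weak settings (plain-http address, inline token literal, world-readable token file, empty confine_to_keys, invalid regex) and shows which lookup keys the configured confine_to_keys patterns would route to the backend. The option names are the ones used in the issue; the assumption that confine_to_keys patterns are regexes matched against the full Hiera key, and that strip_from_keys removes the first matching prefix, is mine and is not verified against the module source. The two entries at the bottom are constructed for the demonstration (the first mirrors the second hiera.yaml from the issue).

```python
"""Defensive lint for a hiera-vault hierarchy entry (added example, not module code)."""
import os
import re
import stat


def key_is_confined(key: str, patterns: list) -> bool:
    """Return True if `key` matches any confine_to_keys pattern.

    Assumption: patterns are regexes applied to the full Hiera key, with
    anchoring left to the pattern author (hence '^vault_.*' in the README).
    """
    return any(re.match(p, key) for p in patterns)


def strip_prefixes(key: str, strip_from_keys: list) -> str:
    """Apply strip_from_keys: remove the first pattern that matches once."""
    for p in strip_from_keys:
        stripped, count = re.subn(p, "", key, count=1)
        if count:
            return stripped
    return key


def lint_vault_entry(entry: dict) -> list:
    """Return a list of human-readable findings for one hierarchy entry."""
    findings = []
    opts = entry.get("options", {})

    address = str(opts.get("address", ""))
    if not address.startswith("https://"):
        findings.append(
            f"address {address!r} is not https: the token and every secret "
            "would cross the network in clear text")

    token = opts.get("token")
    if token is None:
        findings.append("no token option set")
    elif not str(token).startswith("/"):
        findings.append("token looks like an inline literal; keep it in a "
                        "file readable only by the puppetserver user instead")
    elif os.path.exists(token):
        # Only checked when the file is present on the machine running the lint.
        mode = stat.S_IMODE(os.stat(token).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"token file {token} is accessible to group/other "
                            f"(mode {mode:o})")

    patterns = opts.get("confine_to_keys") or []
    if not patterns:
        findings.append("confine_to_keys is empty: every Hiera key on the "
                        "server would be looked up in Vault")
    for p in patterns:
        try:
            re.compile(p)
        except re.error as exc:
            findings.append(f"confine_to_keys pattern {p!r} does not compile: {exc}")

    if not opts.get("mounts"):
        findings.append("no mounts configured; the backend has nothing to search")
    return findings


# Constructed sample: the second hiera.yaml entry from the issue, as a dict.
ISSUE_ENTRY = {
    "name": "Hiera-vault lookup",
    "lookup_key": "hiera_vault",
    "options": {
        "confine_to_keys": ["^vault_storage::.*", "^vault_.*"],
        "strip_from_keys": ["vault_storage::"],
        "address": "https://vault.example.com",
        "token": "/etc/puppetlabs/code/vault_token.txt",
        "v2_guess_mount": False,
        "v1_lookup": False,
        "mounts": {"puppet/data": ["nodes/%{::trusted.certname}", "global"]},
    },
}

# Constructed weak counterpart: plain http, inline token, no key confinement.
WEAK_ENTRY = {
    "name": "Hiera-vault lookup",
    "lookup_key": "hiera_vault",
    "options": {
        "address": "http://vault.example.com:8200",
        "token": "s.PLACEHOLDER_TOKEN",
        "confine_to_keys": [],
        "mounts": {"puppet/data": ["global"]},
    },
}

if __name__ == "__main__":
    for label, entry in (("issue", ISSUE_ENTRY), ("weak", WEAK_ENTRY)):
        print(f"[{label}]", lint_vault_entry(entry) or "no findings")
    pats = ISSUE_ENTRY["options"]["confine_to_keys"]
    for key in ("vault_storage::nodes/node01.example.com/vault_gitlab.token",
                "profiles::gitlab::runner::runners"):
        print(key, "->", "vault" if key_is_confined(key, pats) else "yaml only")
```

In real use, load hiera.yaml with a YAML parser, pick the entries whose lookup_key is hiera_vault, and run lint_vault_entry on each; the routing helper is handy for confirming that a key such as profiles::gitlab::runner::runners is never sent to Vault while the aliased vault_storage:: key is.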
