hiera-eyaml
hiera_array() creates literal ENC[...] array element along with decrypted string
hiera_array() in conjunction with eyaml will yield an array containing the decrypted element, but also a spurious element containing the eyaml literal.
Consider the following hiera file:
---
array_w_encrypted_element:
- a
- b
- ENC[GPG,hQIOA3fxw9YrYu65EAf/RpCJIsF7b4huIxBBn0tf8BtozuBjNJQ0sBjamJDOjBY4HrhSn7h2pQLBZgRf70JDhkxFNBtrLd2qS0EfPv57RCVlnh4mWKS/DfVJqzQSKLszmKGpSavc+muxeFU0QkpZWIWFZZQ6EG3VJ7HMmrfSLe6DONaQkl58Ie1h9yS7TDK/wGsArEPkQ2BLw/989RRUX0r6qcjSiZ9ooUDufipCO1F4ceBV/CRn7/DoSkF0T0qKeM45jQ/WprYTfO8rFkG9Yy8HSP9pdwa0eSui60fTRbjt47I53ys3+XQXrG2VCF2YXqCMWl8XcgDolDdNkxEDVa6a6O5y1kHF9w6+V+nQcAgAii0qAhL0vWY9fmHPDmySXr5tpDjjSkWc64F1OC8nWD4ifz5rEEU1pEQUVDYTJ4xenvndkgA4EKOQauo4lBQh9MRPAoG+tc78OQNqidW0SHBgm/Cdf/g4DLonZcs1sPj8ZbTvnALsSoiRfphXAzrBfTVJfAvXuPZ1dALNRAlXd1lEneRE7r9yXgGGxD4pfXLnLPfaPGvhNmNXQ7+w0ym4cQIqDUw2PcPV5Z+uJ1+6gO5G9E/8JgW7tkY2VIBZBO+ptMP3FAYGj9HM5UNPK7gONkUwgBm+Zw27lyZ4vqVm+vxzD8LtOqqPmRiwLD5y8dSRR0IxkcAYgNp2wP+GgrObrNI8ASx0OYRjH9tOOul8QUtJYlskY4C1oQI4YhBlOXiG3PdkwFoKSEdoLcX2i3kWC5MKL5dm/yi12tUZhGTd]
And the following manifest:
class manifests::eyaml::woes {
  $_data = hiera_array('array_w_encrypted_element')
  file { '/tmp/foo.json':
    ensure  => present,
    content => join($_data," "),
  }
}
This yields the following file:
a b c ENC[GPG,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]
The same applies to hiera_hash() when one of the keys contains a nested array.
Environment:
Platform: Linux CentOS 7.2.1511
Architecture: x86_64
RPM: puppetserver-2.4.0-1.el7.noarch
$ puppetserver gem list
Warning: The following options to parse-opts are unrecognized: :flag
*** LOCAL GEMS ***
collectd-dsl (0.3.5)
hiera-eyaml (2.1.0)
hiera-eyaml-gpg (0.6)
highline (1.6.21)
jar-dependencies (0.1.13)
jruby-openssl (0.9.7 java)
json (1.8.0 java)
rake (10.1.0)
rdoc (4.1.2)
ruby_gpg (0.3.2)
trollop (2.1.2)
uuidtools (2.1.5)
Is that due to the file being parsed by both the eyaml parser and the yaml parser?
Interesting theory! How can I test it?
Is there any progress/news on this issue?
As a dirty workaround you could do the following:
---
myvalue: ENC[GPG,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]
array_w_encrypted_element:
- a
- b
- "%{hiera('myvalue')}"
But this isn't nice and a fix would be better.
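
The question raised in the thread (is the file read by both the eyaml and the plain yaml backend?) can be explored with a small model. This is an added example, not code from hiera or hiera-eyaml; it assumes an array lookup concatenates the answer of every configured backend and de-duplicates, and `fake_decrypt`, the backend function names and the placeholder ciphertext are hypothetical.

```ruby
require 'yaml'

# Constructed sample: same shape as the hiera file in the report, with a
# short placeholder instead of the real GPG ciphertext.
SAMPLE = <<~YAML
  ---
  array_w_encrypted_element:
    - a
    - b
    - ENC[GPG,placeholder]
YAML

ENC_RE = /\AENC\[(\w+),(.*)\]\z/m

# Hypothetical stand-in for decryption; a real eyaml backend would call GPG.
def fake_decrypt(_ciphertext)
  'c'
end

# Plain yaml backend: values come back untouched, ENC[...] stays a literal.
def yaml_backend_lookup(key)
  YAML.safe_load(SAMPLE)[key]
end

# eyaml-style backend: same file, but ENC[...] strings are decrypted.
def eyaml_backend_lookup(key)
  YAML.safe_load(SAMPLE)[key].map do |v|
    v.is_a?(String) && v =~ ENC_RE ? fake_decrypt($2) : v
  end
end

# Assumed array-merge behaviour: collect every backend's answer, flatten, uniq.
def array_lookup(key, backends)
  backends.map { |b| send(b, key) }.compact.flatten.uniq
end

# Elements of a lookup result that are still undecrypted ENC[...] literals.
def leaked_literals(values)
  values.grep(ENC_RE)
end

key = 'array_w_encrypted_element'
both = array_lookup(key, %i[eyaml_backend_lookup yaml_backend_lookup])
only = array_lookup(key, %i[eyaml_backend_lookup])
puts "both backends: #{both.join(' ')}"
puts "eyaml only:    #{only.join(' ')}"
puts "leaked:        #{leaked_literals(both).inspect}"
```

If the model matches a given setup, the spurious element should disappear when only the eyaml backend serves that file; `leaked_literals` is the kind of check that can be run over lookup results to catch ciphertext literals before they reach a rendered file.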