hiera-eyaml
Automatically convert encrypted values to Sensitive[T]
So I'm learning to use secrets and I stumbled upon https://blog.example42.com/2019/04/04/puppet_sensitive_data/ and https://puppet.com/blog/my-journey-securing-sensitive-data-puppet-code/. Both blogs run into an error when they declare a class parameter as Sensitive[String] $foo and receive String, and solve it by manually converting data types for each value that's deemed sensitive in YAML, like this:
lookup_options:
  profile::db::password:
    convert_to: "Sensitive"
Couldn't hiera-eyaml do it automatically for all encrypted types?
I guess to not break backward compatibility this would have to be an opt-in in hiera.yaml, e.g.:
defaults:
  lookup_key: eyaml_lookup_key
  options:
    eyaml_convert_to_sensitive: true
    pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem
    pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem
I assume that this project is for editing EYAML while Puppet itself decrypts them so it's more of a request to change eyaml_lookup_key.rb.
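Until an opt-in like the one requested above exists, the manual `convert_to` entries can at least be audited. The following is an added example, not code from the issue or from the hiera-eyaml project: it lists top-level keys in a Hiera data file that hold `ENC[...]` values but have no `convert_to: Sensitive` entry under `lookup_options`. The function names, the sample keys other than `profile::db::password`, and the placeholder ciphertexts are constructed; only literal `lookup_options` keys are checked, not regex patterns.

```ruby
require 'yaml'

# Constructed sample data file; the ENC[...] payloads are placeholders.
SAMPLE_DATA = <<~EOS
  lookup_options:
    profile::db::password:
      convert_to: "Sensitive"
  profile::db::password: ENC[PKCS7,PLACEHOLDER1]
  profile::db::user: app
  profile::api::token: >
    ENC[PKCS7,PLACEHOLDER2]
  profile::ldap:
    bind_dn: cn=puppet
    bind_pw: ENC[PKCS7,PLACEHOLDER3]
EOS

# True if the value, or anything nested inside it, contains an eyaml token.
def encrypted?(value)
  case value
  when String then value.match?(/ENC\[\w+,[^\]]+\]/)
  when Hash   then value.values.any? { |v| encrypted?(v) }
  when Array  then value.any? { |v| encrypted?(v) }
  else false
  end
end

# Top-level keys with encrypted content but no convert_to: Sensitive.
# For a Hash or Array value, convert_to wraps the whole looked-up value.
def missing_sensitive(data)
  opts = data['lookup_options'] || {}
  data.reject { |k, _| k == 'lookup_options' }
      .select { |_, v| encrypted?(v) }
      .keys
      .reject { |k| opts.dig(k, 'convert_to').to_s == 'Sensitive' }
end

# lookup_options stanza to merge into the data file for those keys.
def suggested_lookup_options(keys)
  entries = keys.to_h { |k| [k, { 'convert_to' => 'Sensitive' }] }
  { 'lookup_options' => entries }.to_yaml
end

if __FILE__ == $PROGRAM_NAME
  source = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_DATA
  keys = missing_sensitive(YAML.safe_load(source))
  puts suggested_lookup_options(keys) unless keys.empty?
end
```

Run it with a data file path as the only argument; with no argument it checks the embedded sample.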