
lookup example with default parameter if decrypt fails

Open mvogt1 opened this issue 2 years ago • 3 comments

I'm using puppet apply during development / testing, which no longer works if I use "lookup" for an eyaml value:

I expected that the following call to lookup would return "INVALID" in this case:

class vmware::maintenance::write_vsphere_api_key {
  $method = lookup('profiles::mail::smarthost_password_eyaml', String, undef, "INVALID")
  #$method = "INVALID"
  warning("METHOD: $method")
  if ($method != "INVALID") {
    warning("Applying secret")
  }
}

I expected that, if decryption is not possible, lookup would return INVALID in $method, but I get:

Error: Evaluation Error: Error while evaluating a Function Call, 
Lookup of key 'profiles::mail::smarthost_password_eyaml' failed: 
hiera-eyaml backend error decrypting

and, as a result, puppet apply aborts. Puppet documentation for lookup: https://puppet.com/docs/puppet/7/hiera_automatic.html (replacing the eyaml key with any key that is not available returns INVALID)

Is there a different solution? Something like:

  • if the eyaml key is present and decryption fails, is it possible to get this information without aborting puppet?

(I did not find an example for this.)

mvogt1 avatar Jun 21 '22 13:06 mvogt1

Hi, thanks for bringing this up. Can you add --debug to the puppet apply? Does that provide more (helpful) output?

bastelfreak avatar Jun 21 '22 13:06 bastelfreak

Thanks for your reply. --debug does not provide any helpful output, but here is the complete error message:

Error: Evaluation Error: Error while evaluating a Function Call, 
Lookup of key 'profiles::mail::smarthost_password_eyaml' failed: hiera-eyaml backend error decrypting ENC[PKCS7,M....]
 when looking up profiles::mail::smarthost_password_eyaml in /etc/puppet/environments/devel/hieradata/secrets.eyaml. 
Error was No such file or directory @ rb_sysopen - /etc/puppetlabs/puppet/eyaml_keys/private_key.pkcs7.pem 
(file: /etc/puppet/environments/devel/modules/vmware/manifests/maintenance.pp, line: 20, column: 13) on node host01.home.de

mvogt1 avatar Jun 21 '22 14:06 mvogt1

This is my solution to the problem:

# https://serverfault.com/questions/127466/how-do-i-access-an-environment-variable-in-a-puppet-manifest
#
# before puppet apply write in Makefile or command line
# export FACTER_PUPPET_LOCAL_IS_RUNNING=1
# facter will import this into puppet in lower case.

class vmware::maintenance::write_vsphere_api_key {
  notify { "(eyaml) puppet_local_is_running: $::puppet_local_is_running": }
  if ( "x$::puppet_local_is_running" == "x" ) {
    # variable not found => assume decrypt will work
    $secret = lookup('secrets::test::confidential', String, undef, "INVALID")
  } else {
    $secret = "INVALID"
  }

  notify { "(eyaml) Secret: $secret": }
  if ($secret != "INVALID") {
    notify { "(eyaml) Applying secret": }
  }
}

The secrets cannot be written in the puppet apply case, which is okay for development; in this case the whole secret part is omitted and will only be executed in a puppet agent run.

As a result:

  • puppet does not abort during local testing and other manifests will work

Note: The notify prints are for testing only and print on the client in both scenarios (apply and agent). Keep in mind that other log levels (debug, notice, ...) will appear in the server logs, so any such logging should be avoided / removed.

mvogt1 avatar Jun 22 '22 14:06 mvogt1
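The same fact-gated pattern as an added example (not mvogt1's manifest and not hiera-eyaml code), written against the `$facts` hash and wrapping the looked-up value in `Sensitive` so the plaintext is redacted from notify output, reports and server logs rather than interpolated into a string. The key name `secrets::test::confidential` is taken from the thread; the target path `/etc/vmware/api_key` is an assumption.

```puppet
# Added example: skip the eyaml lookup on a local 'puppet apply' run and
# keep the decrypted value out of logs on a real agent run.
class vmware::maintenance::write_vsphere_api_key {
  # Assumption: 'export FACTER_PUPPET_LOCAL_IS_RUNNING=1' is set before
  # 'puppet apply' (Facter imports it as the fact 'puppet_local_is_running');
  # the fact is absent on normal agent runs, so the lookup is attempted there.
  $local_run = $facts['puppet_local_is_running']

  if $local_run {
    # No private key on the dev box: never call lookup, so hiera-eyaml is
    # never asked to decrypt and cannot abort the run.
    $secret = 'INVALID'
  } else {
    # The default only applies when the key is missing, not when decryption
    # fails; on an agent with the key present this returns the real value.
    $secret = lookup('secrets::test::confidential', String, undef, 'INVALID')
  }

  if $secret != 'INVALID' {
    # Sensitive wraps the value so it is shown as [redacted] in logs, file
    # diffs and reports; the file resource unwraps it only when writing.
    file { '/etc/vmware/api_key':   # assumed path
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0600',
      content => Sensitive($secret),
    }
  } else {
    # Log the decision, never the secret itself.
    notify { '(eyaml) secret step skipped on local run': }
  }
}
```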