
Fetching mongodb password from vault not working

Open · reschandreas opened this issue 3 years ago · 1 comment

Hi!

I am currently working on adding this module to our puppet infrastructure and I am having a hard time using it. We manage our secrets with vault and thus we would also like to fetch the mongodb password from vault and not store it in plain text in our puppet repository, for obvious security reasons.

I am searching for a way that allows me to read the password either from a file or another parameter which is able to get a Deferred value for evaluation on the agent, not the puppetserver itself since those have no access to these secrets.

Is there already a solution I am not finding/overlooking or else is there a plan to support Deferred values?

Thank you very much! 🙂

How to reproduce (e.g. Puppet code you use)

This is currently my code:

  $vars = {
    'password'  => Deferred('vault_lookup::lookup', ['[keystore]', "[/path/to/secret/password]", '[key]', "[certificate]"]),
  }

  mongodb::db { $db:
    user     => $user,
    password => Deferred('inline_epp', ['<%= $password.unwrap %>', $vars]),
    roles    => ['readWrite', 'dbAdmin'],
  }

What are you seeing

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Mongodb::Db[Users]: parameter 'password' expects a value of type Undef or String, got Deferred

What behaviour did you expect instead

No error

reschandreas · Apr 16 '21 11:04

This is only an issue when referencing a deferred result through a deferred function. The following use of the mongodb_password function works (puppet-mongodb: 5.0.0, puppet: 7.29.1):

$admin_username = 'administrator'
$admin_password_path = 'secret/mongodb/integration/<hostname>/admin_password'
$deferred_admin_password_hash = Deferred('mongodb_password', [$admin_username, vault_lookup::lookup($admin_password_path, { 'vault_addr' => lookup('vault_addr'), 'field' => 'value' })])
...
class { 'mongodb::server':
  create_admin        => true,
  admin_username      => $admin_username,
  admin_password_hash => $deferred_admin_password_hash,
  ...
}
...

Robbie558 · Apr 15 '24 14:04