Flagged #10

Open
wants to merge 21 commits into base: master
Conversation

abooitt (Contributor) commented Jan 7, 2016

This changeset (use_hierarchy branch #9 merged into it) adds the feature to read from vault, only when using custom hiera_vault, hiera_vault_array, and hiera_vault_hash functions in the puppet code.
Normal hiera* function calls will cause the vault backend to skip reading from vault.

Why? Because always reading from vault is pretty heavy and easily can exhaust the number of source ports on the puppet master. Found this when doing test runs in a relatively small environment.

Additional features:

  • Flag hiera_vault* calls to tell it to look in vault only. This can even be the default behavior.
  • Generate and write secrets in case they are not found in vault, by using a special value for the second argument (the fallback default) of the hiera_vault* functions.
  • Better handling/renewing connections to vault in case vault has been temporarily unavailable.
  • Handle empty fallback default values as invalid when using hiera_vault* functions. Actually a side effect of making it possible to specify a third parameter without a valid fallback default.

More info in the README and the code.
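
The dispatch described above, written out as an added toy model rather than code from the hiera-vault project or this PR: a plain hiera() lookup never opens a Vault connection, while the hiera_vault* functions pass a marker through Hiera's order_override parameter and the Vault backend only reads when it sees that marker. It also shows the fallback rule the changeset introduces (an empty or nil default is invalid when the key is found nowhere) and counts Vault round trips so the connection saving is visible. The class names ToyVault, ToyVaultBackend, ToyYamlBackend and ToyHiera, the VAULT_ONLY marker value, and all key/value data are assumptions made for the example.

```ruby
# Added example, not code from the hiera-vault project or this PR: a toy model
# of the "flagged" dispatch described in the PR. Plain hiera() lookups never open
# a Vault connection; only the hiera_vault* functions pass a marker through
# Hiera's order_override parameter, and the Vault backend skips unless it sees
# that marker. The class names, the VAULT_ONLY marker and all data are assumptions.

class ToyVault
  attr_reader :reads

  def initialize(kv)
    @kv = kv      # constructed sample data standing in for a Vault KV mount
    @reads = 0    # counts round trips, i.e. the connections the PR sets out to save
  end

  def read(path)
    @reads += 1
    @kv[path]
  end
end

class ToyVaultBackend
  VAULT_ONLY = :vault_only   # hypothetical marker value, not the PR's real flag

  def initialize(client)
    @client = client
  end

  # Same parameter list as a Hiera 1 backend's lookup method.
  def lookup(key, _scope, order_override, _resolution_type)
    return nil unless order_override == VAULT_ONLY   # unflagged: skip Vault entirely
    @client.read("secret/#{key}")
  end
end

class ToyYamlBackend
  def initialize(data)
    @data = data   # constructed stand-in for a YAML data source
  end

  def lookup(key, _scope, _order_override, _resolution_type)
    @data[key]
  end
end

class ToyHiera
  def initialize(backends)
    @backends = backends
  end

  # Like hiera(): the first backend that returns a non-nil value wins.
  def hiera(key, default = nil, override = nil)
    @backends.each do |backend|
      value = backend.lookup(key, {}, override, :priority)
      return value unless value.nil?
    end
    default
  end

  # Like the PR's hiera_vault(): flag the Vault backend, and treat an empty or
  # nil fallback default as invalid when the key is found nowhere.
  def hiera_vault(key, default = nil)
    value = hiera(key, nil, ToyVaultBackend::VAULT_ONLY)
    return value unless value.nil?
    if default.nil? || default == ''
      raise KeyError, "#{key}: not in Vault or any other backend, and no usable fallback default"
    end
    default
  end
end

def build_hiera
  vault = ToyVault.new('secret/db_password' => 'constructed-secret')
  hiera = ToyHiera.new([ToyVaultBackend.new(vault),
                        ToyYamlBackend.new('ntp_server' => 'ntp.example.test')])
  [vault, hiera]
end

# Runs the situations the PR description covers and reports the Vault read count.
def demo
  vault, hiera = build_hiera
  plain = hiera.hiera('ntp_server')                 # answered by YAML, Vault untouched
  reads_after_plain = vault.reads                   # stays 0
  secret = hiera.hiera_vault('db_password')         # flagged: exactly one Vault read
  fallback = hiera.hiera_vault('missing', 'dflt')   # not found anywhere: fallback returned
  empty_default_raises = begin
    hiera.hiera_vault('missing', '')                # empty fallback is invalid: raises
    false
  rescue KeyError
    true
  end
  { plain: plain, reads_after_plain: reads_after_plain, secret: secret,
    fallback: fallback, reads_total: vault.reads, empty_default_raises: empty_default_raises }
end

p demo if __FILE__ == $0
```

The point of the read counter is the operational one the PR raises: with a long hierarchy, every unflagged lookup that still went to Vault would be a fresh connection from the master, so the model makes the saving measurable, and the empty-default case fails closed instead of silently returning an empty secret.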

Arnoud Witt added 11 commits December 7, 2015 07:52
- Changes in vault_backend.rb to support skipping reading from
  vault, unless it is flagged to do so using the override parameter
- Added special hiera_vault and hiera_vault_array parser functions,
  hiera_vault_hash will be added soon.
Conflicts:
	lib/hiera/backend/vault_backend.rb
Now the Flagged functionality is complete.
And with the HieraVault module all 3 specific functions
use the HieraVault module since most code is the same.
after merging in Flagged branch
- Test vault availability with every lookup, not only at initialize.
  Puppet runs will now fail consistently when vault is unavailable. No
  need to restart puppetmasterd (or apache2 or nginx), after vault has
  become available anymore.
- Fix: in case default was empty or nil, the specific functions would
  still return the default in case lookup in vault and/or other backends
  would not find anything, while an Exception should be raised.
- Added auto-generate feature, see README.md and code for more details.
- The previous fix was incomplete: When a value was found in vault, but
  not in the rest of the backends, it would still raise an exception when
  default was empty or nil.
Conflicts:
	README.md : fixed
	lib/hiera/backend/vault_backend.rb : fixed
@abooitt abooitt mentioned this pull request Jan 7, 2016
Arnoud Witt added 5 commits January 8, 2016 12:17
- While HieraVault module retrieved hiera config from HieraPuppet, the
  logger was reset to console_logger. This caused logs to easily get
  filled up with a lot of debug messages, since console_logger just writes
  to stdout.
- Very often, when exceptions occurred, it was not clear at which position
  of the code.
abooitt pushed a commit to abooitt/hiera-vault that referenced this pull request Jan 29, 2016
This makes the vault backend compliant with other backends.

WARNING: using this with a decently long `:hierarchy` list will result in
a lot of connections to vault.

This can be solved using the 'Flagged' behavior. See jsok#10
Arnoud Witt added 2 commits January 29, 2016 20:07
@nickithewatt

+1

abooitt (Contributor, Author) commented Feb 1, 2016

The last commit contains a bug. Investigating and fixing it.

Arnoud Witt added 2 commits February 1, 2016 10:29
It was already correct. Did not think of Ruby passing variables by reference.
When using the vault backend, we do not want to skip it if any error
occurs with connecting or reading. For example when permission is denied.
jovandeginste commented Jun 20, 2016

Is it possible to perform a fallback to vault from eg. hiera-yaml? Like in hiera-yaml you can do a new lookup with

first_key: "%{hiera('other_key')}"

Then you could specify from the yaml file that some secret value should be found in vault:

the_password: "%{hiera_vault('the_password')}"

Any thoughts? Is this already possible in another way?

abooitt (Contributor, Author) commented Jun 20, 2016

As far as I have seen in the hiera code, the hiera() function as used in the data sources is one of a few supported functions. See also https://docs.puppet.com/hiera/1/variables.html
But I think it would not be very difficult to augment the code with a hiera_vault() function to be used within the data sources.

@jovandeginste

I'm aware of the existing functions, I have no clue about implementing a custom one...

jfroche commented Jun 20, 2016

Interpolation functions are defined here: https://github.com/puppetlabs/hiera/blob/master/lib/hiera/interpolate.rb#L22:L26
They are contained in an immutable hash for the moment.

vide commented Dec 12, 2016

+1 pretty please merge this PR. I'd like to start using Vault+Puppet but seeing that every hiera() call will go through Vault I already know that it will be slow as hell.

@FransUrbo

I tried your PR. Unfortunately, I get:

Error: Could not run: undefined method `errors' for #<Vault::MissingTokenError:0x00000002d6b918> in /etc/puppet/third_party/hiera-vault/lib/hiera/backend/vault_backend.rb:212:in `rescue in lookup_generic'

with the original code, I get:

Error: Missing Vault token! I cannot make requests to Vault without a token. Please
set a Vault token in the client:

    Vault.token = "42d1dee5-eb6e-102c-8d23-cc3ba875da51"

or authenticate with Vault using the Vault CLI:

    $ vault auth ...

or set the environment variable $VAULT_TOKEN to the token value:

    $ export VAULT_TOKEN="..."

Please refer to the documentation for more examples.
 at /etc/puppet/modules/mcollective/manifests/init.pp:40 on node puppet-master-00001.pharmpress.net
Error: Missing Vault token! I cannot make requests to Vault without a token. Please
set a Vault token in the client:

    Vault.token = "42d1dee5-eb6e-102c-8d23-cc3ba875da51"

or authenticate with Vault using the Vault CLI:

    $ vault auth ...

or set the environment variable $VAULT_TOKEN to the token value:

    $ export VAULT_TOKEN="..."

Please refer to the documentation for more examples.
 at /etc/puppet/modules/mcollective/manifests/init.pp:40 on node puppet-master-00001.domain.tld

so there's a regression somewhere..

abooitt (Contributor, Author) commented Jul 31, 2017

@FransUrbo the error clearly shows you still need to provide the token. It is a while ago that I have been working on this code. It might be that this PR requires the token to be provided via environment variable. Not sure.
