Closed tenajsystems closed 4 years ago
It has to be set within the context of the Puppetserver run as an environment variable, not Hiera.

So this could be done as `export VAULT_TOKEN=abc` in either:

- `/etc/sysconfig/puppetserver` on RHEL and its derivatives
- `/etc/default/puppetserver` on Debian, Ubuntu, and their derivatives

Or in the `Environment`/`EnvironmentFile` setting in the Puppetserver systemd unit file.
Thank you for the quick response.

I am using Ubuntu and Puppet Enterprise. I went into `/etc/default/pe-puppetserver` and added `export VAULT_TOKEN=<token here>`.

Do I need to set a value in the `token` field like in the Hiera sample below? As in, where do I set `ENV["VAULT_TOKEN"]`? I am sure I am missing something but not sure what I am doing wrong.
```yaml
---
version: 5
hierarchy:
  - name: "Hiera-vault lookup"
    lookup_key: hiera_vault
    options:
      confine_to_keys:
        - '^vault_.*'
        - '^.*_password$'
        - '^password.*'
      ssl_verify: false
      address: https://vault.foobar.com:8200
      token: 'ENV["VAULT_TOKEN"]'
      default_field: value
      mounts:
        some_secret:
          - "%{::trusted.certname}"
          - common
        another_secret:
          - "%{::trusted.certname}"
          - common
```
Remove the `token` field completely from the config; it will look for the environment value automatically:
```yaml
---
version: 5
hierarchy:
  - name: "Hiera-vault lookup"
    lookup_key: hiera_vault
    options:
      confine_to_keys:
        - '^vault_.*'
        - '^.*_password$'
        - '^password.*'
      ssl_verify: false
      address: https://vault.foobar.com:8200
      default_field: value
      mounts:
        some_secret:
          - "%{::trusted.certname}"
          - common
        another_secret:
          - "%{::trusted.certname}"
          - common
```
When I remove the `token` field completely and then run `puppet agent -t`, I get the below error:

```
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, [hiera-vault] no token set in options and no token in VAULT_TOKEN
```
Ok, looks like you're right: for Puppetserver the variable has to be set in the `/etc/puppetlabs/puppetserver/conf.d/puppetserver.conf` file:

https://puppet.com/docs/puppetserver/latest/config_file_puppetserver.html

I did a quick test now and it worked for me:

```
environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }
```

This will mean that it will use the value from the exported environment setting within the JRuby run:

```
[root@puppet vagrant]# cat /etc/sysconfig/puppetserver | grep TOKEN
VAULT_TOKEN=s.2NwgupDg5BRSBEy4Gya3kkFR
[root@puppet vagrant]# cat /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf | grep TOKEN
environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }
[root@puppet vagrant]# cat token.rb
puts "Vault token is #{ENV['VAULT_TOKEN']}}"
[root@puppet vagrant]# puppetserver ruby token.rb
Vault token is s.2NwgupDg5BRSBEy4Gya3kkFR}
```

You'll need to restart the puppet and puppetserver processes after making the changes also.
So I have set `export VAULT_TOKEN=<token_here>` in `/etc/default/pe-puppetserver` and also set `environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }` in `/etc/puppetlabs/puppetserver/conf.d/pe-puppet-server.conf`. I restarted puppetserver and puppet, but I keep getting the error below:

```
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, [hiera-vault] no token set in options and no token in VAULT_TOKEN
```
Can you run this test for me:

```
$ cat /etc/sysconfig/pe-puppetserver | grep TOKEN
$ cat /etc/puppetlabs/puppetserver/conf.d/pe-puppetserver.conf | grep TOKEN
$ echo 'puts "Vault token is #{ENV['VAULT_TOKEN']}}"' > token.rb
$ pe-puppetserver ruby token.rb
$ pe-puppetserver version
```
Below are the outputs based on the commands you wanted me to run. Please note that setting `environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }` in `/etc/puppetlabs/puppetserver/conf.d/pe-puppet-server.conf` causes the puppet server to fail to start, and each time puppet runs, it fails.

```
$ cat /etc/default/pe-puppetserver | grep TOKEN
export export VAULT_TOKEN=<token_here>
$ cat /etc/puppetlabs/puppetserver/conf.d/pe-puppet-server.conf | grep TOKEN
environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }
$ echo 'puts "Vault token is #{ENV['VAULT_TOKEN']}}"' > token.rb    (no output)
$ puppetserver ruby token.rb
NameError: uninitialized constant VAULT_TOKEN
  const_missing at org/jruby/RubyModule.java:3748
         <main> at token.rb:1
$ puppetserver version
puppetserver: 'version' is not a puppetserver command. See 'puppetserver --help'.
$ pe-puppetserver version
pe-puppetserver: command not found
```
Let me know if there is anything else that you would like for me to try. Thanks!
@tenajsystems I think you have a double `export` command in your `/etc/default/pe-puppetserver`, which could be a problem with the puppetserver start failure. There is also a quote-escaping trap in the echo command posted above. This simplifies things a bit:

```
echo "puts \"Vault token is #{ENV['VAULT_TOKEN']}\"" > token.rb
```
Btw, adding the `environment-vars` map in `/etc/puppetlabs/puppetserver/conf.d/puppetserver.conf` worked for me too, for Puppetserver 5.3.
Thank you. I decided to just have the token in a text file.
@petems How is the `ENV["VAULT_TOKEN"]` supposed to be set? I have exported the token as `export VAULT_TOKEN=<token_here>`, and in my hiera.yaml file I have `token: 'ENV["VAULT_TOKEN"]'`, but when I run puppet, it fails to look up the key in Vault. Setting `token: '/path/to/token'` works, however. Any thoughts on why setting `token: 'ENV["VAULT_TOKEN"]'` doesn't work? Or am I doing something wrong?
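As an added example (not hiera-vault's own code and not written by anyone in this thread), the Ruby snippet below models the token-resolution precedence this thread describes: no `token` option means the backend falls back to the `VAULT_TOKEN` environment variable of the JRuby process (the variable that `environment-vars` in `puppetserver.conf` has to pass through), a `token` that names a readable file uses the file's contents (the `token: '/path/to/token'` form that the last comment says works), and anything else is taken as the literal string. The last case is why `token: 'ENV["VAULT_TOKEN"]'` in hiera.yaml does nothing useful: YAML does not evaluate Ruby, so the backend receives the 16-character string `ENV["VAULT_TOKEN"]`, not the variable's value. The option name, the env var name and the error text are taken from the messages above; the hiera.yaml fragment is constructed for the example, and the env hash is injectable so the behaviour can be exercised offline.

```ruby
# Added example: illustrative token resolution, not hiera-vault's implementation.
require 'yaml'
require 'tempfile'

class TokenError < StandardError; end

# Resolve the Vault token from the backend's `options` hash.
# `env` defaults to the real process environment but can be injected for tests.
# Precedence (as described in the thread, assumed here, not verified against hiera-vault):
#   1. no `token` option          -> VAULT_TOKEN from the environment, else raise
#   2. `token` is a readable file -> the file's contents, whitespace-stripped
#   3. anything else              -> the literal string, used as-is
def resolve_vault_token(options, env = ENV)
  token = options['token']
  if token.nil? || token.to_s.strip.empty?
    env_token = env['VAULT_TOKEN']
    if env_token.nil? || env_token.empty?
      # Same wording as the 500 error quoted in this issue.
      raise TokenError, '[hiera-vault] no token set in options and no token in VAULT_TOKEN'
    end
    return env_token
  end
  return File.read(token).strip if File.file?(token)
  token # a YAML string is just a string; 'ENV["VAULT_TOKEN"]' lands here unevaluated
end

# Constructed hiera.yaml fragment mirroring the one posted above (not a real config).
HIERA_YAML = <<~YAML
  ---
  version: 5
  hierarchy:
    - name: "Hiera-vault lookup"
      lookup_key: hiera_vault
      options:
        ssl_verify: false
        address: https://vault.foobar.com:8200
        token: 'ENV["VAULT_TOKEN"]'
        default_field: value
YAML

# Return the `options` hash of the first hierarchy level, as Hiera would hand it to the backend.
def hiera_vault_options(yaml_text)
  YAML.safe_load(yaml_text)['hierarchy'].first['options']
end

# Walk the three cases so the difference is visible when run stand-alone.
def demo
  opts = hiera_vault_options(HIERA_YAML)
  fake_env = { 'VAULT_TOKEN' => 's.exampletoken' }
  results = {}
  results[:literal_in_yaml] = resolve_vault_token(opts, fake_env)      # the literal string
  results[:env_fallback]    = resolve_vault_token({}, fake_env)        # 's.exampletoken'
  Tempfile.create('vault-token') do |f|
    f.write("s.fromfile\n")
    f.flush
    results[:file_path] = resolve_vault_token({ 'token' => f.path }, {}) # 's.fromfile'
  end
  begin
    resolve_vault_token({}, {})
  rescue TokenError => e
    results[:missing] = e.message
  end
  results
end

puts demo.map { |k, v| "#{k}: #{v.inspect}" } if __FILE__ == $PROGRAM_NAME
```

Running it shows `literal_in_yaml` resolving to the string `ENV["VAULT_TOKEN"]` even though the (fake) environment holds a token, which is the failure the last comment reports; the fix is either to drop the `token` option and pass `VAULT_TOKEN` into the JRuby environment via `environment-vars`, or to point `token` at a root-readable file, as several people in the thread ended up doing.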