southalc / vault

Puppet module for use with Hashicorp Vault
8 stars 8 forks

key filter for vault_hiera_hash lookup #22

Open jsfrerot opened 2 weeks ago

jsfrerot commented 2 weeks ago

Hi, is there a way to filter requests going to Vault when doing a lookup of a key? At this moment, every key in hiera is checked one after the other against Vault, which takes a lot of time.

Some alternative modules have this feature implemented: they check only keys matching a specific pattern, set with "confine_to_keys", e.g.: https://github.com/petems/petems-hiera_vault

jsfrerot commented 2 weeks ago

After more investigation I think this is not needed. The issue I had: I saw an awful lot of requests to Vault, with a lot of 404s. I'm using Vault KV secrets v2 and found out that I had to add "data" to the URI in the vault_hiera_hash config: https://vault.mydomain.com/v1/puppet-hiera/data/common

Now that Puppet doesn't get a 404, it's working a lot better, without spamming Vault.

I think it would be nice to add this information to the README.md for KV v2.

jsfrerot commented 2 weeks ago

Commenting on the MR, I found out that the reason Vault was getting spammed is that, when the URI doesn't exist and returns nil, Puppet retries a lot of times. By specifying a fake hash like { 0 => 0 }, Puppet will cache something and stop querying Vault for nothing.

In my case I use the following URI in my hiera config: https://vault.mydomain.com/v1/puppet-hiera/data/fqdn/%{::clientcert}, and for the hosts where no secrets have been defined (where the clientcert doesn't exist under fqdn) Puppet spams Vault for nothing.
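The two points raised in the comments above (KV v2 needs the extra "data" segment in the read URL, and a missing path should yield a cacheable non-nil value instead of nil so the backend is not re-queried for every key) are shown together in the following Ruby example. This is an added example, not code from the southalc/vault module or from the issue reporter; the function names `kv_read_url`, `unwrap_kv_response` and `hiera_hash_or_placeholder` are hypothetical, the mount name "puppet-hiera" and host vault.mydomain.com are taken from this thread, and the sample JSON responses are constructed rather than captured from a real Vault server.

```ruby
# Build Hashicorp Vault KV read URLs and unwrap the KV response envelope.
#
# Added example, not code from the southalc/vault module. It assumes a KV
# secrets engine mounted at "puppet-hiera" (the mount used in this thread);
# the sample responses further down are constructed, not captured.
require 'json'
require 'uri'

# Return the HTTP API URL for reading a secret.
#   KV v1:  {addr}/v1/{mount}/{path}
#   KV v2:  {addr}/v1/{mount}/data/{path}
# The extra "data" segment is what KV v2 requires; without it Vault answers 404
# for every lookup, which is exactly the request storm described in the issue.
def kv_read_url(vault_addr, mount, secret_path, kv_version: 2)
  path = secret_path.sub(%r{\A/+}, '').sub(%r{/+\z}, '').split('/')
                    .map { |seg| URI.encode_www_form_component(seg) }.join('/')
  base = "#{vault_addr.chomp('/')}/v1/#{mount}"
  case kv_version
  when 2 then "#{base}/data/#{path}"
  when 1 then "#{base}/#{path}"
  else raise ArgumentError, "unsupported kv version #{kv_version}"
  end
end

# Turn a raw Vault HTTP response into a hash of secret keys, or nil when the
# path does not exist. Vault answers a missing KV path with HTTP 404 and a
# body of {"errors":[]}; any other failure (403 permission denied, 5xx, ...)
# is raised instead of being silently treated as "no secret here".
def unwrap_kv_response(status, body, kv_version: 2)
  if status == 404
    payload = body.to_s.empty? ? {} : JSON.parse(body)
    return nil if payload['errors'] == []
    raise "vault 404 with errors: #{payload['errors'].inspect}"
  end
  raise "vault returned HTTP #{status}: #{body}" unless status == 200
  payload = JSON.parse(body)
  # KV v2 nests the secret under data.data (data.metadata holds the version);
  # KV v1 puts the secret directly under data.
  kv_version == 2 ? payload['data']['data'] : payload['data']
end

# Return the secret hash, or a non-nil placeholder when the path is missing,
# so a caller that caches lookup results (as the reporter did with { 0 => 0 }
# in Puppet) stops re-querying Vault for every key on hosts with no secrets.
def hiera_hash_or_placeholder(status, body, kv_version: 2, placeholder: {})
  unwrap_kv_response(status, body, kv_version: kv_version) || placeholder
end

# Constructed sample responses (not captured from a real Vault server).
SAMPLE_V2_OK = JSON.generate(
  'data' => {
    'data' => { 'db_password' => 's3cr3t' },
    'metadata' => { 'version' => 1, 'destroyed' => false }
  }
)
SAMPLE_NOT_FOUND = JSON.generate('errors' => [])

if __FILE__ == $PROGRAM_NAME
  puts kv_read_url('https://vault.mydomain.com', 'puppet-hiera', 'common')
  puts kv_read_url('https://vault.mydomain.com', 'puppet-hiera',
                   'fqdn/web01.example.com')
  p unwrap_kv_response(200, SAMPLE_V2_OK)
  p hiera_hash_or_placeholder(404, SAMPLE_NOT_FOUND, placeholder: { 0 => 0 })
end
```

The placeholder default is an empty hash rather than `{ 0 => 0 }`: both are non-nil and therefore cacheable, but an empty hash merges cleanly with other hiera layers, whereas a bogus `0` key can leak into the merged result. Keeping the 404 check strict (empty `errors` array only) matters because a 403 on a misconfigured token also returns no secret, and treating it as "nothing defined here" would hide a policy problem.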