voxpupuli / hiera-eyaml

A backend for Hiera that provides per-value asymmetric encryption of sensitive data
MIT License

Options doesn't interpolate variables for pkcs7_private_key, pkcs7_public_key #252

Open mmarseglia opened 6 years ago

mmarseglia commented 6 years ago

I'm using hiera-eyaml and wanted to dynamically set the path for the public and private key. I tried using:

    options:
      pkcs7_private_key: %{confdir}/keys/private_key.pkcs7.pem
      pkcs7_public_key: %{confdir}/keys/public_key.pkcs7.pem

But %{confdir} isn't interpolated and the resulting path is /keys/public_key.pkcs7.pem. Am I doing something wrong or is this not supported?

rnelson0 commented 6 years ago

@mmarseglia I believe you need to put it in double quotes:

    options:
      pkcs7_private_key: "%{confdir}/keys/private_key.pkcs7.pem"
      pkcs7_public_key: "%{confdir}/keys/public_key.pkcs7.pem"

mmarseglia commented 6 years ago

I tried that and I get this error on the puppet agent.

    [root@agent2 vagrant]# puppet agent -t
    Info: Using configured environment 'production'
    Info: Retrieving pluginfacts
    Info: Retrieving plugin
    Info: Loading facts
    Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, No such file or directory - /keys/private_key.pkcs7.pem at /vagrant/site/roles/manifests/manifest.pp:11:3 on node agent2.vagrant.vm
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run

hiera.yaml

    [root@master production]# cat hiera.yaml
    ---
    version: 5
    defaults:
      datadir: hieradata

    hierarchy:
      - name: "Encrypted YAML"
        lookup_key: eyaml_lookup_key
        paths:
          - "secrets/nodes/%{clientcert}.eyaml"
          - "secrets/global.eyaml"
        options:
          pkcs7_private_key: "%{confdir}/keys/private_key.pkcs7.pem"
          pkcs7_public_key: "%{confdir}/keys/public_key.pkcs7.pem"

      - name: "Plaintext YAML"
        data_hash: yaml_data
        paths:
          - "nodes/%{clientcert}.yaml"
          - "global.yaml"

${confdir} should be /etc/puppetlabs/puppet, right?

Here's where I'm storing the keys:

    [root@master puppetlabs]# ls -lAF /etc/puppetlabs/puppet/keys/
    total 8
    -rw-r--r-- 1 root root 1679 Dec  6 13:50 private_key.pkcs7.pem
    -rw-r--r-- 1 root root 1050 Dec 20 15:10 public_key.pkcs7.pem

rnelson0 commented 6 years ago

You can check confdir with puppet config print confdir (or maybe puppetserver puppet config print confdir?), but it could also be that confdir isn't a fact and that is why it is not available. The sample at https://puppet.com/docs/puppet/4.10/hiera_config_yaml_5.html does not show use of anything other than facts in interpolation.

I don't think this issue is with eyaml, but with hiera itself.

rnelson0 commented 6 years ago

Discussion on slack indicates that confdir is not available to the master. However %{settings::confdir} should be, per https://puppet.com/docs/puppet/5.3/lang_facts_and_builtin_vars.html.
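The following Ruby script is an added illustration of what this thread works through; it is not code from hiera-eyaml or from any commenter. It loads a constructed hiera.yaml containing both the bare `%{confdir}` form from the original report and the `%{settings::confdir}` form suggested in the last comment, applies `%{...}` interpolation against a constructed scope in which `confdir` is deliberately absent (as the thread concludes it is on the master) and `settings::confdir` is present, and reports every variable that did not resolve. An unresolved variable is replaced with an empty string, which reproduces the `/keys/private_key.pkcs7.pem` path from the agent error; Hiera's own warning output is not modelled. Because the key listing above shows the private key at mode 0644, readable by every local user on the master, a second function flags a key file whose group or other permission bits are set. The sample scope, `SAMPLE_HIERA_YAML`, and the function names `interpolate`, `resolve_key_paths` and `private_key_warnings` are all assumptions of this example.

```ruby
require 'yaml'

# Constructed sample hiera.yaml (not the thread's file): the first level uses the
# bare %{confdir} from the original report, the second uses %{settings::confdir}.
SAMPLE_HIERA_YAML = <<~YAML
  ---
  version: 5
  hierarchy:
    - name: "Encrypted YAML (bare confdir)"
      lookup_key: eyaml_lookup_key
      options:
        pkcs7_private_key: "%{confdir}/keys/private_key.pkcs7.pem"
        pkcs7_public_key: "%{confdir}/keys/public_key.pkcs7.pem"
    - name: "Encrypted YAML (settings namespace)"
      lookup_key: eyaml_lookup_key
      options:
        pkcs7_private_key: "%{settings::confdir}/keys/private_key.pkcs7.pem"
        pkcs7_public_key: "%{settings::confdir}/keys/public_key.pkcs7.pem"
YAML

# Constructed interpolation scope (an assumption, not a dump from a real master):
# 'confdir' is intentionally missing, 'settings::confdir' is present.
SAMPLE_SCOPE = {
  'settings::confdir' => '/etc/puppetlabs/puppet',
  'clientcert'        => 'agent2.vagrant.vm',
}.freeze

INTERPOLATION = /%\{([^}]+)\}/

# Replace each %{name} with scope[name]. Names not in scope become '' and are
# collected, so the caller can see why a path collapsed to '/keys/...'.
def interpolate(str, scope)
  missing = []
  out = str.gsub(INTERPOLATION) do
    name = Regexp.last_match(1).strip
    if scope.key?(name)
      scope[name]
    else
      missing << name
      ''
    end
  end
  [out, missing]
end

# Resolve the pkcs7 key options of every hierarchy level and report problems.
def resolve_key_paths(yaml_text, scope)
  cfg = YAML.safe_load(yaml_text)
  cfg.fetch('hierarchy').map do |level|
    opts = level.fetch('options', {})
    resolved = {}
    problems = []
    %w[pkcs7_private_key pkcs7_public_key].each do |key|
      next unless opts.key?(key)
      value, missing = interpolate(opts[key], scope)
      resolved[key] = value
      missing.each { |m| problems << "#{key}: %{#{m}} not in scope" }
    end
    { 'name' => level['name'], 'resolved' => resolved, 'problems' => problems }
  end
end

# Flag a private key that is missing or that group/other can read or write
# (the thread's listing shows 0644; only the owner should have access).
def private_key_warnings(path)
  return ["#{path}: does not exist"] unless File.exist?(path)
  mode = File.stat(path).mode & 0o777
  warnings = []
  warnings << format('%s: mode %04o is group/world accessible', path, mode) if (mode & 0o077) != 0
  warnings
end

if $PROGRAM_NAME == __FILE__
  resolve_key_paths(SAMPLE_HIERA_YAML, SAMPLE_SCOPE).each do |level|
    puts level['name']
    level['resolved'].each { |k, v| puts "  #{k} => #{v}" }
    level['problems'].each { |p| puts "  PROBLEM #{p}" }
    key = level['resolved']['pkcs7_private_key']
    private_key_warnings(key).each { |w| puts "  WARNING #{w}" } if key
  end
end
```

Running it prints the first level's keys resolved to `/keys/...` with a `%{confdir} not in scope` problem for each, and the second level's keys resolved under `/etc/puppetlabs/puppet`; on a real master, point `private_key_warnings` at the resolved private key path to confirm its mode before relying on it.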