We've made some more progress integrating Puppet 6+ Deferred lookups with
Vault for secrets storage.
The basic principle we've used for the isolation is to upload and sync a
Puppet TLS certificate per host, and look up the relevant keys under there
for the secret storage.
```
# register the host's signed Puppet cert as its own cert-auth role
vault write auth/cert/certs/test1.exampledomain.com policies=test1.exampledomain.com \
  certificate=@/etc/puppetlabs/puppet/ssl/ca/signed/test1.exampledomain.com.pem
vault kv put secret/test1.exampledomain.com \
  mysql=TheVerySecureMySQLRootPassword123!
echo "path \"secret/test1.exampledomain.com\" {capabilities = [\"read\"]}" \
  > test1.exampledomain.com.hcl
vault policy write test1.exampledomain.com test1.exampledomain.com.hcl
```
We can then see the above working on the client with this code:
```
$mysql_root = Deferred('vault_lookup::lookup',
  ["secret/test1.exampledomain.com", 'https://puppet.exampledomain.com:8200'])
notify { mysql_root: message => $mysql_root }
```
What we can't figure out is how to reference the KV pair inside a Puppet
manifest as a parameter. E.g., in YAML:
```
---
mysql::server::root_password: "%{something wonderful happens here}"
```
Any ideas?
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/907b7092-1048-42ec-89c3-7c7448fdebf4%40googlegroups.com.
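The per-host isolation scheme from the post, generalised to any host as an added example (this is not the original poster's code): the host's signed Puppet certificate is registered as its own cert-auth role, a read-only policy scoped to exactly that host's path is written, and the secret is stored under the host's path. It assumes Vault's cert auth method is enabled, a KV v1 engine is mounted at `secret/`, and `VAULT_ADDR`/`VAULT_TOKEN` are set in the environment; the `allowed_common_names` binding and the wildcard check are additions not in the original commands.

```shell
#!/bin/sh
# Added example: onboard one host into the per-host cert-auth + KV scheme.
# Assumes cert auth enabled, KV v1 at secret/, VAULT_ADDR/VAULT_TOKEN exported.
set -eu

# Path under which a host's secrets live; also used as its policy and role name.
secret_path() { printf 'secret/%s' "$1"; }

# Policy granting read-only access to exactly one host's path.
policy_hcl() {
  printf 'path "%s" {\n  capabilities = ["read"]\n}\n' "$(secret_path "$1")"
}

# Refuse a policy containing Vault path wildcards ('*' or '+'), which would
# let one host read another host's secrets.
policy_is_host_scoped() {
  case "$1" in
    *'*'*|*'+'*) return 1 ;;
  esac
  return 0
}

# Register the host's signed Puppet cert as its own trust anchor, bound to the
# host's CN (added binding), attach the host-named policy, and store the secret.
# Only talks to Vault when called.
onboard_host() {
  host=$1; cert=$2; key=$3; value=$4
  hcl=$(policy_hcl "$host")
  policy_is_host_scoped "$hcl" || {
    echo "refusing unscoped policy for $host" >&2; return 1; }
  printf '%s' "$hcl" | vault policy write "$host" -
  vault write "auth/cert/certs/$host" certificate=@"$cert" \
    allowed_common_names="$host" policies="$host"
  vault kv put "$(secret_path "$host")" "$key=$value"
}

# Example invocation (constructed values, matching the post's host name):
# onboard_host test1.exampledomain.com \
#   /etc/puppetlabs/puppet/ssl/ca/signed/test1.exampledomain.com.pem \
#   mysql 'TheVerySecureMySQLRootPassword123!'
```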