We've made some more progress integrating Puppet 6+ Deferred lookups with
Vault for secrets storage.
The basic principle we've used for the isolation is to upload and sync a
Puppet TLS certificate per host, and look up the relevant keys under there
for the secret storage.
```
# Policy granting read access only to this host's own KV path
echo 'path "secret/test1.exampledomain.com" {capabilities = ["read"]}' \
  > test1.exampledomain.com.hcl
vault policy write test1.exampledomain.com test1.exampledomain.com.hcl
# Register the host's Puppet-signed certificate with the cert auth backend
# (auth/cert/certs/<name>) and bind it to that policy
vault write auth/cert/certs/test1.exampledomain.com \
  policies=test1.exampledomain.com \
  certificate=@/etc/puppetlabs/puppet/ssl/ca/signed/test1.exampledomain.com.pem
# Store the secret under the per-host path (single quotes keep '!' literal)
vault kv put secret/test1.exampledomain.com \
  mysql_root='TheVerySecureMySQLRootPassword123!'
```
We can then see the above working on the client with this code:
```
# Resolved on the agent at catalog application time, not on the master
$mysql_root = Deferred('vault_lookup::lookup',
  ['secret/test1.exampledomain.com', 'https://puppet.exampledomain.com:8200'])
notify { 'mysql_root': message => $mysql_root }
```
What we can't figure out is how to reference the KV pair inside a Puppet
manifest as a parameter. E.g., in YAML:
```
---
mysql::server::root_password: "%{something wonderful happens here}"
```
Any ideas?
On Tuesday, October 9, 2018 at 11:12:39 PM UTC+11, comport3 wrote:
>
> Mentioned in the Puppet 6 release notes is the ability for a client to
> look up secret data from Vault.
>
> Is there any more info on how to implement this?
>
> I have done extensive work on POC environments that use Vault as a top
> level in Hierarchy and mark the secrets as 'sensitive' so they do not
> appear in logs and reports, but do not want to continue deploying this
> methodology if it's not the way the technology is headed.
>
> https://github.com/comport3/puppet5-hiera-vault-poc
>
>
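The per-host isolation described in the post, scripted as an added example (not the poster's code): for every certificate the Puppet CA has signed, write a read-only policy scoped to that host's own `secret/<certname>` path and bind the certificate to it in Vault's cert auth backend. It assumes the Vault 1.x CLI with `VAULT_ADDR`/`VAULT_TOKEN` set, KV v1 mounted at `secret/`, cert auth enabled, and the signed-certificate directory shown in the post; `SIGNED_DIR` and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): one Vault cert-auth role and one
# read-only KV policy per Puppet-signed host certificate.
# Assumption: Vault CLI on PATH, VAULT_ADDR/VAULT_TOKEN exported by the caller.
SIGNED_DIR="${SIGNED_DIR:-/etc/puppetlabs/puppet/ssl/ca/signed}"

# Derive the Puppet certname from a signed certificate path by stripping
# the directory and the trailing .pem.
host_from_pem() {
  basename "$1" .pem
}

# Reject certnames that could widen the policy beyond the host's own path:
# empty, containing '/', '..', or Vault's '*' and '+' path wildcards.
valid_certname() {
  case "$1" in
    ''|*/*|*..*|*'*'*|*'+'*) return 1 ;;
    *) return 0 ;;
  esac
}

# Render the least-privilege policy: read capability only on secret/<host>.
# Quoting the path keeps dotted hostnames from being misparsed by HCL.
render_policy() {
  printf 'path "secret/%s" {\n  capabilities = ["read"]\n}\n' "$1"
}

# Write the policy (read from stdin via '-') and bind the certificate to it
# under auth/cert/certs/<name>, the role the agent logs in as.
register_host() {
  pem="$1"
  host="$(host_from_pem "$pem")"
  valid_certname "$host" || { echo "skipping unsafe certname: $host" >&2; return 1; }
  render_policy "$host" | vault policy write "$host" -
  vault write "auth/cert/certs/$host" \
    display_name="$host" policies="$host" certificate=@"$pem"
}

# Walk the CA's signed directory; skip the literal glob when it is empty.
main() {
  for pem in "$SIGNED_DIR"/*.pem; do
    [ -e "$pem" ] || continue
    register_host "$pem"
  done
}

# Only touch Vault when explicitly asked: ./register_vault_hosts.sh --run
[ "${1:-}" = "--run" ] && main
```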