Closing the loop on this for anyone else trying this in the future.
The custom backend was correct the entire time and was returning the
Deferred function. However, since I was defining a key prefix that wasn't
actually used in Hiera for the custom backend to key off of, I was making
use of the `lookup` function to perform the lookup of that key. After
re-reading the docs, I realized that `lookup` will always convert the value
to a string, which was exactly my problem. Switching to use the `alias`
function brought me success, as it does not attempt a conversion to string
if it is the only value being interpolated.
I was then able to use that value as desired, provided whatever was
consuming the value accepted (and unwrapped) the Sensitive[String] that was
returned from the Deferred function.
Cheers,
Aaron
On Monday, October 31, 2022 at 1:00:25 PM UTC-7 Aaron Russo wrote:
> So I managed to get this to work by changing hiera data slightly,
> replacing the `lookup` function with `alias` so that the type wasn't
> automatically converted to a string.
>
> ```
> # this works! note the weird quoting is to avoid hiera treating fqdn dots
> # as sub-keys and is intentional.
> profile::gitlab_runner::lookup_test: "%{alias(\"'vault_lookup::kv/data/host/gitlab-runner-31.example.com/gitlab-ci>registration_token'\")}"
> ```
>
> Unfortunately, this breaks down when I want to embed that key in a config
> hash within hiera, like this:
> ```
> gitlab_ci_runner::runners:
>   'instance':
>     config:
>       name: "Instance Runner on %{::hostname}"
>       registration-token: "%{alias(\"'vault_lookup::kv/data/host/gitlab-runner-31.example.com/gitlab-ci>registration_token'\")}"
>       ...
> ```
>
> I'm guessing without some changes in Hiera/Puppet, this part may not be
> possible? Anyone have experience with this?
>
>
> On Fri, Oct 21, 2022 at 2:28 PM Aaron Russo <[email protected]> wrote:
>
>> We're using the vault_lookup[1] module to retrieve secrets from Vault via
>> mTLS. It works fairly well when grabbing secrets within a manifest.
>>
>> However it feels like an anti-pattern by forcing lookups into our
>> manifests when we want to keep that in Hiera. I found a previous related
>> thread[2] where Henrik suggested writing a custom backend for Hiera and
>> return a Deferred.
>>
>> However after doing what I thought was the correct thing, and returning a
>> Deferred in our custom backend, the value in the file ends up being the
>> literal string 'Deferred ...' and not being evaluated. I even wrote a quick
>> manifest to check if a Deferred is being returned by Hiera/APL and it does
>> not seem to be the case -- Hiera is returning a String representation of it.
>>
>> So my question is -- is it possible to actually return a Deferred via a
>> Hiera lookup_key backend and if so, what might I be doing wrong? Sanitized
>> code / outputs / etc provided[3] for mocking.
>>
>> Versions:
>> puppet: 7.20.0
>> puppetserver: 7.8.0
>> puppetlabs/stdlib: 8.30
>>
>> Thanks!
>>
>> Aaron
>>
>> [1] https://forge.puppet.com/modules/puppet/vault_lookup
>> [2] https://groups.google.com/g/puppet-users/c/E-Q-ok-B0gQ/m/h-tYJFPdBwAJ
>> [3] https://gist.github.com/arusso/9eed3cac93e02aa270b6811b560b2093
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/e5e12ede-e33f-440a-b13f-ccd221110f9dn%40googlegroups.com
>>
>> <https://groups.google.com/d/msgid/puppet-users/e5e12ede-e33f-440a-b13f-ccd221110f9dn%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>>
>
>
> --
> Aaron Russo (He/Him/His)
> PIXAR | Network & Server Admins (NSA) | Senior Systems Engineer
> [email protected]
>
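The difference between `lookup` and `alias` described in the first message, as an added Ruby sketch that is not part of the original thread and is not Puppet's own code. It is a simplified model of the interpolation rules; `backend_lookup`, the `Deferred` struct and the sample key are constructed stand-ins for the custom backend and its return value.

```ruby
# Simplified model of Hiera string interpolation (not Puppet's implementation).
# Stand-in for Puppet's Deferred type; to_s mimics the "Deferred ..." text
# that ended up in the rendered file.
Deferred = Struct.new(:name, :arguments) do
  def to_s
    "Deferred({'name' => '#{name}', 'arguments' => #{arguments.inspect}})"
  end
end

# Constructed stand-in for the custom lookup_key backend: any key with the
# vault_lookup:: prefix yields a Deferred instead of a plain value.
def backend_lookup(key)
  return nil unless key.start_with?('vault_lookup::')
  Deferred.new('vault_lookup::lookup', [key.sub('vault_lookup::', '')])
end

# Matches %{lookup('key')} and %{alias('key')} tokens.
TOKEN = /%\{(lookup|alias)\(["'](.+?)["']\)\}/

def interpolate(value)
  tokens = value.to_enum(:scan, TOKEN).map { Regexp.last_match }
  return value if tokens.empty?

  if tokens.any? { |m| m[1] == 'alias' }
    # alias hands back the looked-up value with its type intact, so it is
    # only valid when the token is the entire string.
    unless tokens.size == 1 && tokens[0][0] == value
      raise ArgumentError, 'alias must be the only text in the string'
    end
    return backend_lookup(tokens[0][2])
  end

  # lookup splices the value into the surrounding string, so whatever the
  # backend returned is converted to its string representation.
  value.gsub(TOKEN) { backend_lookup(Regexp.last_match(2)).to_s }
end

KEY = 'vault_lookup::kv/data/host/example/gitlab-ci>registration_token' # constructed

if __FILE__ == $PROGRAM_NAME
  puts interpolate("%{lookup('#{KEY}')}").class  # String
  puts interpolate("%{alias('#{KEY}')}").class   # Deferred
end
```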