
Issues in getting hiera eyaml to work [closed]

asked 2016-12-09 13:37:13 -0500

updated 2017-01-31 16:00:46 -0500

1) Eyaml is set up with a public key.
2) Hiera.yaml is set up with the backends consul, eyaml and yaml.
3) A string is encrypted.
4) The encrypted string is mentioned in the file below:

[vagrant@localhost puppet]$ cat /etc/puppetlabs/code/environments/production/hieradata/common.eyaml
---
hiera_lookup_token: ENC[PKCS7,some text]

[vagrant@localhost puppet]$

In my manifest:

$token = hiera('hiera_lookup_token',[])

5) When I do a notify {"token: ${token}":} I get an empty response from hiera.

[vagrant@localhost puppet]$ sudo puppet apply /home/vagrant/hiera_conf/manifests/init.pp


Notice: token : [] 
Notice: /Stage[main]/Main/Notify[token : []]/message: defined 'message' as 'token : []'
Notice: /Stage[main]/Hiera/File[/etc/puppetlabs/code/hiera.yaml]/ensure: defined content as '{md5}96604da0e1343bcb8fc7f8313dfb5f67'

Hiera.yaml looks like this:

---
:backends:
- eyaml
- consul
- yaml

:logger: console

:hierarchy:
  - secure
  - "nodes/%{::hostname}"
  - common

 :eyaml:
  :datadir: "/etc/puppetlabs/code/environments/%{::environment}/hieradata"
  :pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
  :pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"

:consul:
  :host: 127.0.0.1
  :port: '8500'
  :paths:
  - "/v1/catalog/service"
  - "/v1/catalog/node"

:yaml:
  :datadir: "/etc/puppetlabs/code/environments/%{::environment}/hieradata"

On a side note, if I have the contents of the "eyaml" inside a "yaml" file instead, I get this:

 [vagrant@localhost puppet]$ cat /etc/puppetlabs/code/environments/production/hieradata/common.yaml
    ---
    hiera_lookup_token: ENC[Some text]

Output:

         ENC[PKCS7,Sometext=][vagrant@localhost puppet]$

Update: This is the output of the debug:

[vagrant@localhost ~]$ hiera -d 'acl_token' environment=production
DEBUG: 2016-12-09 22:35:54 +0000: Hiera YAML backend starting
DEBUG: 2016-12-09 22:35:54 +0000: Looking up hiera_lookup_token in YAML backend
DEBUG: 2016-12-09 22:35:54 +0000: Ignoring bad definition in :hierarchy: 'nodes/'
DEBUG: 2016-12-09 22:35:54 +0000: Looking for data source common
DEBUG: 2016-12-09 22:35:54 +0000: Found acl_token in common
ENC[SomeText=]
[vagrant@localhost ~]$

[vagrant@localhost ~]$ sudo rm     /etc/puppetlabs/code/environments/production/hieradata/common.yaml
[vagrant@localhost ~]$ hiera -d 'acl_token' environment=production
DEBUG: 2016-12-09 22:41:09 +0000: Hiera YAML backend starting
DEBUG: 2016-12-09 22:41:09 +0000: Looking up hiera_lookup_token in YAML backend
DEBUG: 2016-12-09 22:41:09 +0000: Ignoring bad definition in :hierarchy: 'nodes/'
DEBUG: 2016-12-09 22:41:09 +0000: Looking for data source common
DEBUG: 2016-12-09 22:41:09 +0000: Cannot find datafile    /etc/puppetlabs/code/environments/production/hieradata/common.yaml, skipping
nil
[vagrant@localhost ~]$

Permissions on keys are as follows:

[vagrant@localhost ~]$ ls -la /etc/puppetlabs/puppet/keys/
total 8
drwxr-xr-x. 2 puppet puppet   61 Dec  8 22:05 .
drwxr-xr-x. 4 root   root     78 Dec  8 21:36 ..
-rw-------. 1 puppet puppet 1675 Dec  8 22:05 private_key.pkcs7.pem
-rw-r--r--. 1 puppet puppet 1050 Dec  8 22:05 public_key.pkcs7.pem

Closed for the following reason: the question is answered, right answer was accepted by Redsmile
close date 2017-01-31 15:56:53.572990

1 Answer


answered 2016-12-09 14:20:44 -0500

lupin

Do you have the right permissions on your keys directory? You can debug it from the master with this command: hiera -d 'acl_token' environment=production


Comments

Hi Lupin, I have updated the output from the debug in my question above.

Redsmile ( 2016-12-09 16:38:47 -0500 )

In your first debug run, it retrieved the value of acl_token. The extension of the encrypted file should be .eyaml unless you modify it. In your manifest's hiera lookup, can you remove the default value ([])? I.e., $token = hiera('acl_token').

lupin ( 2016-12-09 21:09:16 -0500 )

Ah, another issue is that you're executing puppet apply and hiera debug as the vagrant user. Try running as root.

lupin ( 2016-12-09 21:13:41 -0500 )

Lupin, the first debug retrieved data because I had the contents in the common.yaml file. Even when I run as the root user, if I just have a common.eyaml it doesn't bring any data. Are you saying the contents should be under common.yaml? I did not understand your solution.

Redsmile ( 2016-12-12 12:12:13 -0500 )

My thought is that you need a privilege to be able to read the keys, but as you said, even as root you still cannot see the result. The contents should be in files ending in *.eyaml. I cannot replicate your issue on my setup, unfortunately. How did you install hiera-eyaml? Are you using Puppet PE?

lupin ( 2016-12-12 12:35:50 -0500 )
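
The checks raised in this thread (a settings section for every backend, the .eyaml data file names, and whether the user running hiera can read the private key) can be scripted. The following Ruby sketch is an added example, not code from the thread or from hiera-eyaml. Its sample config is constructed from the question's hiera.yaml with the key paths left out; the function names are hypothetical, and group membership is not modelled in the readability check.

```ruby
require 'yaml'

# Constructed sample modelled on the question's Hiera 3 config.
# The consul section is left out on purpose so the first check has a finding.
SAMPLE_CONFIG = <<~CONF
  ---
  :backends:
    - eyaml
    - consul
    - yaml
  :hierarchy:
    - secure
    - "nodes/%{::hostname}"
    - common
  :eyaml:
    :datadir: "/etc/puppetlabs/code/environments/%{::environment}/hieradata"
  :yaml:
    :datadir: "/etc/puppetlabs/code/environments/%{::environment}/hieradata"
CONF

# Hiera 3 uses symbol keys (:backends), which safe_load must be told to allow.
def load_hiera_config(text)
  YAML.safe_load(text, permitted_classes: [Symbol])
end

# Backends named in :backends that have no top-level settings section.
def missing_backend_sections(cfg)
  Array(cfg[:backends]).reject { |b| cfg[b.to_sym].is_a?(Hash) }
end

# Data files the eyaml backend would look for once %{var} tokens are resolved.
def eyaml_candidates(cfg, vars)
  sub = ->(s) { s.gsub(/%\{(?:::)?\w+\}/) { |m| vars[m[/\w+/]].to_s } }
  ext = cfg[:eyaml][:extension] || 'eyaml'
  dir = sub.call(cfg[:eyaml][:datadir])
  cfg[:hierarchy].map { |lvl| File.join(dir, "#{sub.call(lvl)}.#{ext}") }
end

# Findings for the private key, from its mode and owner (as File.stat reports
# them) and the uid that runs hiera or puppet. Group membership is ignored.
def private_key_findings(mode, owner_uid, run_uid)
  out = []
  out << 'private key is group- or world-accessible' if (mode & 0o077) != 0
  readable = run_uid.zero? || (run_uid == owner_uid && (mode & 0o400) != 0) ||
             (mode & 0o004) != 0
  out << "uid #{run_uid} cannot read the private key" unless readable
  out
end
```

On a real host, pass `File.stat(path).mode & 0o777`, `File.stat(path).uid` and `Process.euid` to `private_key_findings`.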
