We've made some more progress integrating Puppet 6+ Deferred lookups with
Vault for secrets storage.
The basic principle we've used for the isolation is to upload and sync a
Puppet TLS certificate per host, and lookup the relevant keys under there
for the secret storage.
```
vault write secret/test1.exampledomain.com policies=test1.exampledomain.com
certificate=@/etc/puppetlabs/puppet/ssl/ca/signed/test1.exampledomain.com.pem
vault kv put secret/test1.exampledomain.com
mysql=TheVerySecureMySQLRootPassword123!
echo "path \"secret/test1.exampledomain.com\" {capabilities = [\"read\"]}"
> test1.exampledomain.com.hcl
vault policy write test1.exampledomain.com test1.exampledomain.com.hcl
```
We can then see the above working on the client with this code -
```
$mysql_root = Deferred('vault_lookup::lookup',
["secret/test1.exampledomain.com", 'https://puppet.exampledomain.com:8200'])
notify {mysql_root: message => $mysql_root}
```
What we can't figure out is how to reference the KV pair inside a Puppet
manifest as a parameter. Eg, in YAML:
```
---
mysql::server::root_password: "%{something wonderful happens here}"
```
Any ideas?
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/907b7092-1048-42ec-89c3-7c7448fdebf4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
