So I managed to get this to work by changing hiera data slightly, replacing
the `lookup` function with `alias` so that the type wasn't automatically
converted to a string.

```yaml
# this works! note the weird quoting is to avoid hiera treating fqdn dots as sub-keys and is intentional.
profile::gitlab_runner::lookup_test: "%{alias(\"'vault_lookup::kv/data/host/gitlab-runner-31.example.com/gitlab-ci>registration_token'\")}"
```

Unfortunately, this breaks down when I want to embed that key in a config
hash within hiera, like this:
```yaml
gitlab_ci_runner::runners:
  'instance':
    config:
      name: "Instance Runner on %{::hostname}"
      registration-token: "%{alias(\"'vault_lookup::kv/data/host/gitlab-runner-31.example.com/gitlab-ci>registration_token'\")}"
  ...
```

I'm guessing without some changes in Hiera/Puppet, this part may not be
possible? Anyone have experience with this?


On Fri, Oct 21, 2022 at 2:28 PM Aaron Russo <aru...@pixar.com> wrote:

> We're using the vault_lookup[1] module to retrieve secrets from Vault via
> mTLS. It works fairly well when grabbing secrets within a manifest.
>
> However it feels like an anti-pattern by forcing lookups into our
> manifests when we want to keep that in Hiera. I found a previous related
> thread[2] where Henrik suggested writing a custom backend for Hiera and
> return a Deferred.
>
> However after doing what I thought was the correct thing, and returning a
> Deferred in our custom backend, the value in the file ends up being the
> literal string 'Deferred ...' and not being evaluated. I even wrote a quick
> manifest to check if a Deferred is being returned by Hiera/APL and it does
> not seem to be the case -- Hiera is returning a String representation of it.
>
> So my question is -- is it possible to actually return a Deferred via a
> Hiera lookup_key backend and if so, what might I be doing wrong? Sanitized
> code / outputs / etc provided[3] for mocking.
>
> Versions:
>  puppet: 7.20.0
>  puppetserver: 7.8.0
>  puppetlabs/stdlib: 8.30
>
> Thanks!
>
> Aaron
>
> [1] https://forge.puppet.com/modules/puppet/vault_lookup
> [2] https://groups.google.com/g/puppet-users/c/E-Q-ok-B0gQ/m/h-tYJFPdBwAJ
> [3] https://gist.github.com/arusso/9eed3cac93e02aa270b6811b560b2093
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/e5e12ede-e33f-440a-b13f-ccd221110f9dn%40googlegroups.com
>


-- 
Aaron Russo (He/Him/His)
PIXAR | Network & Server Admins (NSA) | Senior Systems Engineer
aru...@pixar.com
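
An added example, not code from this thread or from the vault_lookup or gitlab_ci_runner modules, showing the manifest-side pattern the original message describes as working: the non-secret runner settings stay in Hiera, the Vault read is wrapped in a Deferred so the agent performs it and the token is never compiled into the catalog, and the file is rendered on the agent by a deferred inline_epp whose argument hash carries the nested Deferred. Assumed: the two-argument `vault_lookup::lookup(path, url)` form from the module README, that it returns a Sensitive value, the placeholder Vault URL and KV path, the `gitlab_ci_runner::runners` hash from the Hiera data above, and the illustrative target file name.

```puppet
# Added example (assumptions: vault_lookup::lookup(path, url) as in the module
# README, returning Sensitive; placeholder Vault URL, KV path and file name).
class profile::gitlab_runner (
  String $vault_url = 'https://vault.example.com:8200',
) {
  # Non-secret settings come from the Hiera hash shown in the message above and
  # are compiled into the catalog as usual.
  $runner = lookup('gitlab_ci_runner::runners')['instance']['config']

  # Built in the manifest, so no Hiera quoting games are needed for the dots in
  # the fqdn. The server compiles only the call; the agent performs the read.
  $secret_path = "kv/data/host/${facts['networking']['fqdn']}/gitlab-ci"
  $token = Deferred('vault_lookup::lookup', [$secret_path, $vault_url])

  # unwrap is used because the lookup is assumed to return Sensitive; on a plain
  # String it returns the value unchanged.
  $template = @(CONF)
    name = "<%= $name %>"
    registration-token = "<%= $token.unwrap %>"
    | CONF

  # inline_epp is itself deferred, so the template is rendered on the agent
  # after the nested Deferred in its argument hash has been resolved.
  file { '/etc/gitlab-runner/registration.conf':
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    show_diff => false,   # keep the token out of agent reports and logs
    content   => Deferred('inline_epp', [$template, {
      'name'  => $runner['name'],
      'token' => $token,
    }]),
  }
}
```

The point of routing the secret through `Deferred('inline_epp', ...)` rather than through a class parameter is exactly the failure the original message reports: anything rendered at compile time sees the Deferred object, not its value, and writes the literal `Deferred ...` string. Only resource parameters in the catalog are resolved by the agent, so the template and the lookup both have to be deferred together.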

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAA4bxV6NY%2BFoDk-sSZZ8Bv%3D4wuAVP%3DdeQ4Hbg1RnULQXAqCc-w%40mail.gmail.com.