I think I ran into a similar issue before. Try putting "eyaml" as the
first backend to see if that helps.
Here's a copy of our hiera.yaml file which works.
---
:backends:
- eyaml
- yaml
:hierarchy:
- "nodes/%{::trusted.certname}"
- common
:yaml:
# datadir is empty here, so hiera uses its defaults:
# # - /etc/puppetlabs/code/environments/%{environment}/hieradata on *nix
# # - %CommonAppData%\PuppetLabs\code\environments\%{environment}\hieradata
on Windows
# # When specifying a datadir, make sure the directory exists.
# :datadir:
:eyaml:
:extension: 'yaml'
:pkcs7_private_key: '/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem'
:pkcs7_public_key: '/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem'
On Friday, July 8, 2016 at 1:09:02 PM UTC-4, dkoleary wrote:
>
> Hi;
>
> I have hiera.eyaml installed and functional from the CLI; however, when I
> attempt to use it in a module, the encrypted string is being used rather
> than the decrypted value.
>
> I have to be missing something mind numbingly simple; but, I've been
> through the doc at https://github.com/TomPoulton/hiera-eyaml so many
> times it's starting to blur. Can someone tell me waht I messed up?
>
> From the CLI:
>
> -bash-4.1$ cat nap1d030.yaml
> ---
> # mpintp::source: 'ntp.conf.dmz'
> # mpisyslog::el6::source: 'mpi-custom.conf'
> mpisshd::enabled: false
> mpiroot::pwd: >
> ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw
> DQYJKoZIhvcNAQEBBQAEggEAANy7eyKzeNLVeNqF3h4qM5pEw38G8yWJOezA
> SQ72MugY8FgwIWNsE2TmS3W2jBe1/zTAggd5p79RBubIdfL5DDPjjNTimzgV
> k0qppx3EefolMSzphfvVv5JOz8ue13OvpzFV/MM5qZLhOeUFAIUY3NM9RqHN
> PVM/woxhpnjMStlKXGakJYxLrf8ucMLh5WrW7JpN0jvjjVlVJjGsLaqygUsC
> alJ3zQkgxtaR0SCCgvvsJ2wYCs82fVnuFf6d0g4cPPCGnT3CtNFFffQMlwTt
> uEErGyKswxMPnKWybFNLYj+cVOhbLf946CMzCUcpWUIdHBnT3BcAi4qiryJF
> 6O91WzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBA5QFyFpSmqqxUlAByZ
> qFWsgBDY6tjQ9Pbb4nRHCvkI29ve]
>
>
> -bash-4.1$ eyaml decrypt -f ./nap1d030.yaml
> [hiera-eyaml-core] Loaded config from /opt/puppetlabs/server/data/
> puppetserver/.eyaml/config.yaml
> ---
> # mpintp::source: 'ntp.conf.dmz'
> # mpisyslog::el6::source: 'mpi-custom.conf'
> mpisshd::enabled: false
> mpiroot::pwd: snipped
>
> The test module just does a notify:
>
> class mpiroot (
> $pwd,
> ) {
>
> notify { "Password: ${pwd}": }
> }
>
>
> And the run shows the encrypted string:
>
> $ sudo puppet agent -t
> Notice: Local environment: 'production' doesn't match server specified
> node environment 'dkoleary', switching agent to 'dkoleary'.
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
> Info: Loading facts
> Info: Caching catalog for nap1d030.multiplan.com
> Info: Applying configuration version '1467996521'
> Notice: Password:
> ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw
> DQYJKoZIhvcNAQEBBQAEggEAANy7eyKzeNLVeNqF3h4qM5pEw38G8yWJOezA
> SQ72MugY8FgwIWNsE2TmS3W2jBe1/zTAggd5p79RBubIdfL5DDPjjNTimzgV
> k0qppx3EefolMSzphfvVv5JOz8ue13OvpzFV/MM5qZLhOeUFAIUY3NM9RqHN
> PVM/woxhpnjMStlKXGakJYxLrf8ucMLh5WrW7JpN0jvjjVlVJjGsLaqygUsC
> alJ3zQkgxtaR0SCCgvvsJ2wYCs82fVnuFf6d0g4cPPCGnT3CtNFFffQMlwTt
> uEErGyKswxMPnKWybFNLYj+cVOhbLf946CMzCUcpWUIdHBnT3BcAi4qiryJF
> 6O91WzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBA5QFyFpSmqqxUlAByZ
> qFWsgBDY6tjQ9Pbb4nRHCvkI29ve]
> [[snip]]
>
>
> The hiera.yaml file and keys:
>
> ---
> :backends:
> - yaml
> - eyaml
> :hierarchy:
> - "hosts/%{facts.hostname}"
> - "environments/%{facts.environment}"
> - "host_env/%{facts.env}"
> - "dc/%{facts.dc}"
> - "os/%{facts.operatingsystemmajrelease}"
> - common
> :yaml:
> :datadir: /etc/puppetlabs/code/hieradata
> :eyaml:
> :extension: 'yaml'
> :datadir: /etc/puppetlabs/code/hieradata
> :pkcs7_private_key: /etc/puppetlabs/secure/keys/private_key.pkcs7.pem
> :pkcs7_public_key: /etc/puppetlabs/secure/keys/public_key.pkcs7.pem
>
>
> -bash-4.1$ ls -ld /etc/puppetlabs/secure/keys/{public,private}_key*.pem
> -r--------. 1 puppet puppet 1675 Jul 8 11:28 /etc/puppetlabs/secure/keys/
> private_key.pkcs7.pem
> -r--------. 1 puppet puppet 1050 Jul 8 11:28 /etc/puppetlabs/secure/keys/
> public_key.pkcs7.pem
>
> Any hints/tips, etc gratefully accepted.
>
> Thanks
>
> Doug
>
>
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/095fbca4-af87-41fb-8b59-53373b7cbad4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
