Closing the loop on this for anyone else trying this in the future.

The custom backend was correct the entire time and was returning the 
Deferred function. However, since I was defining a key prefix that wasn't 
actually used in Hiera for the custom backend to key off of, I was making 
use of the `lookup` function to perform the lookup of that key. After 
re-reading the docs, I realized that `lookup` will always convert the value 
to a string, which was exactly my problem. Switching to the `alias` 
function brought me success, as it does not attempt a conversion to string 
if it is the only value being interpolated.

I was then able to use that value as desired, provided whatever was 
consuming the value accepted (and unwrapped) the Sensitive[String] that was 
returned from the Deferred function.

Cheers,

Aaron

On Monday, October 31, 2022 at 1:00:25 PM UTC-7 Aaron Russo wrote:

> So I managed to get this to work by changing hiera data slightly, 
> replacing the `lookup` function with `alias` so that the type wasn't 
> automatically converted to a string.
>
> ```
> # this works! note the weird quoting is to avoid hiera treating fqdn dots
> # as sub-keys and is intentional.
> profile::gitlab_runner::lookup_test: "%{alias(\"'vault_lookup::kv/data/host/gitlab-runner-31.example.com/gitlab-ci>registration_token'\")}"
> ```
>
> Unfortunately, this breaks down when I want to embed that key in a config 
> hash within hiera, like this:
> ```
> gitlab_ci_runner::runners:
>   'instance':
>     config:
>       name: "Instance Runner on %{::hostname}"
>       registration-token: "%{alias(\"'vault_lookup::kv/data/host/gitlab-runner-31.example.com/gitlab-ci>registration_token'\")}"
>   ...
> ```
>
> I'm guessing without some changes in Hiera/Puppet, this part may not be 
> possible? Anyone have experience with this?
>
>
> On Fri, Oct 21, 2022 at 2:28 PM Aaron Russo <aru...@pixar.com> wrote:
>
>> We're using the vault_lookup[1] module to retrieve secrets from Vault via 
>> mTLS. It works fairly well when grabbing secrets within a manifest.
>>
>> However it feels like an anti-pattern by forcing lookups into our 
>> manifests when we want to keep that in Hiera. I found a previous related 
>> thread[2] where Henrik suggested writing a custom backend for Hiera and 
>> return a Deferred.
>>
>> However after doing what I thought was the correct thing, and returning a 
>> Deferred in our custom backend, the value in the file ends up being the 
>> literal string 'Deferred ...' and not being evaluated. I even wrote a quick 
>> manifest to check if a Deferred is being returned by Hiera/APL and it does 
>> not seem to be the case -- Hiera is returning a String representation of it.
>>
>> So my question is -- is it possible to actually return a Deferred via a 
>> Hiera lookup_key backend and if so, what might I be doing wrong? Sanitized 
>> code / outputs / etc provided[3] for mocking.
>>
>> Versions:
>>  puppet: 7.20.0
>>  puppetserver: 7.8.0
>>  puppetlabs/stdlib: 8.30
>>
>> Thanks!
>>
>> Aaron
>>
>> [1] https://forge.puppet.com/modules/puppet/vault_lookup
>> [2] https://groups.google.com/g/puppet-users/c/E-Q-ok-B0gQ/m/h-tYJFPdBwAJ
>> [3] https://gist.github.com/arusso/9eed3cac93e02aa270b6811b560b2093
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to puppet-users...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/puppet-users/e5e12ede-e33f-440a-b13f-ccd221110f9dn%40googlegroups.com.
>>
>
>
> -- 
> Aaron Russo (He/Him/His)
> PIXAR | Network & Server Admins (NSA) | Senior Systems Engineer
> aru...@pixar.com
>
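Editor's note: to make the moving parts of the thread concrete, here is an added example of the pattern Aaron describes. It is an illustration written for this page, not code from the thread, from the gist, or from the vault_lookup module. It shows a lookup_key backend in the Puppet language that answers only keys carrying a configured prefix and returns a Deferred, the Hiera data that keeps that Deferred intact with `alias`, and a manifest that consumes the value both on its own and nested inside a config hash. The function name `profile::vault_deferred_key`, the hierarchy entry, the key names, file paths and the EPP template are all assumptions. The `>field` suffix in the thread's data is the author's own backend convention and is not reproduced; here everything after the prefix is taken to be the Vault path. `vault_lookup::lookup` is assumed to be reachable with the module's usual address and certificate configuration, which is omitted.

```puppet
# hiera.yaml hierarchy entry (assumed names):
#   - name: "Vault secrets, resolved on the agent"
#     lookup_key: profile::vault_deferred_key
#     options:
#       prefix: "vault_lookup::"
#
# Hiera data, using alias so the Deferred survives interpolation (the quoting
# keeps Hiera from treating the dots in the FQDN as sub-keys, as in the thread):
#   profile::gitlab_runner::token: "%{alias(\"'vault_lookup::kv/data/host/runner.example.com/gitlab-ci'\")}"

# modules/profile/functions/vault_deferred_key.pp (assumed location)
# lookup_key backend: answers only prefixed keys and hands back a Deferred, so the
# secret is read on the agent at apply time and never enters the catalog.
function profile::vault_deferred_key(
  Variant[String, Numeric] $key,
  Hash                     $options,
  Puppet::LookupContext    $context,
) {
  $prefix = $options['prefix']
  # Any key that is not ours: tell Hiera to move on to the next hierarchy level.
  unless $key =~ String and $key[0, $prefix.length] == $prefix {
    $context.not_found()
  }
  # Assumption: everything after the prefix is the Vault path to read.
  $path = $key[$prefix.length, $key.length - $prefix.length]
  Deferred('vault_lookup::lookup', [$path])
}

# Manifest side (e.g. the body of a profile class).
# The Puppet-language lookup() returns the Deferred unchanged; only the
# %{lookup(...)} interpolation inside Hiera data turns it into a string.
$token = lookup('profile::gitlab_runner::token')

# Simplest consumer: a resource attribute that accepts the Sensitive[String]
# the Deferred resolves to on the agent.
file { '/etc/gitlab-runner/registration-token':
  ensure    => file,
  owner     => 'root',
  group     => 'root',
  mode      => '0600',
  show_diff => false,   # keep the rendered secret out of agent reports
  content   => $token,
}

# Deferred nested inside a hash (the config-hash case from the thread): render
# the file on the agent too. inline_epp is itself deferred, and the inner
# Deferred('unwrap', ...) turns the agent-side Sensitive[String] into the plain
# string the template needs; nested Deferred arguments are resolved first.
$runner = lookup('gitlab_ci_runner::runners')['instance']['config']
$template = @(EPP)
  <%- | String $name, String $token | -%>
  [[runners]]
    name  = "<%= $name %>"
    token = "<%= $token %>"
  | EPP

file { '/etc/gitlab-runner/instance.toml':
  ensure    => file,
  mode      => '0600',
  show_diff => false,
  content   => Deferred('inline_epp', [$template, {
    'name'  => $runner['name'],
    'token' => Deferred('unwrap', [$runner['registration-token']]),
  }]),
}
```

The two points the thread turns on are visible here: `%{alias(...)}` is the only Hiera interpolation that returns a non-string value, and it has to be the entire value of the key, while the Puppet-language `lookup()` returns the Deferred as-is. Once the value is a Deferred, the consumer has to be Deferred-aware end to end: either a resource attribute that accepts the `Sensitive[String]` it resolves to, or a second Deferred (`inline_epp` plus `unwrap`) that renders the config on the agent. A module that serializes a Hiera hash into a string at compile time will stringify the Deferred just as `%{lookup(...)}` did, which is the failure mode to check for in the config-hash case. The catalog itself only ever carries the Vault path, and `show_diff => false` keeps the rendered secret out of reports.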
