29 changes: 0 additions & 29 deletions README.md
Expand Up @@ -243,39 +243,10 @@ would result in following lookups:
- http://vault.foobar.com:8200/some_secret/data/foo.example.com/cool_key (for v2)
- http://vault.foobar.com:8200/some_secret/data/common/cool_key (for v2)

#### Multiple keys in trusted certname

Often you want to whitelist multiple paths for each host (e.g. due to host having multiple roles). In this case simply add keys delimited with comma to trusted field. For example:

```yaml
mounts:
secret:
- "%{trusted.extensions.pp_role}"
```

and host configured with

```yaml
---
extension_requests:
pp_role: api,ssl
```

would result in lookups in:

- http://vault.foobar.com:8200/secret/api/cool_key (for v1)
- http://vault.foobar.com:8200/secret/api/data/cool_key (for v2)
- http://vault.foobar.com:8200/secret/data/api/cool_key (for v2)
- http://vault.foobar.com:8200/secret/ssl/cool_key (for v1)
- http://vault.foobar.com:8200/secret/ssl/data/cool_key (for v2)
- http://vault.foobar.com:8200/secret/data/ssl/cool_key (for v2)

#### More verbose paths in Hiera

Often implicit path extension makes it hard to understand which exact paths are used for given host - as you need to inspect both Hiera and trusted field for each host.

With above configuration and lookup `$cool_key = lookup({"name" => "cool_key"})` you cannot be sure whether `api/cool_key` or `ssl/cool_key` will be used (whichever happens to be first in lookup list).

To alleviate this problem you can use full paths in Hiera, provided `v2_guess_mount: false` configuration is active. For example with:

```yaml
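Review bot: The surviving "More verbose paths in Hiera" context lines now dangle: "With above configuration and lookup ... you cannot be sure whether `api/cool_key` or `ssl/cool_key` will be used" refers to the `pp_role: api,ssl` example that this hunk deletes, so a reader of the new README meets `api/cool_key` and `ssl/cool_key` with no configuration that produces them. Either keep a short note in that section that comma-separated values in the trusted field are no longer split into multiple paths, or reword the paragraph so it does not depend on the removed example.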
29 changes: 1 addition & 28 deletions lib/puppet/functions/hiera_vault.rb
Expand Up @@ -208,7 +208,7 @@ def vault_get(key, options, context)

# Only kv mounts supported so far
kv_mounts.each_pair do |mount, paths|
interpolate(context, paths).each do |path|
paths.each do |path|
secretpath = context.interpolate(File.join(mount, path))

context.explain { "[hiera-vault] Looking in path #{secretpath} for #{key}" }
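Review bot: Replacing `interpolate(context, paths).each` with `paths.each` is a silent behaviour change for existing users, not just a cleanup: a trusted value such as `api,ssl` from the old README example is now interpolated into a single literal path (`secret/api,ssl/...`) instead of two lookups, and nothing in `vault_get` rejects or warns about the comma. Please call this out as breaking in the changelog and PR description, and consider a `context.explain` line (or a warning) when a resolved path still contains a comma, so operators who relied on the expansion see why their lookups now miss rather than getting a silent nil.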
Expand Down Expand Up @@ -308,31 +308,4 @@ def stringify_keys(value)
value
end
end

def interpolate(context, paths)
allowed_paths = []
paths.each do |path|
path = context.interpolate(path)
# TODO: Unify usage of '/' - File.join seems to be a mistake, since it won't work on Windows
# secret/puppet/scope1,scope2 => [[secret], [puppet], [scope1, scope2]]
segments = path.split('/').map { |segment| segment.split(',') }
allowed_paths += build_paths(segments) unless segments.empty?
end
allowed_paths
end

# [[secret], [puppet], [scope1, scope2]] => ['secret/puppet/scope1', 'secret/puppet/scope2']
def build_paths(segments)
paths = [[]]
segments.each do |segment|
p = paths.dup
paths.clear
segment.each do |option|
p.each do |path|
paths << (path + [option])
end
end
end
paths.map { |p| File.join(*p) }
end
end
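Review bot: Removing `interpolate` also drops the only record of the `File.join` portability issue ("File.join seems to be a mistake, since it won't work on Windows"), yet the same `File.join(mount, path)` call remains in `vault_get` in the hunk above. Move that TODO next to the surviving call, or replace the join with an explicit `'/'` concatenation, so the known caveat is not lost along with the helper that happened to carry it.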
87 changes: 0 additions & 87 deletions spec/functions/hiera_vault_path_interpolation_spec.rb

This file was deleted.
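Review bot: Deleting the whole interpolation spec leaves the new behaviour untested; the change in `vault_get` means a comma in a trusted value is now part of the path, and no remaining spec pins that. Rather than removing the file outright, keep one example asserting that a path like `%{trusted.extensions.pp_role}` with a comma-containing value resolves to a single literal path, so a future contributor does not reintroduce the splitting by accident or break the new contract without noticing.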
