On 2019-03-11 04:01, comport3 wrote:
Hi Henrik,
You're correct - this sample code precedes getting the Hiera
function/lookup working, I want to be able to do it in Puppet code first.
I've ended up with the following -
```
$secret_lookup = Deferred('vault_lookup::lookup',
["secret/client.example.com", 'https://puppet.example.com:8228'])
notify {mysql_root: message => Deferred('get', [$secret_lookup,
'mysql_root_password'])}
```
It returns this error -
*Error: Failed to apply catalog: 'dig' parameter 'data' expects a value
of type Undef or Collection, got Sensitive[Hash]*
Any ideas?
Yeah - sigh... The vault lookup returns an instance of Sensitive which
get / dig cannot dig into. We could possibly allow digging into a
Sensitive value as the result would also be made sensitive, but that
function does not do that. (Please file a ticket).
There is unfortunately no way of solving the issue with just Deferred
since unwrapping a Sensitive is done with a lambda and those cannot be
deferred. There is a proposal (and an implementation) in ticket
https://tickets.puppetlabs.com/browse/PUP-9254 where an eval() function
is added.
Another approach of getting what you want is to write your own custom
ruby function that does the unwrap and dig.
And lastly - you could avoid having to dig out a detailed value and
instead look it up separately.
- henrik
On Friday, March 8, 2019 at 8:43:55 PM UTC+11, Henrik Lindberg wrote:
On 2019-03-08 03:13, comport3 wrote:
> Hi Henrik,
>
> Thanks for your reply.
>
> I still don't really understand how to use your example - is it an
> additional custom function written in Ruby that would be
synchronised
> from the master?
>
I showed a hiera backend that returns Deferred - but it seems that is
not really what you were asking about (your example is different).
> How would this be structured or implemented step by step please?
>
> This is what's in my current class, with specifically what
doesn't work
> commented out at the bottom (ignore my custom Vault port, please) -
>
> class profile::vaulttest {
>
> $secret_lookup = Deferred('vault_lookup::lookup',
> ["secret/client.example.com <http://client.example.com>",
'https://puppet.example.com:8228'])
>
> ## Works, returns a hashed array of key/value pairs, I want to
look
> up a SPECIFIC key and it's value, eg 'mysql_root_password'
> notify {mysql_root: message => $secret_lookup}
>
> ## Trying to lookup a key within the array, fails with error
> ## Evaluation Error: Operator '[]' is not applicable to an
Object.
> #notify {mysql_root: message =>
$secret_lookup[mysql_root_password]}
>
> }
>
> Help?! :-)
>
The reason your commented out code does not work is because you are
trying to get the key "mysql_root_password" from a Deferred that has
not
yet been resolved. (It will be resolved later when the catalog is
processed on the agent, but while compiling the Deferred is just an
instruction to do something later).
You need the following:
message => Deferred('get', [$secret_lookup, 'mysql_root_password'])
To get what I think you want.
- henrik
>
> On Thursday, February 28, 2019 at 4:29:15 AM UTC+11, Henrik
Lindberg wrote:
>
> On 2019-02-27 00:01, comport3 wrote:
> > Hi Henrik and Group,
> >
> > Thank you very much, this sounds like exactly what we are
after.
> After
> > reviewing
> https://puppet.com/docs/puppet/6.3/hiera_custom_backends.html
<https://puppet.com/docs/puppet/6.3/hiera_custom_backends.html>
>
<https://puppet.com/docs/puppet/6.3/hiera_custom_backends.html
<https://puppet.com/docs/puppet/6.3/hiera_custom_backends.html>>
> > we are a little lost as to how to get started. Does anyone
have any
> > example code of using a Customer Backend or Puppet
Function in
> > conjunction with a Deferred data type lookup for us to
review?
> Anything
> > including the Vault lookup logic or some 'proof of
concept' code
> would
> > be a much welcomed starting point.
> >
>
> It is actually dead simple - here is an example that returns
a hard
> coded deferred. The example is written in the Puppet
Language, and is
> autoloaded just like other functions from "mymodule".
>
> This simple example is a "data hash" kind of backend - it is
called
> once
> and is expected to return a hash with key => value bindings.
>
> function mymodule::deferred_example(
> Hash $options,
> Puppet::LookupContext $context,
> ) {
> # Return a hash with key(s) bound to Deferred value(s)
> { 'the_key' => Deferred('vault_lookup', ['the key']) }
> }
>
> Then there are lots of different things you could do.
>
> The $options hash contains information from hiera.yaml:
> - if a path/URI was given or not (and that path existed)
> - any custom options given in hiera.yaml for this entry
>
> This means you could configure what the backend would do
based on
> either
> options given directly (a list of keys for which this backend
should
> return a Deferred), or you can use the path to read such data
from a
> file, using say a function to read that file as json from the
path in
> options.
>
> To use this backend simply enter its name in hiera.yaml like
you do for
> other backend functions.
>
> Another alternative is to write a backend of "lookup key"
kind. The
> contract there is to return a value per key or that the
> $context.not_found() is called (if it does not have a value
for the
> key).
>
> If you go this route, then the function could for example
lookup a key
> in hiera that holds the names of keys to lookup in a deferred
way.
> Or, if you design it so that all deferred parameters can be
identified
> via their name then you could simply return a Deferred for
all keys
> that
> match a pattern.
>
> Read all the details starting from here:
> https://puppet.com/docs/puppet/latest/hiera_custom_backends.html
<https://puppet.com/docs/puppet/latest/hiera_custom_backends.html>
>
<https://puppet.com/docs/puppet/latest/hiera_custom_backends.html
<https://puppet.com/docs/puppet/latest/hiera_custom_backends.html>>
>
> Hope this helps.
> - henrik
>
>
> --
>
> Visit my Blog "Puppet on the Edge"
> http://puppet-on-the-edge.blogspot.se/
<http://puppet-on-the-edge.blogspot.se/>
> <http://puppet-on-the-edge.blogspot.se/
<http://puppet-on-the-edge.blogspot.se/>>
>
> --
> You received this message because you are subscribed to the Google
> Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it,
send
> an email to puppet-users...@googlegroups.com <javascript:>
> <mailto:puppet-users+unsubscr...@googlegroups.com <javascript:>>.
> To view this discussion on the web visit
>
https://groups.google.com/d/msgid/puppet-users/2ecccdee-e130-4f44-b6a1-b1a0c8532bbd%40googlegroups.com
<https://groups.google.com/d/msgid/puppet-users/2ecccdee-e130-4f44-b6a1-b1a0c8532bbd%40googlegroups.com>
>
<https://groups.google.com/d/msgid/puppet-users/2ecccdee-e130-4f44-b6a1-b1a0c8532bbd%40googlegroups.com?utm_medium=email&utm_source=footer
<https://groups.google.com/d/msgid/puppet-users/2ecccdee-e130-4f44-b6a1-b1a0c8532bbd%40googlegroups.com?utm_medium=email&utm_source=footer>>.
> For more options, visit https://groups.google.com/d/optout
<https://groups.google.com/d/optout>.
--
Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
<http://puppet-on-the-edge.blogspot.se/>
--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to puppet-users+unsubscr...@googlegroups.com
<mailto:puppet-users+unsubscr...@googlegroups.com>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/d7900a19-e1c4-4ffa-8581-ef48f66192b8%40googlegroups.com
<https://groups.google.com/d/msgid/puppet-users/d7900a19-e1c4-4ffa-8581-ef48f66192b8%40googlegroups.com?utm_medium=email&utm_source=footer>.
For more options, visit https://groups.google.com/d/optout.
--
Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
--
You received this message because you are subscribed to the Google Groups "Puppet
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/q6835f%244o6a%241%40blaine.gmane.org.
For more options, visit https://groups.google.com/d/optout.
