Re: [EXTERNAL] - Re: [Puppet Users] Hiera 5 and Deferred / Sensitive

Am Mittwoch, dem 02.11.2022 um 00:21 -0700 schrieb Aaron Russo: There is petems-hiera_vault which is close -- Didn't know thi

Re: [Puppet Users] Hiera 5 and Deferred / Sensitive

If you're referring to hiera-eyaml-vault , that's not pulling secrets out of Vault -- it's using the transit encryption provider in place of gpg keys and storing those in yaml. It's a neat approach but not what I'm looking for. There is petems-hiera_

Re: [Puppet Users] Hiera 5 and Deferred / Sensitive

Am Freitag, dem 21.10.2022 um 11:49 -0700 schrieb Aaron Russo: However it feels like an anti-pattern by forcing lookups into our manifests when we want to keep that in Hiera. I found a previous related thread[2] where Henrik suggested writing a custom backend for Hiera and return a Deferred. hi

Re: [Puppet Users] Hiera 5 and Deferred / Sensitive

Closing the loop on this for anyone else trying this in the future. The custom backend was correct the entire time and was returning the Deferred function. However since I was defining a key prefix that wasn't actually used in Hiera for the custom backend to key off of, I was making use of the

Re: [Puppet Users] Hiera 5 and Deferred / Sensitive

So I managed to get this to work by changing hiera data slightly, replacing the `lookup` function with `alias` so that the type wasn't automatically converted to a string. ``` # this works! note the weird quoting is to avoid hiera treating fqdn dots as sub-keys and is intentional. profile::gitlab_

[Puppet Users] Hiera 5 and Deferred / Sensitive

We're using the vault_lookup[1] module to retrieve secrets from Vault via mTLS. It works fairly well when grabbing secrets within a manifest. However it feels like an anti-pattern by forcing lookups into our manifests when we want to keep that in Hiera. I found a previous related thread[2] wher