Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-7543

Hiera 5 eyaml_lookup_key options gets overwritten when multiple entries are used.

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PUP 4.10.0
    • Fix Version/s: PUP 4.10.2
    • Component/s: Hiera & Lookup
    • Environment:

      PE 2017.2.1 with Hiera 5 with eyaml backend

    • Template:
    • Acceptance Criteria:
      Hide

      Hiera 5 eyaml_lookup_key function should use the options defined for the appropriate level. The global options should work with the global hierarchy. This should also function for environment and module hierarchies.

      Show
      Hiera 5 eyaml_lookup_key function should use the options defined for the appropriate level. The global options should work with the global hierarchy. This should also function for environment and module hierarchies.
    • Sub-team:
    • Team:
      Agent
    • Story Points:
      1
    • Sprint:
      Agent 2017-06-14
    • Method Found:
      Customer Feedback
    • CS Priority:
      Normal
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      When using eyaml and hiera 5 and having multiple entries with different set of options for eyaml those options could override each other in an unpredictable way. This is now fixed.
    • QA Risk Assessment:
      No Action
    • QA Risk Assessment Reason:
      Check in includes tests for the change

      Description

      When using Hiera 5 with the same Hierarchy file name at the global and environment level, lookups fail to use the options associated with the global level It appears that the global file path is used, but the environment options are used. When using eyaml, this results in using the wrong keys on the eyaml file.

      Example

      Global hiera.yaml

      ---
      version: 5
      defaults:
        datadir: data
       
      hierarchy:
        - name: "Global secrets"
          lookup_key: eyaml_lookup_key
          path: "secrets.eyaml"
          options:
            pkcs7_private_key: /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
            pkcs7_public_key: /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
      

      Environment hiera.yaml

      ---
      version: 5
      defaults:
        datadir: data
       
      hierarchy:
        - name: "Environment secrets"
          lookup_key: eyaml_lookup_key
          path: "secrets.eyaml"
          options:
            pkcs7_private_key: /etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem
            pkcs7_public_key: /etc/puppetlabs/code/environments/production/keys/public_key.pkcs7.pem
      

      Looking up a key which is both the environment and global secrets.eyaml

      # puppet lookup secret --explain
      Error: Could not run: bad decrypt
      

      Looking up a nonexistent key

      # puppet lookup doesnotexist --explain
      Searching for "doesnotexist"
        Global Data Provider (hiera configuration version 5)
          Using configuration "/etc/puppetlabs/puppet/hiera.yaml"
          Hierarchy entry "Global secrets"
            Path "/etc/puppetlabs/puppet/data/secrets.eyaml"
              Original path: "secrets.eyaml"
              No such key: "doesnotexist"
        Environment Data Provider (hiera configuration version 5)
          Using configuration "/etc/puppetlabs/code/environments/production/hiera.yaml"
          Hierarchy entry "Environment secrets"
            Path "/etc/puppetlabs/code/environments/production/data/secrets.eyaml"
              Original path: "secrets.eyaml"
              No such key: "doesnotexist"
      Function lookup() did not find a value for the name 'doesnotexist'
      

      An environment specific key works when not defined in the global eyaml file.

      # puppet lookup envsecret --explain
      Warning: Unknown variable: 'creates_path'. at /opt/puppetlabs/puppet/modules/pe_staging/manifests/extract.pp:56:22
      Searching for "envsecret"
        Global Data Provider (hiera configuration version 5)
          Using configuration "/etc/puppetlabs/puppet/hiera.yaml"
          Hierarchy entry "Global secrets"
            Path "/etc/puppetlabs/puppet/data/secrets.eyaml"
              Original path: "secrets.eyaml"
              No such key: "envsecret"
        Environment Data Provider (hiera configuration version 5)
          Using configuration "/etc/puppetlabs/code/environments/production/hiera.yaml"
          Hierarchy entry "Environment secrets"
            Path "/etc/puppetlabs/code/environments/production/data/secrets.eyaml"
              Original path: "secrets.eyaml"
              Found key: "envsecret" value: "environmentsecret"
      

      A global specific key fails

      # puppet lookup globalsecret --explain
      Error: Could not run: bad decrypt
      

      Steps to Reproduce

      1. Install 2017.2.1
      2. Install eyaml
      3. Configure the global hiera.yaml as above
      4. Create eyaml keys for the global eyaml
      5. Create encrypted keys in the global data/secrets.eyaml
      6. Configure the environment hiera.yaml as above
      7. Create eyaml keys for the environment eyaml
      8. Create encrypted keys in the environment data/secrets.eyaml
      9. Lookup keys defined in the global secrets.eyaml

        Attachments

          Activity

            People

            Assignee:
            Unassigned
            Reporter:
            jarret.lavallee Jarret Lavallee
            QA Contact:
            Eric Delaney
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Zendesk Support