  1. Puppet
  2. PUP-8947

Automatically cast ACPL results to Sensitive for Sensitive-typed class parameters

    Details

    • Type: Improvement
    • Status: Needs Information
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Template:
    • QA Risk Assessment:
      Needs Assessment

      Description

      When Puppet does an Automatic Class Parameter lookup for a class parameter that is of type Sensitive[T], a T value being returned should automatically be cast to Sensitive[T].

      The use case here is that I store sensitive data in hiera encrypted in eyaml. I have corresponding profiles that have class parameters defined like so:

      class profile::some_profile (
        Sensitive[String[1]] $some_sensitive_value,
      ) {
        # puppet code here
      }

      It is currently a significant amount of extra work to mark each hiera entry that is already encrypted as Sensitive; it actually quadruples the number of lines of data in a given yaml file for the first entry and triples it for all subsequent entries because, as of now, you must do this to mark the value as Sensitive:

      ---
      lookup_options:
        profile::some_profile::some_sensitive_value:
          convert_to: "Sensitive"
       
      profile::some_profile::some_sensitive_value: ENC[PKCS7,encrypted_value_here]
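
An added check, not part of the original issue and not Puppet's own code: this Ruby script lists the keys in a single Hiera data file whose values are eyaml-encrypted but have no `convert_to: "Sensitive"` entry in `lookup_options`, matched either by exact key or by a regular-expression key starting with `^`. The function names and sample data are constructed for illustration, and it inspects one file only, not `lookup_options` merged across the hierarchy.

```ruby
require 'yaml'

# An eyaml-encrypted string looks like ENC[PKCS7,...].
ENC_VALUE = /\AENC\[\w+,/

# True if the value, or anything nested inside it, is eyaml-encrypted.
def encrypted?(value)
  case value
  when String then value.match?(ENC_VALUE)
  when Array  then value.any? { |v| encrypted?(v) }
  when Hash   then value.values.any? { |v| encrypted?(v) }
  else false
  end
end

# convert_to is a type name, or an array of [type name, args...].
def sensitive_option?(opts)
  opts.is_a?(Hash) && Array(opts['convert_to']).first == 'Sensitive'
end

# Keys in one Hiera data file that hold encrypted values but are not
# covered by a convert_to: Sensitive entry in lookup_options.
def unwrapped_secrets(yaml_text)
  data = YAML.safe_load(yaml_text) || {}
  options = data['lookup_options'] || {}
  covered = options.select { |_, o| sensitive_option?(o) }.keys
  patterns, exact = covered.partition { |k| k.start_with?('^') }
  regexes = patterns.map { |p| Regexp.new(p) }
  data.reject { |k, _| k == 'lookup_options' }
      .select { |_, v| encrypted?(v) }
      .keys
      .reject { |k| exact.include?(k) || regexes.any? { |r| r.match?(k) } }
end

# Constructed sample data (hypothetical keys and placeholder ciphertext).
SAMPLE = <<~YAML
  ---
  lookup_options:
    profile::some_profile::some_sensitive_value:
      convert_to: "Sensitive"
    '^profile::db::.*_password$':
      convert_to: "Sensitive"
  profile::some_profile::some_sensitive_value: ENC[PKCS7,constructed_a]
  profile::db::admin_password: ENC[PKCS7,constructed_b]
  profile::api::token: ENC[PKCS7,constructed_c]
  profile::api::port: 8443
YAML

puts unwrapped_secrets(SAMPLE)
```
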


            People

            Assignee:
            Unassigned
            Reporter:
            gene.liverman Gene Liverman
            Votes:
            4
            Watchers:
            9
