Details
- Type: Bug
- Status: Closed
- Priority: Normal
- Resolution: Incomplete
- Affects Version/s: PUP 6.0.0, PUP 6.1.0
- None
- None
- Platform Core
- Platform Core Grooming
- Customer Feedback
- 33029
- 1
Description
In Puppet 6.x, exported resources whose parameters come from eyaml are stored in PuppetDB in binary format, so the wrong data is applied when they are realized.
PuppetDB 6.x supports rich data, so the encoding of strings returned by hiera backends is now sent to PuppetDB as part of the resource. Unfortunately, hiera-eyaml returns "ASCII-8BIT" encoded strings, so this affects any resource that uses an eyaml-based hiera lookup as a parameter.
This breaks exported resources: the resource realized on a different node receives the encoded string instead of the decrypted one, so the value of the parameter in the realized resource is incorrect.
Using a notify resource with a parameter populated from an eyaml lookup, we see the binary-encoded value. The exported resource looks like the following in PuppetDB:
"exported": true,
"parameters": {
  "message": {
    "__ptype": "Binary",
    "__pvalue": "VGhpcyBpcyBlbmNyeXB0ZWQ="
  }
Whereas using a yaml-based hiera lookup we see the correct string:
"parameters": {
  "message": "This is a non enctrypted string"
},
"exported": true
henrik.lindberg describes this in more detail in https://groups.google.com/forum/#!msg/puppet-users/KCyV2Grjfsg/lQqg_YX7GAAJ
This is specific to hiera-eyaml, because Base64.decode64 returns an ASCII-8BIT encoded string here: https://github.com/voxpupuli/hiera-eyaml/blob/master/lib/hiera/backend/eyaml/encryptor.rb#L28-L30
Below is a simple example:
irb(main):001:0> require 'base64'
=> true
irb(main):002:0> enc = Base64.encode64('a string')
=> "YSBzdHJpbmc=\n"
irb(main):003:0> Base64.decode64(enc).encoding
=> #<Encoding:ASCII-8BIT>
irb(main):004:0> 'a string'.encoding
=> #<Encoding:UTF-8>
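To make the encoding behaviour concrete, here is an added Ruby example that is not hiera-eyaml's or Puppet's own code: it models the decode path, a minimal stand-in for the rich-data rule that turns an ASCII-8BIT string into a Binary object, and the re-tagging a producer can apply so valid UTF-8 text reaches PuppetDB as a plain string. `decode_like_eyaml`, `serialize_param` and `normalize_decrypted` are constructed names; the sample plaintext is the one from the ticket.

```ruby
require 'base64'
require 'json'

# Stand-in for hiera-eyaml's decrypt path: Base64.decode64 always returns
# an ASCII-8BIT (binary-tagged) string, whatever the bytes actually hold.
def decode_like_eyaml(b64)
  Base64.decode64(b64)
end

# Minimal model (constructed, not Puppet's serializer) of the rich-data rule
# seen in the ticket: a string tagged ASCII-8BIT is serialised as a Binary
# object with a base64 __pvalue, anything else is sent as a plain string.
def serialize_param(value)
  if value.encoding == Encoding::ASCII_8BIT
    { '__ptype' => 'Binary', '__pvalue' => Base64.strict_encode64(value) }
  else
    value
  end
end

# Producer-side mitigation: re-tag the decoded bytes as UTF-8 only when they
# are valid UTF-8; genuinely binary secrets keep their binary tag so their
# bytes are not corrupted by a blind force_encoding.
def normalize_decrypted(bytes)
  utf8 = bytes.dup.force_encoding(Encoding::UTF_8)
  utf8.valid_encoding? ? utf8 : bytes
end

# What the exported resource's parameter looks like with and without the fix.
def exported_message(b64, fix: false)
  plaintext = decode_like_eyaml(b64)
  plaintext = normalize_decrypted(plaintext) if fix
  serialize_param(plaintext)
end

if __FILE__ == $0
  b64 = Base64.strict_encode64('This is encrypted') # constructed sample
  puts JSON.pretty_generate('message' => exported_message(b64))
  puts JSON.pretty_generate('message' => exported_message(b64, fix: true))
end
```

Without the fix the parameter becomes the Binary object shown in the ticket, and a consumer that reads it back as a string sees the base64 text instead of the secret.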
Reproduction
1. Configure eyaml in Puppet 6.x+
2. Add an encrypted key
3. Use an exported resource with the eyaml based key
4. Realize the exported resource on a different node.
5. Query the exported resource in PuppetDB
$encryptedkey = lookup('encryptedkey')
$nonencryptedkey = lookup('nonencryptedkey')

@@notify{"${fqdn} This is the encrypted key: ${encryptedkey}":
  message => $encryptedkey
}

@@notify{"${fqdn} This is the nonencrypted key: ${nonencryptedkey}":
  message => $nonencryptedkey
}

Notify <<| |>>
Example output:
# puppet query 'resources{exported = true and type = "Notify"}'
[
  {
    "tags": [
      "class",
      "notify",
      "encrypted_export",
      "default",
      "node"
    ],
    "file": "/etc/puppetlabs/code/environments/production/modules/encrypted_export/manifests/init.pp",
    "type": "Notify",
    "title": "pe-201901-master.puppetdebug.vlan This is the encrypted key: This is encrypted, type: String",
    "line": 10,
    "resource": "392dfdc652cd2763a9b8576b51f4e184aebbb11c",
    "environment": "production",
    "certname": "pe-201901-master.puppetdebug.vlan",
    "parameters": {
      "message": "VGhpcyBpcyBlbmNyeXB0ZWQ="
    },
    "exported": true
  },
  {
    "tags": [
      "class",
      "notify",
      "encrypted_export",
      "default",
      "node"
    ],
    "file": "/etc/puppetlabs/code/environments/production/modules/encrypted_export/manifests/init.pp",
    "type": "Notify",
    "title": "pe-201901-master.puppetdebug.vlan This is the nonencrypted key: not encrypted",
    "line": 15,
    "resource": "eb6f9775670013c45f3258a2dfd7dfe07cecb9e3",
    "environment": "production",
    "certname": "pe-201901-master.puppetdebug.vlan",
    "parameters": {
      "message": "not encrypted"
    },
    "exported": true
  }
]
Issue Links
- relates to PA-2413 Upgrade vendored hiera-eyaml to version 3.0.0 (Resolved)
- relates to SERVER-2433 Upgrade vendored hiera-eyaml to version 3.0.0 (Closed)