This PR adds support to query just a single element of a secret, and return it as a Sensitive string. This makes it easier to pass a specific secret to another resource, as you don't have to deal with a hash of elements.
The primary goal is to check CI status…
If a lookup function raises an exception, the whole catalog compilation will fail. This PR adds the ability to configure the lookup to not raise and instead simply log and return nil if it encounters an error, so that the users can structure their manifests to only conditionally depend on the result of the lookup.
We're not sure if this is useful or not, and are looking for use cases and feedback on the approach.
Fixes #13
Adds path information for data lookup errors when needed
As of now, when Puppet fails to apply the catalog, vault_lookup returns a message with no clue where the error happens:

```text
Error: Failed to apply catalog: Received 403 response code from vault at vault.local for secret lookup (api errors: ["1 error occurred:\n\t* permission denied\n\n"])
```

With the proposed change you can see which lookup is actually related to the problem:

```text
Error: Failed to apply catalog: Received 403 response code from vault at vault.local for secret/data/puppet/service/graylog/s1/config lookup (api errors: ["1 error occurred:\n\t* permission denied\n\n"])
```
This PR adds support for Vault's AppRole auth method.
It also adds support for configuring the vault_lookup function using a configuration file, as in https://github.com/voxpupuli/puppet-prometheus_reporter/blob/master/lib/puppet/reports/prometheus.rb#L12
Fixes #7
The current implementation raises an exception if the lookup fails to resolve a result. This just doesn't make sense for a data lookup; it's more than conceivable that most of the time we will look up a value that might not exist. Raising an exception here means there is no way to handle this within Puppet and limits the usability of this function.
Instead of raising an exception, this PR changes the behaviour so that unresolved lookups return nil (Undef) and can therefore be handled within Puppet code:
```puppet
# Look up a path that may not exist; with this change a miss yields undef
# instead of failing the whole catalog compile.
$secret = vault_lookup('secret/data/no_exist')
if $secret {
  # Only unwrap the Sensitive value when the lookup actually returned one.
  $plaintext = $secret.unwrap
}
```
Without this patch I fail to see how you can ever look up a value that doesn't exist: since it raises an exception and fails the Puppet run, it becomes un-handlable.
This adds support for two new authentication methods when doing the Vault lookup:

- agent: add description...
- agent_sink: add description...
Fixes #7
Fixes #24
agent_sink
modevault::vault_lookup()
-> vault_lookup::lookup()
This caches the result of a Vault lookup and uses that cached value for all subsequent lookups of the same path.
The caching implementation uses the cache_param feature of the 4.x Function API added here: https://tickets.puppetlabs.com/browse/PUP-8676
An example of why this cache is needed can be seen with this bit of Puppet code:
```puppet
$data = Deferred('vault_lookup::lookup', ['foo', 'https://vault.corp.net:8200'])
notify { 'message1':
message => $data,
}
notify { 'message2':
message => $data,
}
```
Before this change, the lookup for foo would be done twice per catalog application due to the two notify resources evaluating the Deferred type. After this change, the lookup is done only once per catalog application.
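The behaviour discussed across these PRs (a missing path returning nil instead of failing the compile, the path being named in the error message, optionally logging instead of raising, and one backend call per path thanks to caching) can be modelled in plain Ruby. The following is an added example, not the module's own function: the real implementation is a Puppet 4.x API function that uses cache_param, whereas here a Hash keyed by server and path plays the cache, and FAKE_VAULT is a constructed stand-in for the Vault HTTP client. The class name VaultLookup, the raise_on_error option and the VaultLookupError class are assumptions for illustration.

```ruby
require 'logger'

# Constructed stand-in for a Vault HTTP client: maps a secret path to the
# status code and JSON body the real KV v2 API would return for it.
FAKE_VAULT = {
  'secret/data/app/db'    => [200, { 'data' => { 'data' => { 'password' => 'hunter2' } } }],
  'secret/data/no_exist'  => [404, { 'errors' => [] }],
  'secret/data/forbidden' => [403, { 'errors' => ["1 error occurred:\n\t* permission denied\n\n"] }],
}.freeze

# Hypothetical error class for this example.
class VaultLookupError < StandardError; end

class VaultLookup
  # Number of times the backend was actually queried (exposed for the cache check).
  attr_reader :backend_calls

  def initialize(server, client: FAKE_VAULT, logger: Logger.new($stderr), raise_on_error: true)
    @server = server
    @client = client
    @logger = logger
    @raise_on_error = raise_on_error
    @cache = {}          # stands in for the Function API's cache_param
    @backend_calls = 0
  end

  # Returns the secret's data Hash, nil when the path does not exist, and
  # for any other error either raises (default) or logs and returns nil.
  # Results, including nil, are cached per (server, path) so evaluating the
  # same Deferred lookup twice in one catalog only hits Vault once.
  def lookup(path)
    key = [@server, path]
    return @cache[key] if @cache.key?(key)

    @cache[key] = fetch(path)
  end

  private

  def fetch(path)
    @backend_calls += 1
    status, body = @client.fetch(path) { [404, { 'errors' => [] }] }
    case status
    when 200
      body['data']['data']
    when 404
      nil # a miss is data, not a failure: let the manifest decide
    else
      # Always name the path so a failed compile points at the right lookup.
      message = "Received #{status} response code from vault at #{@server} " \
                "for #{path} lookup (api errors: #{body['errors'].inspect})"
      raise VaultLookupError, message if @raise_on_error

      @logger.warn(message)
      nil
    end
  end
end
```

Note that caching nil for a 403 in lenient mode means the warning is logged once per catalog application rather than once per resource that uses the value, which matches the intent of the caching PR.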
This PR adds a new optional parameter `gen_secret_len`.
If set, it will create a new random secret of the supplied length for the specified Vault key.
Fixes #9