Allow loading vault address from ENV VAULT_ADDR #89

12 changes: 12 additions & 0 deletions README.md
@@ -136,6 +136,18 @@ The following are optional configuration parameters supported in the `options` h

`token`: The token to authenticate with Vault, also read as `ENV["VAULT_TOKEN"]` or a full path to the file with the token (eg. `/etc/vault_token.txt`). When bootstrapping, you can set this token as `IGNORE-VAULT` and the backend will be stubbed, which can be useful when bootstrapping.

Note that to pass ENV variables from shell to puppetserver you have to list them in `/etc/puppetlabs/puppetserver/conf.d/puppetserver.conf` JRuby settings https://puppet.com/docs/puppet/6/server/config_file_puppetserver.html#settings .
```conf
jruby-puppet: {

environment-vars: {
VAULT_ADDR: ${VAULT_ADDR}
VAULT_TOKEN: ${VAULT_TOKEN}
}

...
```

`cache_for`: How long to cache a given key in seconds. If not present the response will never be cached.

`confine_to_keys:`: Only use this backend if the key matches one of the regexes in the array, to avoid constantly reaching out to Vault for every parameter lookup
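Review bot: the `${VAULT_ADDR}` and `${VAULT_TOKEN}` references in the `environment-vars` snippet are mandatory HOCON substitutions, so puppetserver will refuse to parse its config when either variable is absent from the service's environment (for example on a node that only uses the `token` file path). Use the optional form, `VAULT_ADDR: ${?VAULT_ADDR}` and `VAULT_TOKEN: ${?VAULT_TOKEN}`, so an unset variable simply omits the key. The new note should also state the precedence the code implements (an exported VAULT_ADDR wins over the `address` option), and the `address` option's own description, which this hunk does not touch, should get the same "also read as `ENV["VAULT_ADDR"]`" wording the `token` entry already has. Minor: the `token` sentence in context says "when bootstrapping" twice.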
13 changes: 12 additions & 1 deletion lib/puppet/functions/hiera_vault.rb
@@ -116,6 +116,15 @@ def prune
end
}

def vault_addr(options)
addr = nil

addr = ENV['VAULT_ADDR'] unless ENV['VAULT_ADDR'].nil?
addr ||= options['address'] unless options['address'].nil?

addr
end

def vault_token(options)
token = nil

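Review bot: `vault_addr` gives the exported VAULT_ADDR precedence over an explicit `address` in the hiera options, which reverses the usual rule that explicit configuration beats ambient environment and means a stray variable in puppetserver's environment silently redirects every lookup to a different Vault; unless that is intended, try `options['address']` first and fall back to ENV, and document whichever order is chosen. The nil guards are also redundant: `addr = nil`, `addr = ENV['VAULT_ADDR'] unless ENV['VAULT_ADDR'].nil?` and `addr ||= options['address'] unless options['address'].nil?` collapse to `ENV['VAULT_ADDR'] || options['address']`. Consider treating an empty string like unset as well, since `VAULT_ADDR=""` is not nil and would be passed through as the address.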
@@ -203,8 +212,10 @@ def vault_get(key, options, context)


begin
context.explain { "[hiera-vault] Vault address configured to #{vault_addr(options)}" }

$hiera_vault_client.configure do |config|
config.address = options['address'] unless options['address'].nil?
config.address = vault_addr(options)
config.token = vault_token(options)
config.ssl_pem_file = options['ssl_pem_file'] unless options['ssl_pem_file'].nil?
config.ssl_verify = options['ssl_verify'] unless options['ssl_verify'].nil?
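Review bot: `config.address = vault_addr(options)` is now unconditional, so when neither VAULT_ADDR nor `address` is set it assigns nil, whereas the replaced line left the client's existing address untouched; keep the guard (`config.address = vault_addr(options) unless vault_addr(options).nil?`) or, better, compute the address once into a local before the `begin` block and reuse it for both the `context.explain` call and the assignment, so it is not evaluated twice.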
6 changes: 6 additions & 0 deletions spec/functions/hiera_vault_happy_path_v2_spec.rb
@@ -76,6 +76,12 @@ def vault_test_client
ctx
end

it 'should allow configuring vault address from ENV VAULT_ADDR' do
ENV['VAULT_ADDR'] = RSpec::VaultServer.address
expect { function.lookup_key('test_key', vault_options.merge({'address' => nil}), context) }.
to output(/Read secret: test_key/).to_stdout
end

it 'should exit early if ENV VAULT_TOKEN is set to IGNORE-VAULT' do
ENV['VAULT_TOKEN'] = 'IGNORE-VAULT'
expect(context).to receive(:not_found)
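Review bot: the new example sets `ENV['VAULT_ADDR']` and never removes it, so the value leaks into every example that runs after it (the existing `IGNORE-VAULT` example below follows the same pattern, so if an `after` hook already clears VAULT_TOKEN it should clear VAULT_ADDR too; otherwise wrap the call in `begin ... ensure ENV.delete('VAULT_ADDR') end`). The assertion also does not exercise the new precedence: with `'address' => nil` it would pass just as well if the Vault client fell back to VAULT_ADDR on its own. A stronger test sets `'address'` to an unreachable value (for example `'http://127.0.0.1:1'`) while VAULT_ADDR points at `RSpec::VaultServer.address` and still expects `/Read secret: test_key/`.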