Jira (PUP-9436) Exported resources in Puppet 6.x are realized withBinary values from Eyaml

[Henrik Lindberg (JIRA)]

Henrik Lindberg updated an issue

Puppet / PUP-9436 Exported resources in Puppet 6.x are realized with Binary values from Eyaml Change By: Henrik Lindberg Summary: Exported resources in Puppet 6.x are realized with incorrect Binary values from Eyaml Add Comment

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

[Henrik Lindberg (JIRA)]

Henrik Lindberg commented on PUP-9436

Re: Exported resources in Puppet 6.x are realized with Binary values from Eyaml This is already reported as an issue for the eyaml module: https://github.com/voxpupuli/hiera-eyaml/issues/273 - I made a link there back to this issue.

Add Comment

[Henrik Lindberg (JIRA)]

Henrik Lindberg commented on PUP-9436

Re: Exported resources in Puppet 6.x are realized with Binary values from Eyaml

I think this is where the fix needs to go: https://github.com/voxpupuli/hiera-eyaml/blob/bdc4b0291bb38a55bdc0e9965906432172bf8775/lib/hiera/backend/eyaml/encryptor.rb#L28-L30

Add Comment

[Jarret Lavallee (JIRA)]

Jarret Lavallee commented on PUP-9436

Re: Exported resources in Puppet 6.x are realized with Binary values from Eyaml

I opened https://github.com/voxpupuli/hiera-eyaml/pull/274 for this. In doing some testing, the method call at <https://github.com/voxpupuli/hiera-eyaml/blob/master/lib/hiera/backend/eyaml/encryptors/pkcs7.rb#L64> also returned ASCII-8BIT data. I ended up just doing a conversion in the initialization of the class. I guess my concern is with this ticket is that other custom backends may encounter the same behavior depending on the implementation. As the encoded values can cause changes on agents when they are upgraded to 6.x, should we call this out in the known issues or release notes?

Add Comment

[Henrik Lindberg (JIRA)]

Henrik Lindberg commented on PUP-9436

Re: Exported resources in Puppet 6.x are realized with Binary values from Eyaml

Thank Jarret Lavallee - you beat me to it I added some comments to your PR. Hit me up on slack "helindbe" if you want to chat.

Add Comment

[Henrik Lindberg (JIRA)]

Henrik Lindberg assigned an issue to Unassigned

Puppet / PUP-9436

Exported resources in Puppet 6.x are realized with Binary values from Eyaml

Change By: Henrik Lindberg Assignee: Thomas Hallgren

Add Comment

[Henrik Lindberg (JIRA)]

Henrik Lindberg commented on PUP-9436

Re: Exported resources in Puppet 6.x are realized with Binary values from Eyaml The PR to hiera-eyaml has now been merged (https://github.com/voxpupuli/hiera-eyaml/pull/274). Waiting for a release.

Add Comment

[Erik Hansen (JIRA)]

Erik Hansen commented on PUP-9436

Re: Exported resources in Puppet 6.x are realized with Binary values from Eyaml

I've reproduced this now.  The user resource in the cached 6.0.4 catalog looks like this: "parameters": { "ensure": "present", "password": { "__ptype": "Binary", "__pvalue": "c2VjcmV0X3Bhc3MxMjM=" } }, Whereas the 5.5.4 catalog has: "parameters": { "ensure": "present", "password": "secret_pass123" }, Additional details: When the 5.5.4 applies the 6.0.4 cached catalog there is an error: Error: Could not send report: Error 400 on SERVER: Bad Request: The request body is invalid: Could not intern from json: Internal Error: Puppet Context ':loaders' missing The catalog applies any changes, but the report isn't sent There's a similar error if the 6.0.4 agent tries to apply the 6.0.4 cached catalog: Error: Cached catalog for hmlilodi28f6x5y.delivery.puppetlabs.net failed: Could not parse JSON data for catalog hmlilodi28f6x5y.delivery.puppetlabs.net: Could not intern from rich_data_json: Internal Error: Puppet Context ':loaders' missing In this case the cached catalog cannot be applied and the agent requests a new one.

Add Comment

[Erik Hansen (JIRA)]

Erik Hansen updated an issue

Puppet / PUP-9436

Exported resources in Puppet 6.x are realized with Binary values from Eyaml

Change By: Erik Hansen Attachment: 5_catalog.json

Add Comment

[Erik Hansen (JIRA)]

Erik Hansen updated an issue

Puppet / PUP-9436 Exported resources in Puppet 6.x are realized with Binary values from Eyaml

Change By: Erik Hansen Attachment: 6_catalog.json

Add Comment

[Erik Hansen (JIRA)]

Erik Hansen updated an issue

Puppet / PUP-9436 Exported resources in Puppet 6.x are realized with Binary values from Eyaml

Change By: Erik Hansen Comment:

I've reproduced this now.  The user resource in the cached 6.0.4 catalog looks like this:

{code:json}"parameters": {

"ensure": "present",    "password": {      "__ptype": "Binary",      "__pvalue": "c2VjcmV0X3Bhc3MxMjM="    }

},{code}

Whereas the 5.5.4 catalog has:

{code:json}"parameters": {

"ensure": "present",    "password": "secret_pass123"

},{code}

Additional details: When the 5.5.4 applies the 6.0.4 cached catalog there is an error:

{noformat}Error: Could not send report: Error 400 on SERVER: Bad Request: The request body is invalid: Could not intern from json: Internal Error: Puppet Context ':loaders' missing {noformat}

The catalog applies any changes, but the report isn't sent There's a similar error if the 6.0.4 agent tries to apply the 6.0.4 cached catalog:

{noformat}Error: Cached catalog for hmlilodi28f6x5y.delivery.puppetlabs.net failed: Could not parse JSON data for catalog hmlilodi28f6x5y.delivery.puppetlabs.net: Could not intern from rich_data_json: Internal Error: Puppet Context ':loaders' missing {noformat}

In this case the cached catalog cannot be applied and the agent requests a new one.

Add Comment

[Erik Hansen (JIRA)]

Erik Hansen updated an issue

Puppet / PUP-9436 Exported resources in Puppet 6.x are realized with Binary values from Eyaml

Change By: Erik Hansen Attachment: 5_catalog.json

Add Comment

[Erik Hansen (JIRA)]

Erik Hansen updated an issue

Puppet / PUP-9436 Exported resources in Puppet 6.x are realized with Binary values from Eyaml

Change By: Erik Hansen Attachment: 6_catalog.json

Add Comment

[Jarret Lavallee (JIRA)]

Jarret Lavallee commented on PUP-9436

Re: Exported resources in Puppet 6.x are realized with Binary values from Eyaml hiera-eyaml 3.0.0 was released yesterday with a number of changes including the fix for this issue. https://github.com/voxpupuli/hiera-eyaml/blob/master/CHANGELOG.md#v300-2019-01-17. I did some basic testing and was unable to reproduce the issue after upgrading to hiera-eyaml 3.0.0 using the process below. puppetserver gem install hiera-eyaml -v 3.0.0 /opt/puppetlabs/puppet/bin/gem install hiera-eyaml 3.0.0 puppet resource service pe-puppetserver ensure=stopped puppet resource service pe-puppetserver ensure=running The resulting resource values in PuppetDB are now as expected. {preformatted} "parameters": { "message": "This is encrypted" }, "exported": true{preformatted}   https://tickets.puppetlabs.com/browse/SERVER-2433 and https://tickets.puppetlabs.com/browse/PA-2413 have been opened to upgrade the vendored gem in Puppet server and Puppet agent.

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper commented on PUP-9436

Re: Exported resources in Puppet 6.x are realized with Binary values from Eyaml

hiera-eyaml fix was released and puppet-agent was updated. The server ticket is still open, but there's no need to keep this ticket open. Closing.

Add Comment

[Austin Boyd (JIRA)]

Austin Boyd updated an issue

Puppet / PUP-9436

Exported resources in Puppet 6.x are realized with Binary values from Eyaml

Change By: Austin Boyd Zendesk Ticket IDs: 33029 Zendesk Ticket Count: 1

Add Comment