I'm able to get Hiera + GPG working fine, but am running into an issue when I want to use GPG as the primary backend. We want to do this to make sure any secrets are realized first. However, it seems when a value in GPG backend also exists in a YAML backend, hiera dies with a message:
Debug: Automatically imported puppet::client from puppet/client into DEVENV_20131205_2000
Debug: hiera(): [gpg_backend]: Loaded gpg_backend
Debug: hiera(): [gpg_backend]: Lookup called, key puppet::client::runinterval resolution type is
Debug: hiera(): [gpg_backend]: GNUPGHOME is /etc/puppet/gpgkeys
Debug: hiera(): [gpg_backend]: loaded cipher: /etc/puppet/hiera/DEVENV_20131205_2000/adhoc.gpg
Debug: hiera(): [gpg_backend]: result is a String ctx #<GPGME::Ctx:0x2b191de61458> txt ---
encryption_key: 'HIERA + GPG ROCKS!'
integrity_key: 'HIERA + GPG ROCKS!'
<SNIP>
Debug: hiera(): Looking for data source env/ec2-labs/lab3
Error: undefined method `read_file' for #<Hiera::Filecache:0x2b191dd93760 @cache={}> at /etc/puppet/modules/DEVENV_20131205_2000/base_server/manifests/init.pp:12 on node <node>
Wrapped exception:
undefined method `read_file' for #<Hiera::Filecache:0x2b191dd93760 @cache={}>
Error: undefined method `read_file' for #<Hiera::Filecache:0x2b191dd93760 @cache={}> at /etc/puppet/modules/DEVENV_20131205_2000/base_server/manifests/init.pp:12 on node <node>
Error: undefined method `read_file' for #<Hiera::Filecache:0x2b191dd93760 @cache={}> at /etc/puppet/modules/DEVENV_20131205_2000/base_server/manifests/init.pp:12 on node <node>
adhoc.gpg is higher in the hierarchy, env/ec2-labs/lab3 is lower, but holds values for the node the catalog is being built for. In this particular case, the "encryption_key" and "integrity_key" values have been commented out of lab3.yaml.
If I switch to have YAML as the primary provider, everything works, but I get the YAML value as opposed to the GPG value (if both are defined).
If the value doesn't exist in the YAML, everything works perfectly if GPG is the secondary backend; however, since our repository is shared between teams, we want to make GPG the primary value.
Is there some sort of cache collision if GPG values are created for a node's variables in the catalog first?
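To illustrate why backend order, rather than hierarchy position, decides which value wins in the YAML-first case described above, here is a small Ruby model of Hiera 1.x priority resolution. This is an added example, not code from hiera or hiera-gpg; it assumes the behaviour that each backend walks the whole hierarchy before the next backend is consulted, and it uses constructed sample data (a hypothetical "adhoc" level holding a GPG-encrypted key and a "env/ec2-labs/lab3" level holding plaintext). It does not model the Filecache error itself, only the ordering that explains "I get the YAML value as opposed to the GPG value".

```ruby
# Added example: a simplified model of Hiera 1.x :priority lookups across
# several backends. Not hiera's or hiera-gpg's own code.
#
# Assumption being modelled: backends are consulted in the order given in
# hiera.yaml (:backends), and each backend walks the ENTIRE hierarchy before
# the next backend is asked. Backend order therefore outranks hierarchy order.

# Constructed hierarchy, highest priority first (names are illustrative).
HIERARCHY = ["adhoc", "env/ec2-labs/lab3"].freeze

# Constructed sample data per backend: hierarchy level => { key => value }.
GPG_DATA = {
  "adhoc" => { "encryption_key" => "secret-from-gpg" },
}.freeze

YAML_DATA = {
  "env/ec2-labs/lab3" => {
    "encryption_key" => "plaintext-from-yaml",   # the duplicate a team left in
    "runinterval"    => "30m",                    # a harmless, non-secret key
  },
}.freeze

class FakeBackend
  attr_reader :name

  def initialize(name, data)
    @name = name
    @data = data
  end

  # Mirrors a single backend's lookup: walk the hierarchy top to bottom and
  # return the first level that defines the key; nil if no level has it.
  def lookup(key)
    HIERARCHY.each do |level|
      level_data = @data[level]
      next unless level_data
      return level_data[key] if level_data.key?(key)
    end
    nil
  end
end

BACKENDS = {
  "gpg"  => FakeBackend.new("gpg", GPG_DATA),
  "yaml" => FakeBackend.new("yaml", YAML_DATA),
}.freeze

# Priority resolution: ask backends in the configured order; the first
# backend returning a non-nil answer wins and later backends are never asked.
# Returns [value, backend_name], or [nil, nil] when nothing matched.
def priority_lookup(key, backend_order)
  backend_order.each do |name|
    answer = BACKENDS.fetch(name).lookup(key)
    return [answer, name] unless answer.nil?
  end
  [nil, nil]
end

# Audit helper: list keys that exist in both backends, i.e. secrets that a
# plaintext copy would shadow if the YAML backend were listed first.
def shadowed_keys
  gpg_keys  = GPG_DATA.values.flat_map(&:keys)
  yaml_keys = YAML_DATA.values.flat_map(&:keys)
  (gpg_keys & yaml_keys).sort
end

if __FILE__ == $0
  [["gpg", "yaml"], ["yaml", "gpg"]].each do |order|
    value, from = priority_lookup("encryption_key", order)
    puts "backends #{order.inspect}: encryption_key=#{value.inspect} (from #{from})"
  end
  puts "keys defined in both backends: #{shadowed_keys.inspect}"
end
```

Running it shows that with `["gpg", "yaml"]` the encrypted value wins even though it sits in a higher level of the hierarchy, while with `["yaml", "gpg"]` the plaintext copy from the lower level wins, because the YAML backend finishes its whole hierarchy walk first. The `shadowed_keys` helper is the check a maintainer of a shared repository would run before a change of backend order: any key it reports is a secret that a plaintext duplicate can override.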