Path to pkcs7-keys using Bolt, eyaml, hiera.yaml


Andreas Torbiörnsson

Dec 10, 2019, 11:57:27 AM
to Puppet Users
Hi group!

Does anyone know if it is possible to use relative paths for the encryption keys when using hiera/eyaml with Bolt? I can't find any info about how Bolt/hiera treats relative paths when it comes to keys. Intuitively, I would have thought it would be relative to the Boltdir, or perhaps the hiera datadir, but those two options do not seem to work.
What does Bolt use as its working directory when trying to get the key files? It's working fine with absolute paths.

Below is an example, keys are located under Boltdir/keys/.

From Boltdir/hiera.yaml:
hierarchy:
  - name: "Secret data"
    path: "common.eyaml"
    lookup_key: eyaml_lookup_key
    options:
      pkcs7_private_key: 'keys\private_key.pkcs7.pem'
      pkcs7_public_key: 'keys\public_key.pkcs7.pem'

Excerpt from output:
localhost: Evaluation Error: Error while evaluating a Function Call, No such file or directory @ rb_sysopen - keys\private_key.pkcs7.pem (file: C:/Users/toband/source/repos/Bolt RTjP/Boltdir/site-modules/rd_chocolatey/manifests/init.pp, line: 35, column: 51) on node localhost
C:/Users/toband/.gem/ruby/2.5.0/gems/hiera-eyaml-3.1.1/lib/hiera/backend/eyaml/encryptors/pkcs7.rb:57:in `read': Evaluation Error: Error while evaluating a Function Call, No such file or directory @ rb_sysopen - keys\private_key.pkcs7.pem (file: C:/Users/toband/source/repos/Bolt RTjP/Boltdir/site-modules/rd_chocolatey/manifests/init.pp, line: 35, column: 51) on node localhost (Puppet::PreformattedError)


Alex Dreyer

Dec 10, 2019, 6:17:12 PM
to puppet...@googlegroups.com
On Tue, Dec 10, 2019 at 3:57 AM Andreas Torbiörnsson <andreas.to...@gmail.com> wrote:
> Hi group!
>
> Does anyone know if it is possible to use relative paths for the encryption keys when using hiera/eyaml with Bolt? I can't find any info about how Bolt/hiera treats relative paths when it comes to keys. Intuitively, I would have thought it would be relative to the Boltdir, or perhaps the hiera datadir, but those two options do not seem to work.
> What does Bolt use as its working directory when trying to get the key files? It's working fine with absolute paths.

Bolt attempts to evaluate paths like this relative to the Boltdir. Plugins have access to the boltdir path to aid this. The Bolt pkcs7 plugin will evaluate key paths relative to the boltdir. The issue here is loading in the pkcs7 encryptor for hiera eyaml. I'm not sure how bolt could initialize hiera to support this for relative paths in hiera.yaml.

The default is `./keys/public_key.pkcs7.pem`, which is passed directly to File.read. Have you tried using `./` or executing bolt from the top level of the Boltdir as a workaround?

> Below is an example, keys are located under Boltdir/keys/.
>
> From Boltdir/hiera.yaml:
> hierarchy:
>   - name: "Secret data"
>     path: "common.eyaml"
>     lookup_key: eyaml_lookup_key
>     options:
>       pkcs7_private_key: 'keys\private_key.pkcs7.pem'
>       pkcs7_public_key: 'keys\public_key.pkcs7.pem'
>
> Excerpt from output:
> localhost: Evaluation Error: Error while evaluating a Function Call, No such file or directory @ rb_sysopen - keys\private_key.pkcs7.pem (file: C:/Users/toband/source/repos/Bolt RTjP/Boltdir/site-modules/rd_chocolatey/manifests/init.pp, line: 35, column: 51) on node localhost
> C:/Users/toband/.gem/ruby/2.5.0/gems/hiera-eyaml-3.1.1/lib/hiera/backend/eyaml/encryptors/pkcs7.rb:57:in `read': Evaluation Error: Error while evaluating a Function Call, No such file or directory @ rb_sysopen - keys\private_key.pkcs7.pem (file: C:/Users/toband/source/repos/Bolt RTjP/Boltdir/site-modules/rd_chocolatey/manifests/init.pp, line: 35, column: 51) on node localhost (Puppet::PreformattedError)
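The distinction in the reply above (Bolt's own pkcs7 plugin resolves key paths against the Boltdir, while hiera-eyaml hands the option string straight to File.read, which resolves it against the process working directory) is easy to check before Puppet evaluation ever reaches the encryptor. The following Ruby script is an added example and not code from Bolt or hiera-eyaml: it resolves the `pkcs7_private_key` / `pkcs7_public_key` options from an `eyaml_lookup_key` entry relative to a given Boltdir, normalises the Windows-style backslash the original hiera.yaml uses so the same file works on POSIX, and reports which key files are missing. The helper names, the temporary Boltdir layout and the placeholder key contents are all constructed for the demonstration.

```ruby
require 'pathname'
require 'tmpdir'
require 'fileutils'

# Option names used by hiera-eyaml's pkcs7 encryptor for the two key files.
KEY_OPTIONS = %w[pkcs7_private_key pkcs7_public_key].freeze

# Resolve one key path the way Bolt's pkcs7 plugin does for its own options:
# absolute paths are kept, relative paths are anchored at the Boltdir rather
# than at the process working directory (which is what a bare File.read uses).
def resolve_key_path(boltdir, key_path)
  # Single-quoted YAML keeps the backslash literal, so 'keys\private_key.pkcs7.pem'
  # arrives with a real backslash; normalise it to '/' for portability.
  path = Pathname.new(key_path.tr('\\', '/'))
  return path.cleanpath.to_s if path.absolute?
  (Pathname.new(boltdir) + path).cleanpath.to_s
end

# Resolve every key option present and list the ones that do not exist on disk,
# so a misconfigured relative path is reported with its resolved location
# instead of surfacing later as "No such file or directory @ rb_sysopen".
def check_eyaml_keys(boltdir, options)
  resolved = {}
  missing = []
  KEY_OPTIONS.each do |name|
    next unless options.key?(name)
    abs = resolve_key_path(boltdir, options[name])
    resolved[name] = abs
    missing << name unless File.file?(abs)
  end
  [resolved, missing]
end

# Demonstration on a constructed Boltdir: only the private key file exists,
# and the check is run from a different working directory on purpose.
def demo
  Dir.mktmpdir('boltdir') do |boltdir|
    FileUtils.mkdir_p(File.join(boltdir, 'keys'))
    File.write(File.join(boltdir, 'keys', 'private_key.pkcs7.pem'),
               "constructed placeholder, not a real key\n")
    # The options block exactly as it appears in the thread's hiera.yaml.
    options = {
      'pkcs7_private_key' => 'keys\private_key.pkcs7.pem',
      'pkcs7_public_key'  => 'keys\public_key.pkcs7.pem'
    }
    Dir.chdir('/') do # simulate invoking bolt from outside the Boltdir
      resolved, missing = check_eyaml_keys(boltdir, options)
      resolved.each { |name, abs| puts "#{name}: #{abs}" }
      puts "missing: #{missing.inspect}"
    end
  end
end

demo if $PROGRAM_NAME == __FILE__
```

Running the script prints both resolved absolute paths under the temporary Boltdir and `missing: ["pkcs7_public_key"]`, because only the private key file was created. The same check could be wired into a Bolt plan or a pre-run task so a bad key path fails fast with the resolved location, rather than part-way through catalog evaluation.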

