hiera-eyaml not decrypting?


dkoleary

Jul 8, 2016, 1:09:02 PM
to Puppet Users
Hi;

I have hiera.eyaml installed and functional from the CLI; however, when I attempt to use it in a module, the encrypted string is being used rather than the decrypted value.

I have to be missing something mind numbingly simple; but, I've been through the doc at https://github.com/TomPoulton/hiera-eyaml so many times it's starting to blur.  Can someone tell me what I messed up?

From the CLI:

-bash-4.1$ cat nap1d030.yaml
---
# mpintp::source: 'ntp.conf.dmz'
# mpisyslog::el6::source: 'mpi-custom.conf'
mpisshd::enabled: false
mpiroot::pwd: >
    ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw
    DQYJKoZIhvcNAQEBBQAEggEAANy7eyKzeNLVeNqF3h4qM5pEw38G8yWJOezA
    SQ72MugY8FgwIWNsE2TmS3W2jBe1/zTAggd5p79RBubIdfL5DDPjjNTimzgV
    k0qppx3EefolMSzphfvVv5JOz8ue13OvpzFV/MM5qZLhOeUFAIUY3NM9RqHN
    PVM/woxhpnjMStlKXGakJYxLrf8ucMLh5WrW7JpN0jvjjVlVJjGsLaqygUsC
    alJ3zQkgxtaR0SCCgvvsJ2wYCs82fVnuFf6d0g4cPPCGnT3CtNFFffQMlwTt
    uEErGyKswxMPnKWybFNLYj+cVOhbLf946CMzCUcpWUIdHBnT3BcAi4qiryJF
    6O91WzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBA5QFyFpSmqqxUlAByZ
    qFWsgBDY6tjQ9Pbb4nRHCvkI29ve]


-bash-4.1$ eyaml decrypt -f ./nap1d030.yaml
[hiera-eyaml-core] Loaded config from /opt/puppetlabs/server/data/puppetserver/.eyaml/config.yaml
---
# mpintp::source: 'ntp.conf.dmz'
# mpisyslog::el6::source: 'mpi-custom.conf'
mpisshd::enabled: false
mpiroot::pwd: snipped

The test module just does a notify:

class mpiroot (
  $pwd,
) {
  notify { "Password: ${pwd}": }
}


And the run shows the encrypted string:

$ sudo puppet agent -t
Notice: Local environment: 'production' doesn't match server specified node environment 'dkoleary', switching agent to 'dkoleary'.
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for nap1d030.multiplan.com
Info: Applying configuration version '1467996521'
Notice: Password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw DQYJKoZIhvcNAQEBBQAEggEAANy7eyKzeNLVeNqF3h4qM5pEw38G8yWJOezA SQ72MugY8FgwIWNsE2TmS3W2jBe1/zTAggd5p79RBubIdfL5DDPjjNTimzgV k0qppx3EefolMSzphfvVv5JOz8ue13OvpzFV/MM5qZLhOeUFAIUY3NM9RqHN PVM/woxhpnjMStlKXGakJYxLrf8ucMLh5WrW7JpN0jvjjVlVJjGsLaqygUsC alJ3zQkgxtaR0SCCgvvsJ2wYCs82fVnuFf6d0g4cPPCGnT3CtNFFffQMlwTt uEErGyKswxMPnKWybFNLYj+cVOhbLf946CMzCUcpWUIdHBnT3BcAi4qiryJF 6O91WzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBA5QFyFpSmqqxUlAByZ qFWsgBDY6tjQ9Pbb4nRHCvkI29ve]
[[snip]]


The hiera.yaml file and keys:

---
:backends:
  - yaml
  - eyaml
:hierarchy:
  - "hosts/%{facts.hostname}"
  - "environments/%{facts.environment}"
  - "host_env/%{facts.env}"
  - "dc/%{facts.dc}"
  - "os/%{facts.operatingsystemmajrelease}"
  - common
:yaml:
  :datadir: /etc/puppetlabs/code/hieradata
:eyaml:
  :extension: 'yaml'
  :datadir: /etc/puppetlabs/code/hieradata
  :pkcs7_private_key: /etc/puppetlabs/secure/keys/private_key.pkcs7.pem
  :pkcs7_public_key: /etc/puppetlabs/secure/keys/public_key.pkcs7.pem


-bash-4.1$ ls -ld /etc/puppetlabs/secure/keys/{public,private}_key*.pem
-r--------. 1 puppet puppet 1675 Jul  8 11:28 /etc/puppetlabs/secure/keys/private_key.pkcs7.pem
-r--------. 1 puppet puppet 1050 Jul  8 11:28 /etc/puppetlabs/secure/keys/public_key.pkcs7.pem

Any hints/tips, etc gratefully accepted.

Thanks

Doug


Michael Watters

Jul 8, 2016, 1:33:02 PM
to Puppet Users
I think I ran into a similar issue before.  Try putting "eyaml" as the first backend to see if that helps.

Here's a copy of our hiera.yaml file which works.

---
:backends:
  - eyaml
  - yaml

:hierarchy:
  - "nodes/%{::trusted.certname}"
  - common

:yaml:
# datadir is empty here, so hiera uses its defaults:
# # - /etc/puppetlabs/code/environments/%{environment}/hieradata on *nix
# # - %CommonAppData%\PuppetLabs\code\environments\%{environment}\hieradata on Windows
# # When specifying a datadir, make sure the directory exists.
#   :datadir:

:eyaml:
  :extension: 'yaml'
  :pkcs7_private_key: '/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem'
  :pkcs7_public_key:  '/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem'
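As an added example (not code from the thread or from hiera-eyaml itself), the following Ruby models why the reordering above works: it parses a constructed hiera.yaml, flags yaml listed before eyaml when eyaml's :extension is 'yaml', simulates Hiera 3's first-backend-wins lookup with a stand-in decrypt lambda, and offers a check for values that reach the catalog still wrapped in ENC[...]. The sample config, the data hash and the decrypt lambda are constructed assumptions.

```ruby
require 'yaml'

# Constructed hiera.yaml samples (assumed input, not the poster's files). BROKEN lists
# yaml before eyaml while eyaml reads the same *.yaml files; FIXED swaps the order.
BROKEN_HIERA_YAML = <<~'YAML'
  ---
  :backends:
    - yaml
    - eyaml
  :yaml:
    :datadir: /etc/puppetlabs/code/hieradata
  :eyaml:
    :extension: 'yaml'
    :datadir: /etc/puppetlabs/code/hieradata
YAML
FIXED_HIERA_YAML = BROKEN_HIERA_YAML.sub("- yaml\n  - eyaml", "- eyaml\n  - yaml")

# Shape of an undecrypted hiera-eyaml value (folded scalars may contain whitespace).
ENC_RE = /\AENC\[PKCS7,[A-Za-z0-9+\/=\s]+\]\z/

# Hiera 3 config keys are Ruby symbols (":backends"), so Symbol must be permitted.
def load_hiera_config(text)
  YAML.safe_load(text, permitted_classes: [Symbol])
end

# True when yaml precedes eyaml and eyaml's :extension is 'yaml': both backends read
# the same files, the plain one answers first and hands back the ciphertext.
def eyaml_shadowed?(config)
  backends = config.fetch(:backends, [])
  y, e = backends.index('yaml'), backends.index('eyaml')
  return false if y.nil? || e.nil? || e < y
  config.dig(:eyaml, :extension).to_s == 'yaml'
end

# Catalog-side check: a looked-up value still carrying ENC[...] was never decrypted.
def encrypted_value?(value)
  value.is_a?(String) && ENC_RE.match?(value)
end

# Minimal model of Hiera 3 priority lookup over one data file: the first backend that
# holds the key wins. `decrypt` is a caller-supplied stand-in for PKCS7 decryption.
def hiera_lookup(config, key, data, decrypt)
  config.fetch(:backends).each do |backend|
    next unless data.key?(key)
    value = data[key]
    return value if backend == 'yaml'                 # raw string, ENC[...] included
    return (encrypted_value?(value) ? decrypt.call(value) : value) if backend == 'eyaml'
  end
  nil
end
```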

dkoleary

Jul 8, 2016, 1:37:43 PM
to Puppet Users
I'll be damned... that was it.  Well, I don't feel so bad about that one.

Thank you very much!

Andrew Grimberg

Jul 8, 2016, 2:04:24 PM
to puppet...@googlegroups.com
Our team completely dropped the yaml backend as we always ended up with
weird issues of hiera not always finding the yaml. Doesn't matter if we
don't actually have anything encrypted in the eyaml file, all files for
us are eyaml now.

-Andy-

Christopher Wood

Jul 8, 2016, 3:15:41 PM
to puppet...@googlegroups.com
Same, all files here are eyaml.