Puppet lookup fails with expects a Sensitive value, got String

I am trying to implement encrypted values in Hiera 5 yaml to securely inject passwords into Puppet (Enterprise) 5.3 via automatic lookup. The Puppet blog and PUP-7284 provide excellent guidance on the necessary setup.

However, I can't seem to get lookup_options to correctly ensure conversion to the Sensitive type (to match the class parameter).

Using the puppet lookup command, the assertion fails:

[user@rhel7 ~]$ puppet lookup my_module::db_pass --environment test --type Sensitive[String]
Error: Could not run: Found value has wrong type, expects a Sensitive value, got String 

The lookup_options also appear to be found, and they look reasonable:

[user@rhel7 ~]$ puppet lookup my_module::db_pass --environment test --explain-options
Hierarchy entry "Passwords"
        Path "/etc/puppetlabs/code/environments/test/modules/my_module/data/secrets.eyaml"
          Original path: "secrets.eyaml"
          Found key: "lookup_options" value: {
            "^my_module::.*pass$" => {
              "convert_to" => "Sensitive"
            }
          }

Decryption works fine (unfortunately in plain text - not sure whether this is expected?)

[user@rhel7 ~]$ puppet lookup my_module::db_pass --environment test
Found key: "my_module::db_pass" value: "password_is_taco"

The setup is as follows:

[user@rhel7 /etc/puppetlabs/puppet/environment/test/modules/my_module]$ cat hiera.eyaml
---
version: 5
defaults:
  data_hash: yaml_data
  datadir: data

hierarchy:
  - name: "Passwords"
    lookup_key: eyaml_lookup_key
    paths:
      - "secrets.eyaml"
    options:
        pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
        pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"
[user@rhel7 /etc/puppetlabs/puppet/environment/test/modules/my_module]$ cat ./data/secrets.eyaml
---
lookup_options:
  '^my_module::.*pass$':
    convert_to: "Sensitive"

my_module::db_pass: >
    ENC[PKCS7,MIIBqQYJKoZ...snip]

I have also had no success using a different regular expression and/or just using the key directly:

lookup_options:
  my_module::db_pass:
    convert_to: "Sensitive"

Apologies in advance for any minor copy-paste issues from obfuscating the code :)

I never fully figured out why the specific test setup I tried above never worked, but here is what I ended up implementing:

---
lookup_options:
  "^my_module::.*(password|token)$":
    convert_to: Sensitive

The pattern match will properly convert any of the following to Sensitive[String]:

my_module::password
my_module::service_password
my_module::api_token
my_module::any_number::of_subclasses::token_or_password

If you are thinking of going through the same process, you might consider:
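As an added illustration (not part of the question or the answer above, and not Puppet's own code), the following Ruby script models how a Hiera 5 lookup_options hash selects keys for convert_to: Sensitive, and why the wrapping matters: the value stays retrievable through unwrap, but to_s/inspect redact it so it does not leak into logs or reports. It assumes Hiera's documented rule that an options key beginning with "^" is a regular expression and that an exact key match takes precedence over a regex key; the Sensitive class and the helper functions are stand-ins written for this example only. It checks the four keys listed in the answer against the answer's pattern, a non-matching key, and the questioner's original "^my_module::.*pass$" pattern against my_module::db_pass.

```ruby
# Added example: a small model of how Hiera 5 lookup_options choose which
# keys get convert_to: Sensitive. This is NOT Puppet's implementation; the
# Sensitive class below is a stand-in for Puppet's Sensitive type.

# Stand-in for Puppet's Sensitive type: the value is retrievable via #unwrap,
# but to_s/inspect redact it so it cannot leak into logs, reports or diffs.
class Sensitive
  def initialize(value)
    @value = value
  end

  def unwrap
    @value
  end

  def to_s
    'Sensitive [value redacted]'
  end
  alias inspect to_s
end

# Constructed lookup_options mirroring the pattern from the answer.
LOOKUP_OPTIONS = {
  '^my_module::.*(password|token)$' => { 'convert_to' => 'Sensitive' },
}.freeze

# Return the options entry that applies to +key+. Assumption (Hiera 5 docs):
# an exact key match wins; otherwise a key starting with '^' is a regex.
def options_for(key, lookup_options = LOOKUP_OPTIONS)
  return lookup_options[key] if lookup_options.key?(key)

  lookup_options.each do |pattern, opts|
    next unless pattern.start_with?('^')
    return opts if Regexp.new(pattern).match?(key)
  end
  nil
end

# Apply convert_to to a looked-up value, as the automatic class-parameter
# lookup would before binding it to a Sensitive[String] parameter.
def convert(key, value, lookup_options = LOOKUP_OPTIONS)
  opts = options_for(key, lookup_options)
  return value unless opts && opts['convert_to'] == 'Sensitive'

  Sensitive.new(value)
end

# True when +key+ would be wrapped under +lookup_options+.
def converted?(key, lookup_options = LOOKUP_OPTIONS)
  convert(key, 'x', lookup_options).is_a?(Sensitive)
end

if __FILE__ == $PROGRAM_NAME
  %w[my_module::password my_module::service_password my_module::api_token
     my_module::any_number::of_subclasses::token_or_password
     my_module::db_host].each do |k|
    v = convert(k, 'constructed-secret') # constructed plaintext value
    puts "#{k} -> #{v.inspect}"          # wrapped keys print as redacted
  end
end
```

Running the script prints the redacted marker for the four keys from the answer and the plain string for my_module::db_host, which is the behaviour a class parameter typed Sensitive[String] relies on.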