Jake Lundberg
2013-Dec-09 19:27 UTC
[Puppet Users] Hiera + GPG: If GPG first backend, yaml (non-gpg) entries cause failure
I'm able to get Hiera + GPG working fine, but am running into an issue when I want to use GPG as the primary backend. We want to do this to make sure any secrets are realized first. However, it seems when a value in GPG backend also exists in a YAML backend, hiera dies with a message:

    Debug: Automatically imported puppet::client from puppet/client into DEVENV_20131205_2000
    Debug: hiera(): [gpg_backend]: Loaded gpg_backend
    Debug: hiera(): [gpg_backend]: Lookup called, key puppet::client::runinterval resolution type is
    Debug: hiera(): [gpg_backend]: GNUPGHOME is /etc/puppet/gpgkeys
    Debug: hiera(): [gpg_backend]: loaded cipher: /etc/puppet/hiera/DEVENV_20131205_2000/adhoc.gpg
    Debug: hiera(): [gpg_backend]: result is a String ctx #<GPGME::Ctx:0x2b191de61458> txt ---

    encryption_key: 'HIERA + GPG ROCKS!'
    integrity_key: 'HIERA + GPG ROCKS!'

    <SNIP>
    Debug: hiera(): Looking for data source env/ec2-labs/lab3
    Error: undefined method `read_file' for #<Hiera::Filecache:0x2b191dd93760 @cache={}> at /etc/puppet/modules/DEVENV_20131205_2000/base_server/manifests/init.pp:12 on node <node>
    Wrapped exception:
    undefined method `read_file' for #<Hiera::Filecache:0x2b191dd93760 @cache={}>
    Error: undefined method `read_file' for #<Hiera::Filecache:0x2b191dd93760 @cache={}> at /etc/puppet/modules/DEVENV_20131205_2000/base_server/manifests/init.pp:12 on node <node>
    Error: undefined method `read_file' for #<Hiera::Filecache:0x2b191dd93760 @cache={}> at /etc/puppet/modules/DEVENV_20131205_2000/base_server/manifests/init.pp:12 on node <node>

adhoc.gpg is higher in the hierarchy, env/ec2-labs/lab3 is lower, but holds values for the node the catalog is being built for. In this particular case, the "encryption_key" and "integrity_key" values have been commented out of lab3.yaml.
If I switch to have YAML as the primary provider, everything works, but I get the YAML value as opposed to the GPG value (if both are defined). If the value doesn't exist in the YAML, everything works perfectly if GPG is the secondary backend; however, since our repository is shared between teams, we want to make GPG the primary value.

Is there some sort of cache collision if GPG values are created for a node's variables in the catalog first?