jsok / hiera-vault Goto Github PK

A Hiera backend to retrieve secrets from Hashicorp's Vault

License: Apache License 2.0

Ruby 100.00%

hiera-vault's Introduction

hiera-vault

A Hiera backend to retrieve secrets from Hashicorp's Vault

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Vault presents a unified API to access multiple backends: HSMs, AWS IAM, SQL databases, raw key/value, and more.

Configuration

You should modify hiera.yaml as follows:

:backends:
    - vault

:vault:
    :addr: http://127.0.0.1:8200
    :token: fake

Alternatively (and recommended) you can specify your vault client configuration via the same environment variables read by vault-ruby, e.g.

VAULT_TOKEN=secret hiera -c hiera.yml foo

Lookups

Hash - default

Since vault stores data in Key/Value pairs, this naturally lends itself to returning a Hash on lookup. For example:

vault write secret/foo value=bar other=baz

The hiera lookup for foo will return a Hash:

{"value"=>"bar","other"=>"baz"}

Single Value - optional

If you use just a single field to store data, eg. "value" - you can request that just this is returned as a string, instead of a hash.

To do this, set:

:vault:
    :default_field: value

For example:

vault write secret/foo value=bar other=baz

The hiera lookup for foo will return just "bar" as a string.

In case foo does not have the value field, a Hash is returned as normal. In versions <= 0.1.4 an error occurred.

Default field behavior - optional

When using :default_field, by default, additional fields are ignored, and if the field is not present, nil will be returned.

To only return the value of the default field if it is present and the only one, set:

:vault:
    :default_field: value
    :default_field_behavior: only

Then, when foo contains more fields in addition to value, a Hash will be returned, just like with the default behaviour. And, in case foo does not contain the value field, a Hash with the actual fields will be returned, as if :default_field was not specified.

JSON parsing of single values - optional

Only applicable when :default_field is used. To use JSON parsing, set, for example:

:vault:
    :default_field: json_value
    :default_field_parse: json

Then, for example, when:

vault write secret/foo json_value='["bird","spider","fly"]'

the hiera lookup for foo will return an array. When used in Array lookups (hiera_array), all occurences of foo will be merged into a single array.

When, for example:

vault write secret/foo json_value='{"user1":"pass1","user2":"pass2"}'

the hiera lookup for foo will return a hash. This is the same behavior as when:

vault write secret/foo user1='pass1' user2='pass2'

Both will result in a hash:

{"user1"=>"pass1","user2"=>"pass2"}

In case the single field does not contain a parseable JSON string, the string will be returned as is. When used in Hash lookups, this will result in an error as normal.

Lookup type behavior

In case Array or Hash lookup is done, usual array or hash merging takes place based on the configured global :merge_behavior setting.

Backends and Mounts

The mounts config attribute should be used to customise which secret backends are interrogated in a hiera lookup.

Currently only the generic secret backend is supported. By default the secret/ mount is used if no mounts are specified.

Inspect your vault mounts output, e.g.:

> vault mounts
Path        Type     Description
staging/    generic  generic secret storage for Staging data
production/ generic  generic secret storage for Production data
secret/     generic  generic secret storage
sys/        system   system endpoints used for control, policy and debugging

For the above scenario, you may wish to separate your per-environment secrets into their own mount. This could be achieved with a configuration like:

:vault:
    # ...
    :mounts:
        :generic:
            - %{environment}
            - secret

Since version 0.2.0, the :hierarchy source paths from the hiera configuration are used on top of each mount. This makes the behavior of the vault backend the same as other backends. Additionally, this enables usage of the third parameter to the hiera functions in puppet, the so-called 'override' parameter. See http://docs.puppetlabs.com/hiera/1/puppet.html#hiera-lookup-functions

Example: In case we have the following hiera config:

:backends:
    - vault
    - yaml

:hierarchy:
  - "nodes/%{::fqdn}"
  - "hostclass/%{::hostclass}"
  - ...
  - common

:yaml:
  :datadir: "/var/lib/hiera/%{::environment}/"

:vault:
    :addr: ...
    :mounts:
        :generic:
            - "%{::environment}"
            - secret

Each hiera lookup will result in a lookup under each mount, honouring the configured :hierarchy. e.g.:

%{::environment}/nodes/%{::fqdn}
%{::environment}/hostclass/${::hostclass}
%{::environment}/...
%{environment}/common
secret/nodes/%{::fqdn}
secret/hostclass/%{::hostclass}
secret/...
secret/common

With the third argument to the hiera functions, the override parameter, the call

$val = hiera('thekey', 'thedefault', 'override_path/look_here_first')

will result in lookups through the following paths in vault:

%{::environment}/override_path/look_here_first
%{::environment}/nodes/%{::fqdn}
%{::environment}/hostclass/%{::hostclass}
%{::environment}/...
%{::environment}/common
secret/override_path/look_here_first
secret/nodes/%{::fqdn}
secret/hostclass/%{::hostclass}
secret/...
secret/common

SSL

SSL can be configured with the following config variables:

:vault:
    :ssl_pem_file: /path/to/pem
    :ssl_ca_cert: /path/to/ca.crt
    :ssl_ca_path: /path/to/ca/
    :ssl_verify: false
    :ssl_ciphers: "MY:SSL:CIPHER:CONFIG"

hiera-vault's People

Contributors

Stargazers

Watchers

hiera-vault's Issues

[Question] Should ENV vars take precendence over hiera.yaml values?

I can not run hiera-vault without a token - it throws an error then. I can add a token in hiera.yaml, but if this is a real token I can't commit it. If this is a fake token, I can not override it.

In my mind, I should be able to add a fake token (or no token, without error) to my hiera.yaml file, and pass the token via the ENV:

VAULT_TOKEN=mytoken hiera -c hiera.yaml mykey

This means that all sanity tests will succeed (with empty values for secrets, which should be fine), and in production the real vault token will be used and thus the real secrets.

Does my story make sense? If so, I have proof-of-concept code to have ENV variables for address and token take precedence over whatever is in hiera.yaml

VAULT_TOKEN is not being used when :token: removed from hiera config

I'm probably missing something since I'm new to the vault world...

But I had to add an IF check to line 18 to get the VAULT_TOKEN env to work:

config.token = @config[:token] if @config[:token]

I'm also not a Ruby programmer.

hiera vault lookups slowing down puppet runs

I have vault setup and installed the hiera-vault gem on my puppetserver. When I enable the vault backend, my puppet apply runs go from a few seconds to a few minutes. The client is suck on Info: Loading facts. The puppetserver logs show hundreds of api calls to vault by every hiera enabled module multiplied by how many hierarchy I have listed. Is this normal?

Here is my hiera.yaml:


---
:backends:
  - yaml
#  - vault
:vault:
  :addr: https://vault.xxx.io
  :token: xxx
  :default_field: value
  :default_field_behavior: only
  :mounts:
    :generic:
      - secret
:yaml:
  :datadir: /etc/puppetlabs/code/
:hierarchy:
  - environments/%{environment}/hieradata/"nodes/%{::trusted.certname}"
  - environments/%{environment}/hieradata/common
  - environments/%{environment}/hieradata/users
  - workspace/%{environment}/hieradata/"nodes/%{::trusted.certname}"
  - workspace/%{environment}/hieradata/common
  - workspace/%{environment}/hieradata/users
  -

Here is a excerpt of the puppetserver logs:

2016-06-17 14:02:40,721 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret/environments/production/hieradata/users/ntp::service_name: permission denied
2016-06-17 14:02:40,773 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret/workspace/production/hieradata/users/ntp::service_name: permission denied
2016-06-17 14:02:40,882 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret//ntp::stepout: permission denied
2016-06-17 14:02:40,933 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret/environments/production/hieradata/users/ntp::stepout: permission denied
2016-06-17 14:02:40,985 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret/workspace/production/hieradata/users/ntp::stepout: permission denied
2016-06-17 14:02:41,094 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret//ntp::tinker: permission denied
2016-06-17 14:02:41,145 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret/environments/production/hieradata/users/ntp::tinker: permission denied
2016-06-17 14:02:41,198 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret/workspace/production/hieradata/users/ntp::tinker: permission denied
2016-06-17 14:02:41,306 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret//ntp::udlc: permission denied
2016-06-17 14:02:41,357 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret/environments/production/hieradata/users/ntp::udlc: permission denied
2016-06-17 14:02:41,410 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret/workspace/production/hieradata/users/ntp::udlc: permission denied
2016-06-17 14:02:41,518 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret//ntp::udlc_stratum: permission denied
2016-06-17 14:02:41,569 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret/environments/production/hieradata/users/ntp::udlc_stratum: permission denied
2016-06-17 14:02:41,622 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret/workspace/production/hieradata/users/ntp::udlc_stratum: permission denied
2016-06-17 14:02:41,901 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret//resolv_conf::searchpath: permission denied
2016-06-17 14:02:41,954 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret/environments/production/hieradata/users/resolv_conf::searchpath: permission denied
2016-06-17 14:02:42,005 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret/workspace/production/hieradata/users/resolv_conf::searchpath: permission denied
2016-06-17 14:02:42,114 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret//resolv_conf::options: permission denied
2016-06-17 14:02:42,166 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret/environments/production/hieradata/users/resolv_conf::options: permission denied
2016-06-17 14:02:42,220 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret/workspace/production/hieradata/users/resolv_conf::options: permission denied
2016-06-17 14:02:42,486 INFO  [qtp643197702-62] [puppet-server] Puppet hiera(): [hiera-vault] Could not read secret secret//firewall::ensure: permission denied

Upgrade to vault-ruby 0.3.0

The new listing functionality is useful, however still nice to track the latest version.

https://github.com/hashicorp/vault-ruby/tree/v0.3.0

importing existing YAML files

has anyone done this before? the problem looks tricky enough for me to look around before I implement a solution myself.

Upgrade to vault-ruby 0.2.0

Includes some handy retry/backoff logic.

Open up project ownership

At this point I'm merely the original author, most of the code as it exists now has been contributed by the community (thanks all! 🎉 🎈)

I'm keen to add another contributor or two to both the GitHub repo and the rubygems project.

Reference:

http://help.rubygems.org/discussions/questions/151-adding-another-owner

"undefined method `require_relative' for Vault:Module" [probably cent6/ruby187 issue]

here's a fairly minimal test case to reproduce:

# launch your container
docker run --rm --link vault:vault -it centos:6 /bin/bash

# inside your container...
yum install -y ruby rubygems
gem install hiera
gem install hiera-vault

# verify connection to vault
curl http://vault:8200/v1/secret

# drop config file
cat << EOF > /hiera.yaml
:backends:
    - vault

:vault:
    :addr: http://vault:8200
    :token: REDACTED
EOF

hiera -c /hiera.yaml foo

/usr/lib/ruby/gems/1.8/gems/vault-0.1.3/lib/vault.rb:2: undefined method `require_relative' for Vault:Module (NoMethodError)
    from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
    from /usr/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
    from /usr/lib/ruby/gems/1.8/gems/hiera-vault-0.1.1/lib/hiera/backend/vault_backend.rb:8:in `initialize'
    from /usr/lib/ruby/site_ruby/1.8/hiera/backend.rb:205:in `new'
    from /usr/lib/ruby/site_ruby/1.8/hiera/backend.rb:205:in `lookup'
    from /usr/lib/ruby/site_ruby/1.8/hiera/backend.rb:203:in `each'
    from /usr/lib/ruby/site_ruby/1.8/hiera/backend.rb:203:in `lookup'
    from /usr/lib/ruby/site_ruby/1.8/hiera.rb:60:in `lookup'
    from /usr/bin/hiera:225

the test case assumes you have a Docker container running vault named "vault". I did something like this to create my "test vault container".

# Dockerfile
FROM cgswong/vault
COPY vault.cfg /vault.cfg

docker build -t neoice/vault Dockerfile
docker run --privileged --name vault --rm -p 8200:8200 neoice/vault server -config=/vault.cfg

I was also able to reproduce the same error message on a CentOS6.6 virtual machine (no Docker, good old fashioned Puppet and PXE).

Example to use this in a puppet master-client and puppet masterless architecture ?

Hi,
We are using puppet hiera with json backend and looks like this could fit our needs to encrypt passwords and other sensitive data. If possible Could you please share an example on how to use this when using in a puppet master-client architecutre or puppet masterless setup. How to point to the vault value in a puppet module?

Thanks your help !!

Use CI to release to rubygems

Use CI to create gems and publish to rubygems.org when a new tag is pushed.

Feature request: Fetching PKI certificates?

Apparently, if I understood the documentation for this module correctly, it is currently only possible to fetch secrets from the 'generic' backend.

How much work would it be to implement fetching certificates from the/a PKI backend?

@abooitt Since you've been doing a lot/some work on this module, any chance you could add this functionality as well?

Notice: Scope(Class[main]): atrap
Notice: Compiled catalog for server.domain.be in environment production in 0.47 seconds
Notice: Applied catalog in 0.09 seconds

but when running the same hiera parameter in a manifest like this

$hieratest = hiera('its',"nothing")
notify { "${hieratest}": }

I get this result

Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for lnx-iapuppet01.iconos.be
Info: Applying configuration version '1471610452'
Notice: nothing
Notice: /Stage[main]/Main/Node[server.domain.be]/Notify[nothing]/message: defined 'message' as 'nothing'
Notice: Applied catalog in 7.74 seconds

Puppetserver can't seem to find the its vault item, but puppet apply can

TLS 1.2 Support

Hello,
I have setup hiera-vault 0.1.6 (+ vault 0.2.0) on my Ubuntu 14.04.

Our vault server uses TLS to encrypt connections to port 8200 (HTTPS)

If I now test a hiera-vault call it fails with:
WARN: 2016-01-25 16:59:10 +0000: [hiera-vault] Skipping backend. Configuration error: unknown SSL method `TLSv1_2'.

In hiera.yaml I set:
:vault:
:addr: https://hostdomain.net:8200
:token: verysecret
:ssl_ca_path: /etc/ssl/certs/

Does hiera-vault support TLS1.2?

Installation instructions

Could you update the readme to include some installation instructions?