Does not work with Puppet 3.5.1 (Hiera 1.3.2) about hiera-eyaml HOT 10 CLOSED

Hi @justicel - can you provide more details including the versions of ruby and the contents of your hiera.yaml configuration file?

Thanks,
Simon

from hiera-eyaml.

Using the ubuntu precise version of ruby: 1.9.3p0 (ughh, but it works).

Contents of the configuration file:

---
:backends:
  - yaml
  - eyaml

:logger: console
:hierarchy:
  - "%{environment/%{calling_class}"
  - "%{environment}"
  - common

:yaml:
   :datadir: /etc/puppet/hieradata

That's enough to break it. I can also add the :eyaml configuration entries with key-file information and it doesn't change the error.

from hiera-eyaml.

And what does the 'secrets' key look like in your common.yaml / common.eyaml file?

from hiera-eyaml.

I use a block encode, so here's a bit off the top of the file:

ENC[PKCS7,MIIanQYJKoZIhvcNAQcDoIIajjCCGooCAQAxggEhMIIBHQIBADAFMAACAQAw
DQYJKoZIhvcNAQEBBQAEggEAkVTC18ceU2wPntcjmfuNA0NmfnRJzg/JENVp
FM7U04F0etknhlE61oS59hcupRITWHtg6iV87iOIiIdJ98nw6MRUStXWpA7w
wMDzItime+OsjbdteEZFRZUMEvkt/jTHmTEs8Y1npLlhIrxsSkQMMr0f0+i7
HsnkTGrXZfhyLPoQvRSPckLquVkhxlgEmyYY7hZv10D3aXpwD64v1JS6xvoP
J5Oe0vVWu26lym+Hoq0F8k9kswtgdO+l0VYrUyZY18HMeM68Otb6rcRb+bnG

And decoded here is some data:

---
secrets:
  check-ins:
    staging:
      fog:

from hiera-eyaml.

OK. I'm afraid I'm still not quite sure what you eyaml file looks like, but I get the impression that it is all encrypted? It should read like a normal YAML file but with only value sections of it encrypted. i.e.

---
secrets:
  check-ins:
    staging:
      fog: ENC[PKCS7,<encrypted value for secrets['check-ins']['staging']['fog']>]

The YAML parsing is done before any decryption is carried out, so the file must be valid YAML. Does that make sense? Have a look at the example encrypted file in the Hiera section of the readme: https://github.com/TomPoulton/hiera-eyaml#hiera

from hiera-eyaml.

I was under the impression that you could have a totally encrypted eyaml file? This was working okay before...

from hiera-eyaml.

Sorry @justicel - if it was working before, it was by accident rather than design. hiera-gpg provides whole file encryption, but the aim of hiera-eyaml was to only encrypt the parts that needed to be encrypted so that files make sense without having to decrypt them (and version control diffs make sense as well). The edit functionality makes this easy to manage without it becoming a burden.

I don't think there is a strong use case for entirely encrypted files, so personally I'd argue against fixing it so it works again.

Out of interest, do you know what combination of versions you were using when it worked?

from hiera-eyaml.

Unfortunately I don't. I'll try to figure it out. The reason I ended up encrypting the whole file was I couldn't figure out how to easily get specific fields to encrypt without a lot of editing trouble (this is a large secrets file).

from hiera-eyaml.

Experiment with the eyaml edit command (see https://github.com/TomPoulton/hiera-eyaml#editing-eyaml-files). This was built to make working with files with lots of small bits of encrypted text easy (and overcome the editing trouble that you mention).

Let us know if you think there are improvements that could be made to the edit mode.

from hiera-eyaml.

I'm going to close this as it's not a bug or a requirement

@justicel if your common.eyaml file is getting large and unwieldy you can always split it up into two and add them both into the hierarchy. We have a common.eyaml and a core.eyaml file, it makes it easier to manage, and the two files also contain slightly different sets of data so it makes it logically clearer as well

from hiera-eyaml.