Fetching mongodb password from vault not working #609

Open
reschandreas opened this issue Apr 16, 2021 · 1 comment

reschandreas commented Apr 16, 2021

Hi!

I am currently working on adding this module to our puppet infrastructure and I am having a hard time using it. We manage our secrets with vault and thus we would also like to fetch the mongodb password from vault and not store it in plain text in our puppet repository for obvious security reasons.

I am searching for a way that allows me to read the password either from a file or another parameter which is able to get a Deferred value for evaluation on the agent, not the puppetserver itself since those have no access to these secrets.

Is there already a solution I am not finding/overlooking or else is there a plan to support Deferred values?

Thank you very much! 🙂

How to reproduce (e.g Puppet code you use)

This is currently my code:

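```puppet
  # Look up the password from Vault on the agent, not on the puppetserver
  $vars = {
    'password'  => Deferred('vault_lookup::lookup',['[keystore]',"[/path/to/secret/password]",'[key]',"[certificate]"]),
  }

  mongodb::db { $db:
    user     => $user,
    # A Deferred wrapping another Deferred result; this is the value the type check rejects
    password => Deferred('inline_epp', ['<%= $password.unwrap %>', $vars]),
    roles    => ['readWrite', 'dbAdmin'],
  }
```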

What are you seeing

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Mongodb::Db[Users]: parameter 'password' expects a value of type Undef or String, got Deferred

What behaviour did you expect instead

No error

Output log

Any additional information you'd like to impart


Robbie558 commented Apr 15, 2024

This is only an issue when referencing a deferred result through a deferred function. The following use of the mongodb_password function works (puppet-mongodb: 5.0.0, puppet: 7.29.1):

```puppet
$admin_username = 'administrator'
# <hostname> is a placeholder for the node's hostname
$admin_password_path = 'secret/mongodb/integration/<hostname>/admin_password'
# Hash the Vault-supplied password with mongodb_password, deferred to the agent
$deferred_admin_password_hash = Deferred('mongodb_password', [$admin_username, vault_lookup::lookup($admin_password_path, { 'vault_addr' => lookup('vault_addr'), 'field' => 'value' })])
...
class { 'mongodb::server':
  create_admin        => true,
  admin_username      => $admin_username,
  admin_password_hash => $deferred_admin_password_hash,
  ...
}
...
```
