Feature: allow generation of secrets if missing in Vault

[hggh]

It would be nice to have some sort of a password generation option to the vault_lookup function.

some usecases:

• lookup key has the hostname of the server "root/password/${hostname}" if the key and the secrect does not exists. vault_lookup will generate a new password and save it to Vault. So every server has a different root password
• bootstrap a new MySQL/MariaDB Server with a new mysql root password

The idea of this feature request to have Vault with the features of trocla (https://github.com/duritong/trocla). Trocla allows autogenerating a password if it does not exist.

[petems]

This is actually pretty cool, but I feel like this might be pushing the boundries of the use-case for lookup...

I'm writing up some Vault helpers and other things as functions (eg. AWS credentials, fetching tokens etc) so I'll see if I can make a basic one for setting a password if i get the time 😄

[sircubbi]

We are using a separate lookup-function named vault_lookup::lookupgen which takes two parameters (lookupkey and passwordlength) to create a new password if not present at the location.

See attached patch for some ideas (note that this function also hardcodes the vault-path to the puppetmaster and also inserts the FQDN to the path.
lookupgen.txt