Skip to content
/ petems-hiera_vault Public
forked from petems/petems-hiera_vault

A hiera backend for access to secrets being stored in HashiCorp Vault

License

Apache-2.0 license
0 stars 48 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kokovikhinkv/petems-hiera_vault

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
lib/puppet/functions
lib/puppet/functions
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
metadata.json
metadata.json
 
 

Repository files navigation

hiera_vault : a vault data provider function (backend) for Hiera 5

Description

This is a back end function for Hiera 5 that allows lookup to be sourced from Hashicorp's Vault.

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Vault presents a unified API to access multiple backends: HSMs, AWS IAM, SQL databases, raw key/value, and more.

Compatibility

  • The 3.x series of hiera-http is only compatible with Hiera 5, that ships with Puppet 4.9+
  • Users looking for older implementations for Hiera 1,2 and 3 should use hiera-http 2.x
  • hiera-http 3 ships within the crayfishx/hiera_http
  • hiera-http 2 (legacy) ships as a Rubygem "hiera-http"

Requirements

The vault gem must be installed and loadable from Puppet

# /opt/puppetlabs/puppet/bin/gem install vault
# puppetserver gem install vault

Installation

The data provider is available by installing the davealden/hiera_vault module into your environment.

# puppet module install davealden/hiera_vault

Configuration

See The official Puppet documentation for more details on configuring Hiera 5.

The following is an example Hiera 5 hiera.yaml configuration for use with hiera-vault

---

version: 5

hierarchy:
  - name: "Hiera-vault lookup"
    lookup_key: hiera_vault
    options:
      confine_to_keys:
        - '^vault_.*'
        - '^.*_password$'
        - '^password.*'
      ssl_verify: false
      address: https://vault.foobar.com:8200
      token: <insert-your-vault-token-here>
      default_field: value
      mounts:
        generic:
          - secret/puppet/%{::trusted.certname}/
          - secret/puppet/common/

The following mandatory Hiera 5 options must be set for each level of the hierarchy.

name: A human readable name for the lookup lookup_key: This option must be set to hiera_http

The following are optional configuration parameters supported in the options hash of the Hiera 5 config

address: The address of the Vault server, also read as ENV["VAULT_ADDR"]

token: The token to authenticate with Vault, also read as ENV["VAULT_TOKEN"]

:confine_to_keys: : Only use this backend if the key matches one of the regexes in the array

  confine_to_keys:
    - "application.*"
    - "apache::.*"

:ssl_verify: Specify whether to verify SSL certificates (default: true)

Author

About

A hiera backend for access to secrets being stored in HashiCorp Vault

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

4 tags

Packages

No packages published

Languages

  • Ruby 100.0%