A Hiera backend to retrieve secrets from Hashicorp's Vault
Ruby
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.

README.md

Gem Version Badge Build Status

hiera-vault

A Hiera backend to retrieve secrets from Hashicorp's Vault

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Vault presents a unified API to access multiple backends: HSMs, AWS IAM, SQL databases, raw key/value, and more.

Configuration

You should modify hiera.yaml as follows:

:backends:
    - vault

:vault:
    :addr: http://127.0.0.1:8200
    :token: fake

Alternatively (and recommended) you can specify your vault client configuration via the same environment variables read by vault-ruby, e.g.

VAULT_TOKEN=secret hiera -c hiera.yml foo

Lookups

Hash - default

Since vault stores data in Key/Value pairs, this naturally lends itself to returning a Hash on lookup. For example:

vault write secret/foo value=bar other=baz

The hiera lookup for foo will return a Hash:

{"value"=>"bar","other"=>"baz"}

Single Value - optional

If you use just a single field to store data, eg. "value" - you can request that just this is returned as a string, instead of a hash.

To do this, set:

:vault:
    :default_field: value

For example:

vault write secret/foo value=bar other=baz

The hiera lookup for foo will return just "bar" as a string.

In case foo does not have the value field, a Hash is returned as normal. In versions <= 0.1.4 an error occurred.

Default field behavior - optional

When using :default_field, by default, additional fields are ignored, and if the field is not present, nil will be returned.

To only return the value of the default field if it is present and the only one, set:

:vault:
    :default_field: value
    :default_field_behavior: only

Then, when foo contains more fields in addition to value, a Hash will be returned, just like with the default behaviour. And, in case foo does not contain the value field, a Hash with the actual fields will be returned, as if :default_field was not specified.

JSON parsing of single values - optional

Only applicable when :default_field is used. To use JSON parsing, set, for example:

:vault:
    :default_field: json_value
    :default_field_parse: json

Then, for example, when:

vault write secret/foo json_value='["bird","spider","fly"]'

the hiera lookup for foo will return an array. When used in Array lookups (hiera_array), all occurences of foo will be merged into a single array.

When, for example:

vault write secret/foo json_value='{"user1":"pass1","user2":"pass2"}'

the hiera lookup for foo will return a hash. This is the same behavior as when:

vault write secret/foo user1='pass1' user2='pass2'

Both will result in a hash:

{"user1"=>"pass1","user2"=>"pass2"}

In case the single field does not contain a parseable JSON string, the string will be returned as is. When used in Hash lookups, this will result in an error as normal.

Lookup type behavior

In case Array or Hash lookup is done, usual array or hash merging takes place based on the configured global :merge_behavior setting.

Backends and Mounts

The mounts config attribute should be used to customise which secret backends are interrogated in a hiera lookup.

Currently only the generic secret backend is supported. By default the secret/ mount is used if no mounts are specified.

Inspect your vault mounts output, e.g.:

> vault mounts
Path        Type     Description
staging/    generic  generic secret storage for Staging data
production/ generic  generic secret storage for Production data
secret/     generic  generic secret storage
sys/        system   system endpoints used for control, policy and debugging

For the above scenario, you may wish to separate your per-environment secrets into their own mount. This could be achieved with a configuration like:

:vault:
    # ...
    :mounts:
        :generic:
            - %{environment}
            - secret

Since version 0.2.0, the :hierarchy source paths from the hiera configuration are used on top of each mount. This makes the behavior of the vault backend the same as other backends. Additionally, this enables usage of the third parameter to the hiera functions in puppet, the so-called 'override' parameter. See http://docs.puppetlabs.com/hiera/1/puppet.html#hiera-lookup-functions

Example: In case we have the following hiera config:

:backends:
    - vault
    - yaml

:hierarchy:
  - "nodes/%{::fqdn}"
  - "hostclass/%{::hostclass}"
  - ...
  - common

:yaml:
  :datadir: "/var/lib/hiera/%{::environment}/"

:vault:
    :addr: ...
    :mounts:
        :generic:
            - "%{::environment}"
            - secret

Each hiera lookup will result in a lookup under each mount, honouring the configured :hierarchy. e.g.:

%{::environment}/nodes/%{::fqdn}
%{::environment}/hostclass/${::hostclass}
%{::environment}/...
%{environment}/common
secret/nodes/%{::fqdn}
secret/hostclass/%{::hostclass}
secret/...
secret/common

With the third argument to the hiera functions, the override parameter, the call

$val = hiera('thekey', 'thedefault', 'override_path/look_here_first')

will result in lookups through the following paths in vault:

%{::environment}/override_path/look_here_first
%{::environment}/nodes/%{::fqdn}
%{::environment}/hostclass/%{::hostclass}
%{::environment}/...
%{::environment}/common
secret/override_path/look_here_first
secret/nodes/%{::fqdn}
secret/hostclass/%{::hostclass}
secret/...
secret/common

SSL

SSL can be configured with the following config variables:

:vault:
    :ssl_pem_file: /path/to/pem
    :ssl_ca_cert: /path/to/ca.crt
    :ssl_ca_path: /path/to/ca/
    :ssl_verify: false
    :ssl_ciphers: "MY:SSL:CIPHER:CONFIG"