Hiera Vault lookup fails for empty variable

Configuration

Foreman: 3.13
Puppet: 8.10

Problem:

The hiera_vault lookup function defines a hierarchy in which to look for a secret. This hierarchy interpolates variables during catalog compilation, one of which is %{hostgroup}.

Running the puppet agent fails when the node has no hostgroup.

P.S.: The configuration is the same as on another Puppet 6 server on which we don’t have the issue.

How can we write the hiera_vault lookup hierarchy to handle nodes with no hostgroup?

error

Undefined variable 'hostgroup' (file: /etc/puppetlabs/code/environments/preview/hiera.yaml, line 21)

/etc/puppetlabs/code/environments/preview/hiera.yaml

---
version: 5

defaults:
  datadir: data
  data_hash: yaml_data

hierarchy:
  - name: "Vault Lookup"
    lookup_key: hiera_vault
    options:
      confine_to_keys:
        - "^.*_secret$"
      address: https://vault.foo.com
      token: /etc/puppetlabs/puppet/vault.token
      default_field: value

      mounts:
        a1:
          - "nodes/%{trusted.certname}"
          - "hostgroup/%{hostgroup}"
          - "domain/%{domain}"
          - "common"

I also tried this but it won’t work either:


      mounts:
        a1:
          - "nodes/%{trusted.certname}"
          - "hostgroup/%{lookup('hostgroup', default_value => '')}"
          - "domain/%{domain}"
          - "common"

error

Syntax error in string: hostgroup/%{lookup('hostgroup', default_value => '')}

troubleshooting

Testing the lookup function on its own we can see that it’s targeting the proper environment (not the global) hiera.yaml configuration using Hiera 5.

puppet lookup vault_secret --node foo --facts foo.json --explain --environment preview
  Environment Data Provider (hiera configuration version 5)
    Using configuration "/etc/puppetlabs/code/environments/preview/hiera.yaml"
Syntax error in string: hostgroup/%{lookup('hostgroup', default_value => '')}
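
As an added example (not part of the original post, and not Puppet or hiera_vault code), this pre-flight check scans hierarchy strings for `%{...}` tokens and classifies each one against a node's variables, mirroring the two errors shown above. It assumes Hiera interpolation functions (`lookup`, `hiera`, `alias`, `literal`, `scope`) accept only a single quoted argument; the function names `resolve` and `check_hiera` are hypothetical, and the node data in `NODE` is constructed.

```python
import re

# Hiera interpolation functions; assumed to take exactly one quoted argument.
FUNCTIONS = {"lookup", "hiera", "alias", "literal", "scope"}
TOKEN = re.compile(r"%\{([^}]*)\}")
CALL = re.compile(r"^(\w+)\((.*)\)$")
QUOTED_ARG = re.compile(r"""^\s*(['"])([^'"]*)\1\s*$""")

def resolve(name, scope):
    """Walk a dotted name such as trusted.certname through nested dicts."""
    node = scope
    for part in name.lstrip(":").split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def check_hiera(text, scope):
    """Return (line_no, token, verdict) for every %{...} token in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN.finditer(line):
            body = match.group(1).strip()
            call = CALL.match(body)
            if call:
                func, args = call.groups()
                valid = func in FUNCTIONS and QUOTED_ARG.match(args)
                verdict = "function" if valid else "syntax-error"
            elif resolve(body, scope) is None:
                verdict = "undefined"  # fatal when undefined variables are errors
            else:
                verdict = "ok"
            findings.append((line_no, match.group(0), verdict))
    return findings

# Both hostgroup variants from the post, checked against a constructed node
# that has a certname and a domain but no hostgroup.
MOUNTS = """\
- "nodes/%{trusted.certname}"
- "hostgroup/%{hostgroup}"
- "hostgroup/%{lookup('hostgroup', default_value => '')}"
- "domain/%{domain}"
- "common"
"""
NODE = {"trusted": {"certname": "foo.example.com"}, "domain": "example.com"}

if __name__ == "__main__":
    for finding in check_hiera(MOUNTS, NODE):
        print(finding)
```

Run against each environment's hiera.yaml with the fact sets of representative nodes, it flags the entries that would abort compilation before an agent run does.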