From b390aae7bec14fbe63975ebe8448feed206307f6 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 19 Aug 2017 17:21:49 +0100 Subject: [PATCH 1/4] add vault_filter option to allow vault lookups to limited by a prefix key --- README.md | 10 ++++++++++ hiera-vault.gemspec | 2 +- lib/hiera/backend/vault_backend.rb | 7 +++++++ 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 82476e1..d0e2ba7 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,16 @@ In case the single field does not contain a parseable JSON string, the string wi When used in Hash lookups, this will result in an error as normal. +#### Vault Filter - optional +Only applicable when `:vault_filter` is used. +To use Vault Filter, set, for example: + + :vault: + :vault_filter: vault + +This will result on only keys starting with the key `vault` being looked up against vault, all other lookups will skip the vault backend. + + ### Lookup type behavior In case Array or Hash lookup is done, usual array or hash merging takes place based on the configured global `:merge_behavior` setting. diff --git a/hiera-vault.gemspec b/hiera-vault.gemspec index cb94306..fc776c5 100644 --- a/hiera-vault.gemspec +++ b/hiera-vault.gemspec @@ -3,7 +3,7 @@ require 'rubygems/package_task' spec = Gem::Specification.new do |gem| gem.name = "hiera-vault" - gem.version = "0.2.2" + gem.version = "0.2.2.1" gem.license = "Apache-2.0" gem.summary = "Module for using vault as a hiera backend" gem.email = "jonathan.sokolowski@gmail.com" diff --git a/lib/hiera/backend/vault_backend.rb b/lib/hiera/backend/vault_backend.rb index 8cba891..16aa62b 100644 --- a/lib/hiera/backend/vault_backend.rb +++ b/lib/hiera/backend/vault_backend.rb 
@@ -35,6 +35,11 @@ def initialize() config.ssl_ca_cert = @config[:ssl_ca_cert] if config.respond_to? :ssl_ca_cert config.ssl_ca_path = @config[:ssl_ca_path] if config.respond_to? :ssl_ca_path config.ssl_ciphers = @config[:ssl_ciphers] if config.respond_to? :ssl_ciphers + if @config[:vault_filter].nil? + @vault_filter = nil + else + @vault_filter = @config[:vault_filter] + end end fail if @vault.sys.seal_status.sealed? @@ -47,6 +52,8 @@ def initialize() def lookup(key, scope, order_override, resolution_type) return nil if @vault.nil? + filter = @config[:vault_filter] + return nil if not (key[/^#{filter}/]) Hiera.debug("[hiera-vault] Looking up #{key} in vault backend") From 900acdc39fa1b29faafba40cb7b4679d4ed5c98c Mon Sep 17 00:00:00 2001 From: root Date: Sat, 19 Aug 2017 17:27:45 +0100 Subject: [PATCH 2/4] ensure previous behaviour is maintained if vault_filter is not set --- lib/hiera/backend/vault_backend.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/hiera/backend/vault_backend.rb b/lib/hiera/backend/vault_backend.rb index 16aa62b..d5617c3 100644 --- a/lib/hiera/backend/vault_backend.rb +++ b/lib/hiera/backend/vault_backend.rb @@ -52,8 +52,10 @@ def initialize() def lookup(key, scope, order_override, resolution_type) return nil if @vault.nil? - filter = @config[:vault_filter] - return nil if not (key[/^#{filter}/]) + if not @config[:vault_filter].nil? + filter = @config[:vault_filter] + return nil if not (key[/^#{filter}/]) + end Hiera.debug("[hiera-vault] Looking up #{key} in vault backend") From b60a459bea8cd3ee6f6204c9794e3f0de4565986 Mon Sep 17 00:00:00 2001 From: root Date: Sun, 20 Aug 2017 20:57:24 +0100 Subject: [PATCH 3/4] rework documentation --- README.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index d0e2ba7..86d5b8c 100644 --- a/README.md +++ b/README.md 
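Review bot: `@vault_filter` is assigned in this initialize hunk but never read, because the lookup hunk that follows fetches `@config[:vault_filter]` again, so the instance variable is dead state. The if/else also reduces to `@vault_filter = @config[:vault_filter]`, since the nil branch only assigns nil. Either drop the assignment or have lookup read `@vault_filter`, so there is one source for the setting. The same pattern returns in 4/4 with `@filter_prefix` and `@filter_mode`. initialize starts outside the hunk, so the block these lines sit in is not visible here.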
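Review bot: `key[/^#{filter}/]` in lookup compiles the configured prefix as a regular expression instead of comparing it literally, so any metacharacter in the value (`.`, `|`, `(`) changes which keys are sent to Vault, and `^` anchors at the start of any line rather than the start of the string. Since this check decides which keys reach the Vault backend, a literal test is safer: `return nil unless key.start_with?(filter)`. The same expression is kept in the 2/4 hunk and in the 4/4 lookup hunk, where the strip should likewise be literal, e.g. `key = key.sub(/\A#{Regexp.escape(filter)}/, '')`. lookup's body continues outside the hunk.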
@@ -102,14 +102,19 @@ In case the single field does not contain a parseable JSON string, the string wi When used in Hash lookups, this will result in an error as normal. -#### Vault Filter - optional -Only applicable when `:vault_filter` is used. -To use Vault Filter, set, for example: +#### Filter Prefix - optional +Only applicable when `:filter_prefix` is used. +To use Filter by prefix, set, for example: :vault: - :vault_filter: vault + :filter_prefix: 'vault::' + :filter_mode: 0 -This will result on only keys starting with the key `vault` being looked up against vault, all other lookups will skip the vault backend. +This will cause only keys prefixed with `vault::` to be looked up against vault, all other keys will skip the vault backend. + +`filter_mode` option `1` will remove your given `filter_prefix` from the key prior to the look up against the vault backend, this +could be useful in some cases to avoid rewriting keys in vault to meet the requirements of your filter, if unset or set to `0` the exact +key name used in the hiera function will be used in the vault lookup. ### Lookup type behavior From 1176fdbf0a7ba51ff746586eaa616e5398c24a3b Mon Sep 17 00:00:00 2001 From: root Date: Sun, 20 Aug 2017 20:58:09 +0100 Subject: [PATCH 4/4] renaming variable for filter_prefix and added filter_mode to allow removal of prefix from query --- lib/hiera/backend/vault_backend.rb | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/lib/hiera/backend/vault_backend.rb b/lib/hiera/backend/vault_backend.rb index d5617c3..160b2f2 100644 --- a/lib/hiera/backend/vault_backend.rb +++ b/lib/hiera/backend/vault_backend.rb 
@@ -35,10 +35,15 @@ def initialize() config.ssl_ca_cert = @config[:ssl_ca_cert] if config.respond_to? :ssl_ca_cert config.ssl_ca_path = @config[:ssl_ca_path] if config.respond_to? :ssl_ca_path config.ssl_ciphers = @config[:ssl_ciphers] if config.respond_to? :ssl_ciphers - if @config[:vault_filter].nil? - @vault_filter = nil + if @config[:filter_prefix].nil? + @filter_prefix = nil else - @vault_filter = @config[:vault_filter] + @filter_prefix = @config[:filter_prefix] + end + if @config[:filter_mode].nil? + @filter_mode = 0 + else + @filter_mode = @config[:filter_mode] end end @@ -52,9 +57,12 @@ def initialize() def lookup(key, scope, order_override, resolution_type) return nil if @vault.nil? - if not @config[:vault_filter].nil? - filter = @config[:vault_filter] + if not @config[:filter_prefix].nil? + filter = @config[:filter_prefix] return nil if not (key[/^#{filter}/]) + if @config[:filter_mode] > 0 + key = key.sub(/^#{filter}/, '') + end end Hiera.debug("[hiera-vault] Looking up #{key} in vault backend")
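Review bot: `@config[:filter_mode] > 0` in the lookup hunk raises NoMethodError when `:filter_prefix` is set and `:filter_mode` is left out. The comparison reads the raw config value (nil) rather than the `@filter_mode` default of 0 that the initialize hunk sets, although the README text in 3/4 documents unset as equivalent to `0`. A quoted YAML value such as `'1'` would fail the comparison as well. `if @config[:filter_mode].to_i > 0` covers both cases. lookup's body continues outside the hunk.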