This hiera backend replaces the default yaml backend, but will resend queries to other hiera backends based on the value returned by the yaml files.
When hiera-router gets a string matching backend[otherbackendname], it will resend the same query to otherbackendname.
Documentation has to be expanded a lot, but the gist is here.
Big caveat: you can use every class of backend only once (so only one hiera-vault, one hiera-http, etc). We have a plan for this, but this has not yet been implemented.
Note the necessary backend configuration key vaultconf, defined within the vault backend definition above it. The provided examples here for hiera.yaml throw an unexpected key error.
For an implementation defaulting to a yaml backend and optionally deferring to vault, this works:
---
:backends:
  - router
:router:
  :datadir: "./hieradata/"
  :backends:
    :vault:
      :backend_class: vault
      :backend_key: vaultconf
:vaultconf:
  :addr: "http://<VAULT ADDRESS>"
  # Other Vault config
  # :token: "<TOKEN>"
  # :default_field: "<FIELD>"
  # :default_field_behavior: "<FIELD BEHAVIOUR>"
  :mounts:
    :generic:
      - "hiera"
:hierarchy:
  - level1
  - level2
:merge_behavior: deeper
I now support hiera v5 with v0.3.0; this meant I had to make some deep changes, and I chose to make a breaking change in the configuration. This makes it a bit more flexible at the same time.
Basically, replace the following style:
:router:
  :backends:
    - vault
  :vault:
    :backend_class: mock
With this one:
:router:
  :backends:
    :vault:
      :backend_class: mock
vault and mock are two hiera backends, and in the example I tell the router to use the mock backend instead of the real vault one, e.g. for integration testing purposes.
If you want the configuration used for the mock backend not to come from the mock top level key, you can specify backend_key too, e.g.:
:router:
  :backends:
    :vault:
      :backend_class: mock
      :backend_key: othermock
:vault:
  :ssl_verify: false
  :addr: https://active.vault.service.svcd:8200
  :mounts:
    :generic:
      - secret/puppet
:mock:
  :datafile: ./test.yaml
:othermock:
  :datafile: ./othertest.yaml
Content of ./hiera.yaml:
:backends:
  - router
:logger: console
:hierarchy:
  - level1
  - level2
:router:
  :datadir: ./hieradata/
  :backends:
    :vault:
      :backend_class: mock
:mock:
  :datafile: ./test.yaml
:vault:
  :ssl_verify: false
  :addr: https://active.vault.service.svcd:8200
  :mounts:
    :generic:
      - secret/puppet
Content of ./hieradata/level1.yaml:
mykey: backend[vault]
mykey2: backend[vault]
Content of ./hieradata/level2.yaml:
mykey:
  hiera-value: 25
  other-hiera-value: xyz
mykey2: some_value
And a vault server setup so that mytoken has read access to secret/puppet, and contains a key secret/puppet/level1/mykey with values:
vault-value: a
other-vault-value: 2
This example finds the 'look in vault' value in level1.yaml, tries to look in vault, returns empty-handed and thus looks further in the yaml tree and finds some_value in level2.yaml:
$ hiera -c hiera.yaml mykey2
some_value
Request a string, so no merging will happen. First value found is 'look in vault', which has a value for this key:
$ hiera -c hiera.yaml mykey
{"vault-value"=>"a", "other-vault-value"=>"2"}
Request a hash, so merging will happen. First value found is 'look in vault', which has a value for this key. Another set of values is found in level2.yaml, which are added:
$ hiera -c hiera.yaml -h mykey # Request a hash, so merging will happen
{"hiera-value"=>25, "other-hiera-value"=>"xyz", "vault-value"=>"a", "other-vault-value"=>"2"}
In Ruby code:
require 'hiera'
backend = Hiera.new(:config => 'hiera.yaml')
puts backend.lookup("mykey", "mydefault", {}, nil, :string).inspect
# result: {"vault-value"=>"a", "other-vault-value"=>"2"}
puts backend.lookup("mykey", "mydefault", {}, nil, :hash).inspect
# result: {"hiera-value"=>25, "other-hiera-value"=>"xyz", "vault-value"=>"a", "other-vault-value"=>"2"}
puts backend.lookup("mykey2", "mydefault", {}, nil, :string).inspect
# result: "some_value"
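The three lookups above can be reproduced with a small model of the routing behaviour. This is an added example, not hiera-router's own code: the in-memory LEVELS and VAULT data are constructed from the files shown above, and the names ROUTE, BACKENDS, resolve and lookup are hypothetical.

```ruby
# Simplified model of the routing described above; not hiera-router's code.
ROUTE = /\Abackend\[(\w+)\]\z/ # marker format from the README

# Constructed data mirroring level1.yaml and level2.yaml above.
LEVELS = {
  'level1' => { 'mykey' => 'backend[vault]', 'mykey2' => 'backend[vault]' },
  'level2' => { 'mykey' => { 'hiera-value' => 25, 'other-hiera-value' => 'xyz' },
                'mykey2' => 'some_value' }
}.freeze

# Constructed stand-in for the vault backend: path => secret fields.
VAULT = {
  'secret/puppet/level1/mykey' => { 'vault-value' => 'a', 'other-vault-value' => '2' }
}.freeze

# Hypothetical backend callables: (level, key) -> value, or nil on a miss.
BACKENDS = {
  'vault' => ->(level, key) { VAULT["secret/puppet/#{level}/#{key}"] }
}.freeze

# Resolve one level: follow a backend[...] marker, else return the YAML value.
def resolve(level, key)
  value = LEVELS.fetch(level)[key]
  m = value.is_a?(String) && ROUTE.match(value)
  return value unless m
  backend = BACKENDS[m[1]] or raise ArgumentError, "unknown backend #{m[1]}"
  backend.call(level, key)
end

# :string returns the first hit; :hash merges every level, with
# higher-priority levels winning on key conflicts.
def lookup(key, default, hierarchy, type)
  answer = nil
  hierarchy.each do |level|
    found = resolve(level, key)
    next if found.nil? # a backend miss falls through to the next level
    return found unless type == :hash
    raise TypeError, "#{level}/#{key} is not a hash" unless found.is_a?(Hash)
    answer = found.merge(answer || {})
  end
  answer.nil? ? default : answer
end
```

The mykey2 case is a silent fallthrough: a miss in the routed backend is not an error, so a value left in a lower-level YAML file is returned instead.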