Version information
This version is compatible with:
- , ,
Start using this module
Add this module to your Puppetfile:
mod 'crayfishx-hiera_http', '3.4.0'Learn more about managing modules with a PuppetfileDocumentation
hiera_http : a HTTP data provider function (backend) for Hiera 5
Description
This is a back end function for Hiera 5 that allows lookup to be sourced from HTTP queries. The intent is to make this backend adaptable to allow you to query any data stored in systems with a RESTful API such as CouchDB or even a custom store with a web front-end
Compatibility
- The 3.x series of hiera-http is only compatible with Hiera 5, that ships with Puppet 4.9+
- Users looking for older implementations for Hiera 1,2 and 3 should use hiera-http 2.x
- hiera-http 3 ships within the crayfishx/hiera_http
- hiera-http 2 (legacy) ships as a Rubygem "hiera-http"
Requirements
The lookup_http gem must be installed and loadable from Puppet
# /opt/puppetlabs/puppet/bin/gem install lookup_http
# puppetserver gem install lookup_http
Installation
The data provider is available by installing the crayfishx/hiera_http module into your environment.
# puppet module install crayfishx/hiera_http
Configuration
See The official Puppet documentation for more details on configuring Hiera 5.
The following is an example Hiera 5 hiera.yaml configuration for use with hiera-http
---
version: 5
hierarchy:
- name: "Hiera-HTTP lookup"
lookup_key: hiera_http
uris:
- http://localhost:5984/host/%{trusted.certname}
- http://localhost:5984/dc/%{facts.location}
- http://localhost:5984/role/%{facts.role}
options:
output: json
ignore_404: true
The following mandatory Hiera 5 options must be set for each level of the hierarchy.
name: A human readable name for the lookup
lookup_key: This option must be set to hiera_http
uris or uri: An array of URI's passed to uris or a single URI passed to uri. This option supports interpolating special tags, see below.
The following are optional configuration parameters supported in the options hash of the Hiera 5 config
Lookup options
output: : Specify what handler to use for the output of the request. Currently supported outputs are plain, which will just return the whole document, or YAML and JSON which parse the data and try to look up the key
http_connect_timeout: : Timeout in seconds for the HTTP connect (default 10)
http_read_timeout: : Timeout in seconds for waiting for a HTTP response (default 10)
confine_to_keys: : Only use this backend if the key matches one of the regexes in the array
confine_to_keys:
- "application.*"
- "apache::.*"
failure: : When set to graceful will stop hiera-http from throwing an exception in the event of a connection error, timeout or invalid HTTP response and move on. Without this option set hiera-http will throw an exception in such circumstances
ignore_404: : If failure is not set to graceful then any error code received from the HTTP response will throw an exception. This option makes 404 responses exempt from exceptions. This is useful if you expect to get 404's for data items not in a certain part of the hierarchy and need to fall back to the next level in the hierarchy, but you still want to bomb out on other errors.
dig: : (true or false) When the output is parsed YAML or JSON, whether or not to dig into the hash and return the value defined by the dig_key option below. This option defaults to true
dig_key : When the dig option is true (default), this option specifies what key is looked up from the results hash returned by the HTTP endpoint. See Digging values below for more information
HTTP options
use_ssl:: When set to true, enable SSL (default: false)
ssl_ca_cert: Specify a CA cert for use with SSL
ssl_cert: Specify location of SSL certificate
ssl_key: Specify location of SSL key
ssl_verify: Specify whether to verify SSL certificates (default: true)
use_auth:: When set to true, enable basic auth (default: false)
auth_user:: The user for basic auth
auth_pass:: The password for basic auth
headers:: Hash of headers to send in the request
Interpolating special tags
Previous versions of this backed allowed the use of variables such as %{key} and %{calling_module} to be used in the URL, this has changed with Hiera 5. To allow for similar behaviour you can use a number of tags surrounded by __ to interpolate special variables derived from the key into the uri or uris option in hiera.yaml. Currently you can interpolate __KEY__, __MODULE__, __CLASS__ and __PARAMETER__, these tags are derived from parsing the original lookup key.
In the case of a lookup key matching foo::bar::tango the following tags are available;
__KEY__: The original lookup key unchanched;foo::bar::tango__MODULE__: The first part of the lookup key;foo__CLASS__: All but the last parts of the lookup key;foo::bar__PARAMETER__: The last part of they key representing the class parameter;tango
Example using this backend to interact with the Puppet Enterprise Jenkins Pipeline plugin
---
version: 5
defaults:
datadir: hieradata
data_hash: yaml_data
hierarchy:
- name: 'Jenkins data source'
lookup_key: hiera_http
uris:
- "http://jenkins.example.com:8080/hiera/lookup?scope=%{trusted.certname}&key=__KEY__"
- "http://jenkins.example.com:8080/hiera/lookup?scope=%{environment}&key=__KEY__"
options:
output: json
failure: graceful
Digging values
Hiera-HTTP supports options to automatically dig into the returned data structure to find a corresponding key. Puppet lookup itself supports similar dig functionality but being able to specify it at the backend means that where an API wraps the required data up in a different way, we can always lookup the desired value before passing it to Puppet to ensure that class parameter lookups work without having to hard code the lookup function and dig down into the data for each request. The dig functionality in Puppet is intended to enable you to parse your data more effectivly, the dig functionality in hiera-http is intended to make the API of the endpoint you are talking to compatible.
By default, when a hash is returned by the HTTP endpoint (eg: JSON) then hiera-http will attempt to lookup the key corresponding with the lookup key. For example, when looking up a key apache::port we would expect the HTTP endpoint to return something like;
{
"apache::port": 80
}
Returned value would be 80
Depending on what HTTP endpoint we are hitting, the returned output may contain other data with the key that we want to look up nested below it. This behaviour can be overriden by using the options dig and dig_key.
The dig_key option can be used to change the key that is looked up, it also supports a dot-notation for digging values in nested hashes. Special tags can also be used in the dig_key option. Consider the following example output from our HTTP endpoint;
{
"document": {
"settings": {
"apache::port": 80
}
}
}
In this scenario we wouldn't be able to use class parameter lookups out-of-the-box, even if we just returned the whole structure, because we always need to drill down into document.settings to get the correct value, so In order to map the lookup to find the correct value, we can interpolate the KEY tag into lookup_key and tell hiera-http to always dig into the hash with the following option;
options:
dig_key: document.settings.__KEY__
A more complicated example;
{
"document": {
"settings": {
"apache": {
"port": 80
}
}
}
}
Can be looked up with;
options:
dig_key: document.settings.__MODULE__.__PARAMETER__
In both examples, the returned value to Puppet will be 80
Returning the entire data structure
The dig option can be used to disable digging altogether and the entire data hash will be returned with no attempt to resolve a key
Author
- Craig Dunn craig@craigdunn.org
- @crayfishX
- IRC (freenode) crayfishx
- http://www.craigdunn.org
3.4.0
- Enhancement: Backend now utilizes Hiera's context.interpolate function to add interpolation of values in results.
3.3.2
- Bugfix: nil values returned from HTTP lookup caused exception when trying to dig into the hash - this behaviour has been corrected to return
:not_foundin this scenario. See comment on #66 (https://github.com/crayfishx/hiera-http/pull/69)
3.3.1 (3.3.0 pulled due to forge package error)
-
Feature: New parameters
diganddig_valuegive greater control over dealing with APIs that return data in different formats by allowing hiera-http to dig down into the returned data hash to find the corresponding key. Read more about this feature in the documentation (https://github.com/crayfishx/hiera-http/pull/66) -
Enhnacement: Hiera-HTTP can now distinguish between a nil value and an undefined value. If a hash contains the key for the lookup with no data, this is assumed to be a key set to nil and is returned to Hiera as nil. Where there is no key found this is assumed to be undefined and the
context.not_found()method of Hiera is called. This allows data to contain keys explicitly set to nil. -
Enhancement: Better caching of the lookuphttp object in between requests.
3.2.0
- Feature: Added the tags
__MODULE__,__PARAMETER__and__CLASS__for URL interpolation - Bugfix: lookup_http was still being called even when Hiera had a cached value for the lookup path
3.1.0
-
Fix: Hiera 5 no longer allows us to pass
%{key}through from the configuration to be interpolated by the backend, as was documented examples for hiera-http 2.x - to get around this issue the keyword__KEY__can be used in URI paths to interpolate the key into the URL (https://github.com/crayfishx/hiera-http/pull/53) -
Fix: URI Escaping of paths with parameters (&foo=bar) caused the parameters to be dropped (https://github.com/crayfishx/hiera-http/pull/53) this has now been fixed.
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2014 Craig Dunn <craig@craigdunn.org>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.