Our site is migrating from puppet6 to puppet8, and we've encountered an issue with storing binary data in hiera.
The original (binary) data file was encrypted with eyaml:
$ eyaml encrypt -f binary.data > binary.data.eyaml
and the resulted eyaml file was included in a Hiera yaml file as:
test::func::data: >
ENC[PKCS7,.....
...]
When using this code:
test::func{ 'hello':
data => lookup('binary::data')
}
with:
define test::func(
Binary $data
) {
}
results in an error:
Test::Func[hello]: parameter 'data' expects a Binary value, got String
however using type "String" (which works on puppet6)
define test::func(
String $data
) {
}
results in:
Error: Could not retrieve catalog from remote server: Error 500 on
SERVER: Server Error: Failed to serialize Puppet::Resource::Catalog
for 'puppetserver': Could not render to
Puppet::Network::Format[rich_data_json]: source sequence is
illegal/malformed utf-8
This is a behavior change moving from 6 to 8.
Any suggestions as to how to get around this issue?
The YAML hiera backend only supports basic types, and Binary type value is created with a base64 encoded string.
Based on your use case, in the "common" control-repo hiera file add the following to ensure the lookup value is returned as Binary:
Then base64 encode the binary data and encrypt it:
The output should look something like:
Copy and paste one of those into your hiera yaml file.
Note: if you interpolate a Binary variable's value in puppet code as a string, it will return the base64 value (e.g.
notify { "${binary_var}": }
)