Salt minion didn't decrypt GPG encrypted pillar when using SaltClass #54145
Comments
Here is a workaround I use (it is slower than decrypting individual keys, but at least it works):
https://docs.saltstack.com/en/latest/ref/pillar/all/salt.pillar.gpg.html#module-salt.pillar.gpg
/cc @a-a-abramov Possible feature idea for SaltClass
@max-arnold, Thanks a lot for the tip!
Hi @dmurphy18 With such ext_pillar configuration GPG pillar didn't decrypt:
With this configuration all works fine:
Salt version:
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
Bump
Thank you for updating this issue. It is no longer marked as stale.
@pavel-z1 Is this still an issue with Salt 2019.2.2?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
Hi @dmurphy18, I've checked with latest version:
Without "- gpg:" in ext_pillar GPG still doesn't work.
Thank you for updating this issue. It is no longer marked as stale.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
Issue is actual.
Thank you for updating this issue. It is no longer marked as stale.
This is still an issue; is there no update from Salt? This seems rather lax. I have replicated my setup on an Ubuntu dev environment which comes with a later version of gpg (gpg (GnuPG) 2.2.4). Using the "--full-generate-key" option, you can add the /home/dir option which then - I haven't had the time to fully explore why, yet - seems to allow for pillar to decrypt the data. Again, though, this only appears to be available with Ubuntu.
@pavel-z1 The main problem is related to not using ext_pillar in order to get saltclass rendered, as documented in https://docs.saltproject.io/en/latest/ref/pillar/all/salt.pillar.saltclass.html#saltclass-pillar-module. Taking your example of pass.sls but with the gpg issues removed and crypted_secret a text string 'dog'.
With #|jinja|yaml|gpg, rendering is
The SaltClass code has functions for render_yaml and render_jinja but none for render_gpg, presuming the need for gpg from Salt. SaltClass is part of the current process of moving some modules into salt.extensions, and investigating the porting of the PR into the code after that process, with a lot of additional tests (pytest), the above issue with pillar.get will be investigated. But as others have pointed out in the comments and documented, use ext_pillar. If this explanation is satisfactory, please consider closing this issue, unless there is some other point to raise.
Closing this since working as expected. Please re-open if there is other information to consider or the explanation is unsatisfactory.
Description of Issue
I have installed Salt with enabled SaltClass module.
Salt minion didn't decrypt GPG encrypted pillar.
Setup
Configured parameter in /etc/salt/master.d/f_defaults.conf
Configured Node Yaml file /srv/salt/saltclass/nodes/server1.yml:
Content of file /srv/salt/saltclass/classes/roles/pass.yml:
Steps to Reproduce Issue
salt server1 pillar.get settings:crypted_secret
server1:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Versions Report
Salt Master version:
Salt minion version:
salt-call --versions-report
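One way to check for the symptom reported in this issue across minions, as an added example that is not part of the original thread or of Salt itself: the script walks rendered pillar data and lists every key path whose value is still PGP armor instead of plaintext. The function names, the input shape (a dict of minion id to pillar data) and the sample values are assumptions constructed for illustration.

```python
"""Flag pillar values that reached the minion still GPG-encrypted."""

PGP_HEADER = "-----BEGIN PGP MESSAGE-----"


def find_undecrypted(data, path=()):
    """Yield colon-separated key paths whose value still contains PGP armor."""
    if isinstance(data, dict):
        for key, value in data.items():
            yield from find_undecrypted(value, path + (str(key),))
    elif isinstance(data, (list, tuple)):
        for index, value in enumerate(data):
            yield from find_undecrypted(value, path + (str(index),))
    elif isinstance(data, str) and PGP_HEADER in data:
        # The renderer chain never decrypted this value.
        yield ":".join(path)


def audit_minions(pillar_by_minion):
    """Return {minion_id: [paths left as ciphertext]} for affected minions."""
    report = {}
    for minion, pillar in pillar_by_minion.items():
        hits = sorted(find_undecrypted(pillar))
        if hits:
            report[minion] = hits
    return report


# Constructed sample: assumed shape is minion id -> pillar dict.
# server1 mirrors the output shown in this issue (armor body is a placeholder);
# server2 shows a pillar where decryption worked.
SAMPLE = {
    "server1": {
        "settings": {
            "crypted_secret": PGP_HEADER
            + "\nVersion: GnuPG v2.0.22 (GNU/Linux)\n\n<placeholder armor body>\n"
            + "-----END PGP MESSAGE-----\n",
            "plain_value": "ok",
        }
    },
    "server2": {"settings": {"crypted_secret": "dog"}},
}

if __name__ == "__main__":
    for minion, paths in audit_minions(SAMPLE).items():
        for p in paths:
            print(f"{minion}: pillar key {p} is still encrypted")
```

Any path it reports is a secret that was delivered as ciphertext, which in this thread points to the gpg step missing from the master's pillar configuration.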