This message was deleted.
# puppet
s
This message was deleted.
b
That should work, but I have not had a chance to validate it. Is
$vmagent_args
a Sensitive type?
and what module version?
n
This is almost certainly related to that bug I filed.
b
ooooooo
n
The preprocess-deferred option, which is on by default now, breaks file's
content
when it's a Deferred and Sensitive value.
I worked around it by deferring the
unwrap
then re-wrapping in Sensitive. I think there's a bug in how the file type handles checksuming... but not sure. I haven't tracked it down.
b
@natemccurdy++
d
natemccurdy is on the rise! (Karma: 11)
b
I will have to noodle on it, but not sure that's a thing I could reasonably handle in the module.
c
module version is 2.0.0 and yes
$vmagent_args
is
Sensitive
.
b
what happens with
Copy code
content => $vmagent_args.unwrap.node_encrypt::secret
that should work and I think that it will still be omitted from logs.
c
I lied. It is not
$vmagent_args
which is
Sensitive
. It was actually
$sensitive_password
which is
Sensitive
. Usage was as below:
Copy code
$vmagent_args = @("EOT")
    # Set the command-line arguments to pass to the server.
    ARGS="-promscrape.config=/opt/victoriametrics/conf/prometheus-scrape.yaml \
-remoteWrite.basicAuth.password=${sensitive_password.unwrap} \
      -remoteWrite.tmpDataPath=/opt/victoriametrics/tmp-data
    |EOT
So, I'm not too sure about using another
.unwrap
call. But will try it and report back.
Pragmatic fix would be to use
--preprocess_deferred
for now. Does that need to go in the agent
puppet.conf
or on the puppetserver side, or both?
And the default value should be fixed in the docs: https://www.puppet.com/docs/puppet/8/configuration.html#preprocess-deferred
b
it's an agent side setting. I don't believe that it changes the catalog.
✔️ 1
c
For now, I pushed
preprocess_deferred: true
in
puppet.conf
to all the agents (nodes). Issue should fix itself within 2 successive runs.
j
Does the issue only crop up when passing a
Sensitive
to the
content
parameter of a
file
resource?
n
@josh Checkout https://tickets.puppetlabs.com/browse/PUP-11846?focusedCommentId=887906&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-887906
Copy code
# This works.
#$secret = new(Sensitive, "hello world\n")
 
# This works.
#$secret = Deferred('new', [String, "hello world\n"])
 
# This does not work.
$secret = Deferred('new', [Sensitive, "hello world\n"])
 
file { '/tmp/test.txt':
  ensure  => 'file',
  content => $secret,
}
I've only noticed this problem with the
file
resource and its
content
parameter.
And only when using a Deferred Sensitive value combined with
--no-preprocess_deferred
.