Merge "Multiple Data Dirs proposal"

specs/public_hiera.rst

@@ -0,0 +1,103 @@
+::
+
+  Copyright (c) 2014 Spencer Krum <spencer.krum@hp.com>
+  for Hewlett-Packard Development Company, L.P.
+  This work is licensed under a Creative Commons Attribution 3.0
+  Unported License.
+  http://creativecommons.org/licenses/by/3.0/legalcode
+
+======================
+Public Hiera directory
+======================
+
+This is a specification for creating a new public directory embeded in the
+openstack-infra/config project to hold public hiera data.
+
+Problem description
+===================
+
+Puppet code in openstack-infra/config, referred to hereafter as config,
+currently uses the hiera data backend. The advantage to using hiera in a puppet
+environment is to separate the presentation of data from the function of code.
+An obvious consequence of this is that the secret data can be put into hiera
+and hidden, making the puppet code sanitized for public viewing. This is
+exactly what has happened with config.
+
+The disadvantage to the current system is that non-secret data is currently
+very awkwardly managed. There are some instances, where non-secret data is
+pushed into the secret hiera. We also have instances, such as the long list
+of jenkins plugins, where the data is embedded into the Puppet code. We also
+have variables set at top scope, such as elasticsearch_nodes, that can be
+moved into hiera. This also makes use of hiera limited to core contributors.
+
+Proposed change
+===============
+
+The proposed solution is to create a second hiera directory, embedded into
+the config git repository, for public data to live in. Hiera will have to be
+reconfigured to work with both directories, preferring the secure
+directory. This should make consuming openstackci as a downstream easier.
+Since variables set in this hiera directory can be used or overridden as
+necessary.
+
+Alternatives
+------------
+
+Status quo.
+Create a 1:1 copy of the secret hiera git repository containing only fake
+data.
+
+Implementation
+==============
+
+Assignee(s)
+-----------
+
+Primary assignee:
+  Spencer Krum (nibalizer)
+
+
+Work Items
+----------
+
+* Move the puppet working dir out of /opt into /etc
+
+  This is required because the hiera yaml backend doesn't really
+  support multiple data dirs. We can hack it by setting the
+  hiera data dir to be a common superior directory of both dirs.
+  We don't want to use / so we will use /etc/puppet and move
+  the puppet working dir out of /opt into /etc/puppet.
+
+* Configure a second data directory in the infra/config git repo
+* Set hiera.yaml appropriately to source both dirs in order
+
+  Puppet will do this by managing the config file.
+
+* Symlink /etc/hiera.yaml to /etc/puppet/hiera.yaml
+
+  This ensures that the hiera lookups performed by Puppet and
+  the hiera lookups performed by the 'hiera' command line tool
+  use the same configuration.
+
+* Seed with data
+
+
+Repositories
+------------
+
+No new repositories
+
+Servers
+-------
+
+No new servers
+
+DNS Entries
+-----------
+
+No DNS changes
+
+Dependencies
+============
+
+None