diff --git a/specs/public_hiera.rst b/specs/public_hiera.rst new file mode 100644 index 0000000..d04f2d1 --- /dev/null +++ b/specs/public_hiera.rst @@ -0,0 +1,103 @@ +:: + + Copyright (c) 2014 Spencer Krum + for Hewlett-Packard Development Company, L.P. + This work is licensed under a Creative Commons Attribution 3.0 + Unported License. + http://creativecommons.org/licenses/by/3.0/legalcode + +====================== +Public Hiera directory +====================== + +This is a specification for creating a new public directory embeded in the +openstack-infra/config project to hold public hiera data. + +Problem description +=================== + +Puppet code in openstack-infra/config, referred to hereafter as config, +currently uses the hiera data backend. The advantage to using hiera in a puppet +environment is to separate the presentation of data from the function of code. +An obvious consequence of this is that the secret data can be put into hiera +and hidden, making the puppet code sanitized for public viewing. This is +exactly what has happened with config. + +The disadvantage to the current system is that non-secret data is currently +very awkwardly managed. There are some instances, where non-secret data is +pushed into the secret hiera. We also have instances, such as the long list +of jenkins plugins, where the data is embedded into the Puppet code. We also +have variables set at top scope, such as elasticsearch_nodes, that can be +moved into hiera. This also makes use of hiera limited to core contributors. + +Proposed change +=============== + +The proposed solution is to create a second hiera directory, embedded into +the config git repository, for public data to live in. Hiera will have to be +reconfigured to work with both directories, preferring the secure +directory. This should make consuming openstackci as a downstream easier. +Since variables set in this hiera directory can be used or overridden as +necessary. + +Alternatives +------------ + +Status quo. +Create a 1:1 copy of the secret hiera git repository containing only fake +data. + +Implementation +============== + +Assignee(s) +----------- + +Primary assignee: + Spencer Krum (nibalizer) + + +Work Items +---------- + +* Move the puppet working dir out of /opt into /etc + + This is required because the hiera yaml backend doesn't really + support multiple data dirs. We can hack it by setting the + hiera data dir to be a common superior directory of both dirs. + We don't want to use / so we will use /etc/puppet and move + the puppet working dir out of /opt into /etc/puppet. + +* Configure a second data directory in the infra/config git repo +* Set hiera.yaml appropriately to source both dirs in order + + Puppet will do this by managing the config file. + +* Symlink /etc/hiera.yaml to /etc/puppet/hiera.yaml + + This ensures that the hiera lookups performed by Puppet and + the hiera lookups performed by the 'hiera' command line tool + use the same configuration. + +* Seed with data + + +Repositories +------------ + +No new repositories + +Servers +------- + +No new servers + +DNS Entries +----------- + +No DNS changes + +Dependencies +============ + +None