103 lines
2.8 KiB
ReStructuredText
103 lines
2.8 KiB
ReStructuredText
::
|
|
|
|
Copyright (c) 2014 Hewlett-Packard Development Company, L.P.
|
|
This work is licensed under a Creative Commons Attribution 3.0
|
|
Unported License.
|
|
http://creativecommons.org/licenses/by/3.0/legalcode
|
|
|
|
======================
|
|
Public Hiera directory
|
|
======================
|
|
|
|
This is a specification for creating a new public directory embeded in the
|
|
openstack-infra/config project to hold public hiera data.
|
|
|
|
Problem description
|
|
===================
|
|
|
|
Puppet code in openstack-infra/config, referred to hereafter as config,
|
|
currently uses the hiera data backend. The advantage to using hiera in a puppet
|
|
environment is to separate the presentation of data from the function of code.
|
|
An obvious consequence of this is that the secret data can be put into hiera
|
|
and hidden, making the puppet code sanitized for public viewing. This is
|
|
exactly what has happened with config.
|
|
|
|
The disadvantage to the current system is that non-secret data is currently
|
|
very awkwardly managed. There are some instances, where non-secret data is
|
|
pushed into the secret hiera. We also have instances, such as the long list
|
|
of jenkins plugins, where the data is embedded into the Puppet code. We also
|
|
have variables set at top scope, such as elasticsearch_nodes, that can be
|
|
moved into hiera. This also makes use of hiera limited to core contributors.
|
|
|
|
Proposed change
|
|
===============
|
|
|
|
The proposed solution is to create a second hiera directory, embedded into
|
|
the config git repository, for public data to live in. Hiera will have to be
|
|
reconfigured to work with both directories, preferring the secure
|
|
directory. This should make consuming openstackci as a downstream easier.
|
|
Since variables set in this hiera directory can be used or overridden as
|
|
necessary.
|
|
|
|
Alternatives
|
|
------------
|
|
|
|
Status quo.
|
|
Create a 1:1 copy of the secret hiera git repository containing only fake
|
|
data.
|
|
|
|
Implementation
|
|
==============
|
|
|
|
Assignee(s)
|
|
-----------
|
|
|
|
Primary assignee:
|
|
Spencer Krum (nibalizer)
|
|
|
|
|
|
Work Items
|
|
----------
|
|
|
|
* Move the puppet working dir out of /opt into /etc
|
|
|
|
This is required because the hiera yaml backend doesn't really
|
|
support multiple data dirs. We can hack it by setting the
|
|
hiera data dir to be a common superior directory of both dirs.
|
|
We don't want to use / so we will use /etc/puppet and move
|
|
the puppet working dir out of /opt into /etc/puppet.
|
|
|
|
* Configure a second data directory in the infra/config git repo
|
|
* Set hiera.yaml appropriately to source both dirs in order
|
|
|
|
Puppet will do this by managing the config file.
|
|
|
|
* Symlink /etc/hiera.yaml to /etc/puppet/hiera.yaml
|
|
|
|
This ensures that the hiera lookups performed by Puppet and
|
|
the hiera lookups performed by the 'hiera' command line tool
|
|
use the same configuration.
|
|
|
|
* Seed with data
|
|
|
|
|
|
Repositories
|
|
------------
|
|
|
|
No new repositories
|
|
|
|
Servers
|
|
-------
|
|
|
|
No new servers
|
|
|
|
DNS Entries
|
|
-----------
|
|
|
|
No DNS changes
|
|
|
|
Dependencies
|
|
============
|
|
|
|
None
|