On Sat, Nov 19, 2016 at 2:27 PM, Martijn <mart...@heemels.com> wrote:
> On Tuesday, October 18, 2016 at 21:50:37 UTC+2, Matt Zagrabelny wrote:
>>
>>
>> If you use an ENC, then you can return the role as a top scope
>> variable and your hiera configs can leverage those top scope
>> variables.
>>
>
>>
>> Let me know if you want the hiera configs.
>>
>> -m
>
>
> Hi Matt,
>
> That's interesting. What are you using for ENC?

Custom python script that uses a custom database to hold node names,
roles, and "production" vs "testing" status.

Since puppet has already claimed the "environment" noun for the
filesystem serving space, I use "context" as the variable name that
holds the "production" vs. "testing" status.

In hiera, we have the following hierarchy, which is repeated in the
hiera.yaml config further down.

1. Node specific hiera data is closest to the node.
2. Whatever role a node is has the next priority for hiera data.
3. The "context" (production vs. testing) is closer to the global
(common) hiera space - so context comes after role.
4. Lastly, the global (common) hiera lookup file.

The 3rd item on the list allows us to have a single place for
application/database passwords with different passwords for testing
and production systems without having to duplicate the password in
some.fqdn.node.yaml files.

Pretend that the following 2-D grid are nodes that have their
respective roles and contexts.

Context
        prod | test
role    app_0_server | app_0_server
role    db_0_server | db_0_server
role    app_1_server | app_1_server
role    db_1_server | db_1_server
role    .  |  .
role    .  |  .
role    .  |  .

Thus the production app_0_server and db_0_server can easily have a
shared password that is different from the testing app_0_server and
db_0_server due to the vertical slicing of the hierarchy.

> And I'd love to see your hiera configs, please.

% cat /etc/puppet/hiera.yaml
---
:backends:
    - yaml
:yaml:
    :datadir: /etc/puppet/hiera
:hierarchy:
    - "environments/%{::environment}/node/%{clientcert}"
    - "environments/%{::environment}/role/%{role}"
    - "environments/%{::environment}/context/%{context}"
    - "environments/%{::environment}/common"

-m
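
An added example, not part of the original message and not the author's script: a minimal Python ENC that returns role and context as top-scope parameters, plus a helper listing the files the hiera.yaml above would consult for a node. The node names, the in-memory NODES table (standing in for the custom database), and the certname pattern are assumptions.

```python
#!/usr/bin/env python3
"""Sketch of an ENC that returns role and context as top-scope parameters."""
import re
import sys

# Constructed stand-in for the custom node database described in the post.
NODES = {
    "app0.prod.example.com": {"role": "app_0_server", "context": "prod"},
    "db0.prod.example.com": {"role": "db_0_server", "context": "prod"},
    "app0.test.example.com": {"role": "app_0_server", "context": "test"},
}
# Assumed certname pattern. No slashes allowed: the certname ends up in a hiera path.
CERTNAME = re.compile(r"[a-z0-9][a-z0-9._-]*")


def classify(certname):
    """Return the ENC YAML document for a node, or None if unknown or malformed."""
    if not CERTNAME.fullmatch(certname) or certname not in NODES:
        return None
    node = NODES[certname]
    return ("---\n"
            "parameters:\n"
            f"  role: {node['role']}\n"
            f"  context: {node['context']}\n")


def hiera_paths(certname, environment="production"):
    """Files hiera consults, highest priority first, per the hiera.yaml in the post."""
    node = NODES[certname]
    base = f"environments/{environment}"
    return [f"{base}/node/{certname}.yaml",
            f"{base}/role/{node['role']}.yaml",
            f"{base}/context/{node['context']}.yaml",
            f"{base}/common.yaml"]


if __name__ == "__main__":
    doc = classify(sys.argv[1]) if len(sys.argv) == 2 else None
    if doc is None:
        sys.exit(1)  # non-zero exit makes catalog compilation fail for this node
    sys.stdout.write(doc)
```

The prod app and db nodes resolve to the same context/prod.yaml, so a password stored there is shared between them and never served to nodes whose context is test.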
