I have run into the problem of mutually exclusive classes in the past and I 
have not found a great way to work it out.  Consider the module 
https://forge.puppet.com/wazuh/wazuh/readme which defines wazuh::agent and 
wazuh::manager.  The way the software is designed a node can be either an 
agent or a manager and the puppet module is set up similarly.

In short, all nodes must have the agent configured unless the node is a 
manager.

What is the best way to make the distinction?

*Background*

   - Using Puppet 6 OSS
   - Using a control repo
   - Using hiera
   - (Trying to) use roles/profiles methodology
   - Classification via manifests/site.pp

*In the role?*
node /^qqq/ { include role::qqq }
node /^wazuh-manager/ {include role::wazuh::manager }

class profile::wazuh::agent {}
class profile::wazuh::manager {}
# every role must explicitly include one or the other, we can't just put it
# in profile::base
class role::qqq            { include profile::wazuh::agent }
class role::zzz            { include profile::wazuh::agent }
class role::wazuh::manager { include profile::wazuh::manager }

This is the "proper" way I think, but it makes extra work.

*In hiera? (Configuration)*
# given a hierarchy:
#   - node/%{trusted.certname}.yaml
#   ...
#   - common.yaml

# nodes/wazuh-server.example.com.yaml
profile::wazuh::manager: true
profile::wazuh::manager::ossec_emailnotification: true
# ... more settings

# common.yaml
profile::wazuh::agent::wazuh_reporting_endpoint: wazuh-manager.example.com
# ... more settings

# site-modules/{profile,role}/manifests/*
class profile::base { include profile::wazuh }

class profile::wazuh (
  Boolean $manager = false
) {
  # managers get the manager profile, every other node gets the agent
  if $manager {
    include profile::wazuh::manager
  } else {
    include profile::wazuh::agent
  }
}

class profile::wazuh::agent {
  # do agent things
}
class profile::wazuh::manager {
  # do manager things
}
class role::wazuh::manager { include profile::wazuh::manager }

This way seems really readable to me and does not make a lot of extra 
work.  But I don't think it really fits w/ the idea that one node should 
have exactly one role.  In fact it doesn't really use roles at all and 
instead the "role" is replaced with configuration data in the profile.

*Thoughts?*

Have you had to decide how to implement this kind of thing before?  If so, 
how did you go about it?

Thanks,
-Alan
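
Whichever layout is chosen, the rule stated in the post (every node gets wazuh::agent unless it is a wazuh::manager) can be checked against compiled catalogs. The following is an added example, not part of the original message or the wazuh module; it assumes catalogs exported as JSON with a `name` field and a `resources` list whose class entries have type `Class`, and the node names are constructed.

```python
AGENT = "wazuh::agent"
MANAGER = "wazuh::manager"


def declared_classes(catalog):
    """Lower-cased titles of every Class resource in a compiled catalog."""
    return {
        res["title"].lower()
        for res in catalog.get("resources", [])
        if res.get("type") == "Class"
    }


def wazuh_state(catalog):
    """Return 'agent', 'manager', 'both' or 'neither' for one catalog."""
    classes = declared_classes(catalog)
    has_agent, has_manager = AGENT in classes, MANAGER in classes
    if has_agent and has_manager:
        return "both"
    if has_manager:
        return "manager"
    return "agent" if has_agent else "neither"


def audit(catalogs):
    """Map certname -> violation for nodes that break the exclusivity rule."""
    problems = {}
    for cat in catalogs:
        state = wazuh_state(cat)
        if state in ("both", "neither"):
            problems[cat["name"]] = state
    return problems


def _catalog(name, *class_titles):
    # Constructed minimal catalog: only the fields this check reads.
    return {"name": name,
            "resources": [{"type": "Class", "title": t} for t in class_titles]
                         + [{"type": "File", "title": "/etc/motd"}]}


# Constructed sample data (hypothetical nodes).
SAMPLE = [
    _catalog("qqq01.example.com", "Role::Qqq", "Wazuh::Agent"),
    _catalog("wazuh-manager.example.com", "Wazuh::Manager"),
    _catalog("zzz01.example.com", "Wazuh::Agent", "Wazuh::Manager"),
    _catalog("db01.example.com", "Profile::Base"),
]

if __name__ == "__main__":
    for node, problem in sorted(audit(SAMPLE).items()):
        print(f"{node}: wazuh classes = {problem}")
```

A node reported as `neither` has no Wazuh coverage at all, and `both` means the two mutually exclusive classes ended up in the same catalog.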
