Bug #16166

move secrets from nodes.pp to hiera

Added by groente 2018-11-28 14:13:32. Updated 2018-11-29 12:03:20.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Infrastructure
Target version:
Start date:
2018-11-28
Due date:
% Done:

100%

Feature Branch:
puppet-lizard-manifests:bugfix/16166-move-secrets-to-hiera
Type of work:
Sysadmin
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description


Subtasks


History

#1 Updated by groente 2018-11-28 14:22:02

  • Assignee changed from groente to intrigeri
  • % Done changed from 0 to 20
  • QA Check set to Ready for QA
  • Feature Branch set to puppet-lizard-manifests:bugfix/16166-move-secrets-to-hiera

#2 Updated by intrigeri 2018-11-29 10:40:22

  • Assignee changed from intrigeri to groente
  • QA Check changed from Ready for QA to Dev Needed

Pushed a clean up commit.

Are you sure that ::bitcoind::rpcpassword will be picked up from hiera while querying bitcoind::rpcpassword? I think that the :: prefix only makes sense in Puppet code to disambiguate things, but I doubt it will be queried in hiera this way. I’ve tried locally with hiera -d -c hiera-debug.yaml bitcoind::rpcpassword ::fqdn=bitcoin.lizard and hiera -d -c hiera-debug.yaml ::bitcoind::rpcpassword ::fqdn=bitcoin.lizard, both of them return nil. I use this:

$ cat hiera-debug.yaml
---
:backends:
  - yaml
:yaml:
  :datadir: ./hieradata
:hierarchy:
  - "node/%{::fqdn}"
  - "domain/%{::domain}"
  - common

If I remove the :: prefix in ::bitcoind::rpcpassword then the former test command works as intended.

Finally, I am wary of passing some parameters explicitly via class { 'xyz': param1 => bla } while some other parameters are automatically retrieved from Hiera: maybe that’s only me, but class { 'xyz': param1 => bla } suggests to me that any parameter not set there will have the default value set in the class. So generally, when moving params to Hiera for a class, I prefer to move them all and then switch the declaration to include class.
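
Added example (not part of the ticket or of the Tails Puppet code): a Ruby check for the key-naming problem raised in the review above, where a secret stored under ::bitcoind::rpcpassword is not found when bitcoind::rpcpassword is looked up. The lookup is a simplified first-match model, not Hiera's own code, and the data, the rpcuser key and both values are constructed placeholders.

```ruby
require 'yaml'

# Constructed hieradata, most specific level first (node file, then common).
BAD_NODE  = "---\n::bitcoind::rpcpassword: PLACEHOLDER-SECRET\n"
GOOD_NODE = "---\nbitcoind::rpcpassword: PLACEHOLDER-SECRET\n"
COMMON    = "---\nbitcoind::rpcuser: example-user\n"

# Parse one hieradata document. Symbol is permitted because Ruby's YAML
# loader turns a plain scalar that starts with ':' into a Symbol, which is
# also why the keys in hiera-debug.yaml are written as :backends: etc.
def load_level(text)
  YAML.safe_load(text, permitted_classes: [Symbol]) || {}
end

# Simplified first-match lookup: return the value from the first level that
# has `key` as a String key, or nil when no level has it.
def lookup(levels, key)
  levels.each do |text|
    data = load_level(text)
    return data[key] if data.key?(key)
  end
  nil
end

# Lint: report top-level keys that were parsed as Symbols or start with ':'.
# A lookup of 'class::param' never matches them, so the secret is silently
# not applied. Each finding carries the key name that would match.
def misprefixed_keys(text)
  load_level(text).keys
                  .select { |k| k.is_a?(Symbol) || k.to_s.start_with?(':') }
                  .map { |k| { found: k.inspect, suggest: k.to_s.sub(/\A:+/, '') } }
end

if __FILE__ == $PROGRAM_NAME
  { 'prefixed key' => BAD_NODE, 'plain key' => GOOD_NODE }.each do |label, node|
    value = lookup([node, COMMON], 'bitcoind::rpcpassword')
    puts "#{label}: lookup=#{value.inspect} findings=#{misprefixed_keys(node)}"
  end
end
```

Running the lint over every file under hieradata/ before deploying catches a secret that would otherwise never reach the class parameter.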

#3 Updated by groente 2018-11-29 10:50:42

  • Assignee changed from groente to intrigeri
  • QA Check changed from Dev Needed to Ready for QA

thanks for the review! made some changes based on your comments.

#4 Updated by intrigeri 2018-11-29 10:54:44

  • Assignee changed from intrigeri to groente
  • QA Check changed from Ready for QA to Dev Needed

> made some changes based on your comments.

Yes, that’s the idea! Now apply it to tails::tester::support::{ssh,sftp} as well?

#5 Updated by groente 2018-11-29 11:30:18

  • Assignee changed from groente to intrigeri
  • QA Check changed from Dev Needed to Ready for QA

derp. done!

#6 Updated by intrigeri 2018-11-29 12:03:20

  • Status changed from In Progress to Resolved
  • Assignee deleted (intrigeri)
  • Target version set to Tails_3.11
  • % Done changed from 20 to 100
  • QA Check changed from Ready for QA to Pass

Deployed, ran Puppet agent on the 2 affected nodes, no change; I’ve tried manually modifying a file managed by this code, ran Puppet agent again, and the file was reset to its intended state.