Bug #16166: move secrets from nodes.pp to hiera

Bug #16166

move secrets from nodes.pp to hiera

Added by groente 2018-11-28 14:13:32 . Updated 2018-11-29 12:03:20 .

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Infrastructure

Target version:

Tails_3.11

Start date:

2018-11-28

Due date:

% Done:

100%

Feature Branch:

puppet-lizard-manifests:bugfix/16166-move-secrets-to-hiera

Type of work:

Sysadmin

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

Subtasks

History

#1 Updated by groente 2018-11-28 14:22:02

Assignee changed from groente to intrigeri
% Done changed from 0 to 20
QA Check set to Ready for QA
Feature Branch set to puppet-lizard-manifests:bugfix/16166-move-secrets-to-hiera

#2 Updated by intrigeri 2018-11-29 10:40:22

Assignee changed from intrigeri to groente
QA Check changed from Ready for QA to Dev Needed

Pushed a clean up commit.

Are you sure that ::bitcoind::rpcpassword will be picked up from hiera while querying bitcoind::rpcpassword? I think that the :: prefix only makes sense in Puppet code to disambiguate things, but I doubt it will be queried in hiera this way. I’ve tried locally with hiera -d -c hiera-debug.yaml bitcoind::rpcpassword ::fqdn=bitcoin.lizard and hiera -d -c hiera-debug.yaml ::bitcoind::rpcpassword ::fqdn=bitcoin.lizard, both of them return nil. I use this:

$ cat hiera-debug.yaml 
---
:backends:
- yaml
:yaml:
:datadir: ./hieradata
:hierarchy:
- "node/%{::fqdn}"
- "domain/%{::domain}"
- common

If I remove the :: prefix in ::bitcoind::rpcpassword then the former test command works as intended.

Finally, I am wary of passing some parameters explicitly via class { 'xyz': param1 => bla } while some other parameters are automatically retrieved from Hiera: maybe that’s only me, but class { 'xyz': param1 => bla } suggests to me that any parameter not set there will have the default value set in the class. So generally, when moving params to Hiera for a class, I prefer to move them all and then switch the declaration to include class.

#3 Updated by groente 2018-11-29 10:50:42

Assignee changed from groente to intrigeri
QA Check changed from Dev Needed to Ready for QA

thanks for the review! made some changes based on your comments.

#4 Updated by intrigeri 2018-11-29 10:54:44

Assignee changed from intrigeri to groente
QA Check changed from Ready for QA to Dev Needed

> made some changes based on your comments.

Yes, that’s the idea! Now apply it to tails::tester::support::{ssh,sftp} as well?

#5 Updated by groente 2018-11-29 11:30:18

Assignee changed from groente to intrigeri
QA Check changed from Dev Needed to Ready for QA

derp. done!

#6 Updated by intrigeri 2018-11-29 12:03:20

Status changed from In Progress to Resolved
Assignee deleted (~~intrigeri~~)
Target version set to Tails_3.11
% Done changed from 20 to 100
QA Check changed from Ready for QA to Pass

Deployed, run Puppet agent on the 2 affected nodes, no change; I’ve tried manually modifying a file managed by this code, run Puppet agent again, and the file was reset to its intended state.