Ask Your Question

How do you support multi tenant hiera data using an environments per tenant or something?

asked 2013-04-30 17:11:13 -0600

illsci gravatar image

So you can separate modules and manifests per environment like:

:yaml: :datadir: /etc/puppet/hieradata/%{::environment}/

But how can you do the same for the hierarchy?

:hierarchy: ... ...

How do I not make people have to use the same hierarchy from the same puppet master? I could easily setup a bunch of puppet masters but how do I do it on the same one per environment? Is this possible?

edit retag flag offensive close merge delete


Can you give an example of when this would be necessary?

Ancillas gravatar imageAncillas ( 2013-05-01 16:09:11 -0600 )edit

Imagine a bunch of teams who are responsible for different sets of servers managed by a single puppet master. I was thinking the groups could have their own puppet environments ...(more)

illsci gravatar imageillsci ( 2013-05-01 16:31:05 -0600 )edit

But the hierarchies are generally generic, and very flexible. Can you give a specific scenario where not being able to override the hierarchy would prevent someone from adding a config ...(more)

Ancillas gravatar imageAncillas ( 2013-05-01 16:50:53 -0600 )edit

3 Answers

Sort by ยป oldest newest most voted

answered 2013-05-05 04:41:50 -0600

Daenney gravatar image

updated 2013-05-05 04:46:33 -0600

We do this by splitting up stuff in business units but call them whatever you want:

- business_unit/%{business_unit}/node/%{hostname}
- global/node/%{hostname}
- global/users
- global/common

So on global/node/HOSTNAME the variable business_unit is defined which gets fetched in our site.pp, $business_unit = hiera('business_unit'). From there on out Hiera/Puppet will first search through business units and then go down to the global scope to find variables.

You can just add layers like so:

- business_unit/%{business_unit}/%{environment}/node/${hostname}

You can even make those business_unit submodules in git so people can't mess with stuff in ... (more)

edit flag offensive delete link more

answered 2013-05-01 03:16:28 -0600

Ancillas gravatar image

updated 2013-05-01 16:47:11 -0600

I use %{::environment} in my hierarchy, and then use prd-environment1.yaml, tst-environment2.yaml, etc... This way, access controls are granted by environment to the hiera file so that the right people can make changes to their respective environments.

In my setup, one application cluster maps directly to one puppet environment. To join a server to an app cluster, I call puppet with --environment.


It looks like some people have cheated by copying the yaml backend, allowing for two hierarchies to be defined for yaml files.!topic/puppet-users/nZLIFzw4ajI

You could also utilize the ... (more)

edit flag offensive delete link more

answered 2013-05-01 08:12:29 -0600

illsci gravatar image

Yeah but that doesn't allow people to customize their hierarchy per environment does it? If you use %{::environment} in the hierarchy there is still only one hierarchy thats the same for every environment correct?

edit flag offensive delete link more


Just use %{::environment} as a namespace on your current hierarchy items. So if your hierarchy is hostname, common; it now becomes %{::environment}/hostname, %{::environment}/common, common. Now you can have ...(more)

Ancillas gravatar imageAncillas ( 2013-05-01 10:44:08 -0600 )edit

Also, you should either respond to answers with a comment, or edit your original post to add details. This site works like stackoverflow, and not like a forum. Folks vote ...(more)

Ancillas gravatar imageAncillas ( 2013-05-01 10:47:22 -0600 )edit

Gotcha.... I understand I can use the ::environment variable to allow many environments to exist with the exact same hierarchy. How can each environment have a completely different hierarchy? That ...(more)

illsci gravatar imageillsci ( 2013-05-01 11:55:36 -0600 )edit

You can't define that from hiera.yaml, but you could achieve the same result by defining a verbose hierarchy in hiera.yaml, and then only using the config files ...(more)

Ancillas gravatar imageAncillas ( 2013-05-01 12:12:49 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2013-04-30 17:11:13 -0600

Seen: 10,315 times

Last updated: May 05 '13