
Group nodes in hiera by hiera-defined fact

asked 2015-06-09 02:25:26 -0500

sinned

I have a hierarchy like this:

- "nodes/%{::certname}"
- (what is here is my question)
- common

I'd like to assign a group to my nodes in their individual configuration in hiera, like this in nodes/hostname.yaml:

---
group: alpha

Now, I'd like to have a file alpha.yaml, where I state group-specific settings.

So my question is how do I write the hierarchy to ask hiera for the filename of the group definition?

Is there another way to achieve this?


1 Answer


answered 2015-06-10 18:58:39 -0500

cbarbour

updated 2015-06-10 19:01:01 -0500

There are a few ways to accomplish this. The direct answer to your question is to use site.pp to define a global group variable from hiera:

site.pp:

$group = hiera('group', 'default')

hiera.yaml:

- "nodes/%{::clientcert}"
- "groups/%{::group}"
- "common"

Alternatively, you can use Puppet to define a 'group' fact on each node. A static fact would be fine for this purpose. If you use this approach, Puppet will no longer be truly idempotent; you'll need to invoke Puppet twice to reach a converged state, because group won't be defined the first time Puppet runs (facts are evaluated before the catalog is compiled.)

With that said, what you're trying to do violates a bunch of best practices. It would be better to use an ENC to supply node data. The ENC can set the group, and group data can be stored in Hiera.

You could also define a group static fact manually, as part of provisioning.

Be aware that static facts and $::clientcert are untrusted variables; the node can override these values. Do not use these values to protect sensitive information such as passwords.

I recommend against using Hiera as a node classifier, unless your needs are very basic. This is an example of why using a real ENC is the better approach.


Comments

Actually, until yesterday I thought hiera is a poor man's ENC, in addition to a way to get constants out of the code... so those are different concepts. Thanks for the clarification. Actually, thanks for the hint that I am on the wrong path. And for the security implications as well.

sinned ( 2015-06-11 02:45:19 -0500 )
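
The ENC approach recommended in the answer above, sketched as an added example (not code from the answer or from the Puppet project): the group comes from a server-side map keyed by the node name the master passes to the ENC, not from a fact the node reports, and is returned as a top-scope parameter that the `groups/%{::group}` hierarchy level can use. The node names, the group map and the `classify` helper are constructed for illustration.

```ruby
#!/usr/bin/env ruby
# Minimal ENC sketch. Puppet runs an ENC on the master with the node's name
# as the only argument and reads a YAML document from its standard output.
require 'yaml'

# Constructed sample data: server-side node name -> group map. In practice
# this lives in a file or database that only the master can write.
NODE_GROUPS = {
  'web01.example.com' => 'alpha',
  'db01.example.com'  => 'beta'
}.freeze

DEFAULT_GROUP = 'default'
CERTNAME_RE = /\A[a-z0-9._-]+\z/

# Build the ENC document (a Hash) for one node.
def classify(certname, groups = NODE_GROUPS)
  unless certname.is_a?(String) && certname.match?(CERTNAME_RE)
    raise ArgumentError, "invalid certname: #{certname.inspect}"
  end

  {
    'classes'    => {},
    # ENC parameters become top-scope variables, so Hiera sees %{::group}.
    'parameters' => { 'group' => groups.fetch(certname, DEFAULT_GROUP) }
  }
end

# Command-line entry point: print the YAML for the node named in ARGV[0].
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  begin
    puts classify(ARGV[0]).to_yaml
  rescue ArgumentError => e
    warn e.message
    exit 1 # a non-zero exit makes catalog compilation fail for this node
  end
end
```

Nodes missing from the map fall back to the `default` group, so they only ever receive data from `groups/default.yaml` and `common.yaml`.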
