Related Jira issue: SIMP-3479

Managing Multiple Puppet environments (without SIMP)

Control repositories

Outside of SIMP, Git-based control repositories have been the dominant technology for managing and deploying Puppet code since 2015. At a high level, this workflow involves:

  • (r10k, Code Manager:) Deploy consistent Puppet environments across Puppet architectures that involve multiple masters
  • (Bolt:) Manage remote "agentless" hosts by checking out an environment's modules (using bolt puppetfile install) before running bolt apply

SIMP + Multiple Puppet environments

Limitations and conflicts

Although it has been technically possible to manage multiple Puppet environments from control repositories since SIMP 5.0 [SIMP 5.0-6.3], in practice this has been cumbersome, risky, and easy to get wrong. Getting it right requires an in-depth knowledge of Puppet environments and SIMP's "extra" environments, and there are still significant limitations.

The recent 6.4.0 release [SIMP 6.4] retooled SIMP enough that it can safely support single-environment Puppetfile deployments (e.g., r10k puppetfile install from a Puppet environment directory) out of the box. However, there are still two major sources of conflict between multiple Puppet environments and SIMP:

Conflicts with Multiple Puppet Environments

Issue 1: SIMP automation alters files under the Puppet and SIMP environment directories

  1. [SIMP 5.0-6.3] RPM updates and simp_rpm_helper could modify existing files in Puppet and SIMP environment directories
  2. [SIMP 5.0-6.3] User-initiated tools like simp config could modify existing files in Puppet and SIMP environment directories
  3. [SIMP 6.4] [PARTIALLY FIXED] The user-initiated tool simp environment new can ensure that there are corresponding secondary and writable environments
    1. This is a safety improvement over earlier releases, because it will only alter environment files when the user initiates it
    2. However, the simp environment tool is only partially implemented, and the rest cannot be implemented safely.
    3. As things stand, this means SIMP 6.4.0:
      1. Safely supports SIMP extra data with the Local (Puppetfile-only) deployment scenario with a single environment (production)
      2. Does not safely support SIMP extra data with the Control Repository deployment scenarios (without additional conventions and limitations)

Issue 2: SIMP expects there to be separate Secondary and Writable assets to complement each Puppet environment

SIMP has always assumed that there will be two SIMP-specific "environment" data directories to complement each Puppet environment directory:

  1. [SIMP (ALL)] "Secondary" data/assets under /var/simp/environments/$environment/.
    These are files too sensitive and/or too large to check into git in plaintext, maintained by site admins.
    1. "Site Files" modules, like pki_files (keydist) and krb3_files
    2. The FakeCA support script, including the FakeCA's private key
    3. RSync directories, used by the simp::server::rsync_shares profile to serve files for various modules.
  2. [SIMP (ALL)] "Writable" data/assets under /opt/puppetlabs/server/data/puppetserver/simp/environments/$environment/
    These are secrets, read by certain Puppet functions while compiling catalogs (and automatically generated if they are missing).
    There are only two Puppet functions in SIMP that use the writable environment directory:
    1. simplib::passgen()
      • a popular function, used to generate secret passwords
      • used in 14 SIMP modules, usually (but not always) exposed as a parameter default
      • secrets read by this function can also be generated by the simp passgen CLI tool
    2. ssh::autokey(), which is unused by the stock SIMP modules but is provided to allow local admins to automatically set up SSH keys as needed.

Earlier SIMP releases

In earlier SIMP releases (5.0–6.3), it was technically possible to deploy multiple environments from a control repository, but in practice it was cumbersome and risky:

  • Whenever a new Puppet environment was deployed, (manual) follow-on actions were required to ensure the appropriate SIMP data was available for that environment
  • RPM updates and simp_rpm_helper could modify existing files in Puppet and SIMP environment directories
  • It assumed an in-depth knowledge of Puppet and SIMP
  • It still suffered from significant limitations and risks
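A sanity check for Issue 2, written here as an added example and not part of SIMP's own tooling: it walks the Puppet environmentpath and reports every environment that lacks its secondary or writable counterpart, using the two SIMP paths named above. The environmentpath default (/etc/puppetlabs/code/environments) is Puppet's stock value and is an assumption here, as is the symlink note, which relates to the `--link` workaround mentioned in the 6.4.0 section.

```shell
#!/bin/sh
# Added example, not SIMP project code: report, for each Puppet environment,
# whether its SIMP "secondary" and "writable" counterparts exist.
# The two SIMP base paths are those named on this page; the environmentpath
# default (/etc/puppetlabs/code/environments) is Puppet's stock value and is
# an assumption here.

# check_simp_env_assets [ENVPATH] [SECONDARY_BASE] [WRITABLE_BASE]
# Prints one line per environment ("<env> ok" or "<env> missing: ...") and
# returns 0 only when every environment has both directories.
check_simp_env_assets() {
  envpath=${1:-/etc/puppetlabs/code/environments}
  secondary_base=${2:-/var/simp/environments}
  writable_base=${3:-/opt/puppetlabs/server/data/puppetserver/simp/environments}
  rc=0
  for envdir in "$envpath"/*/; do
    [ -d "$envdir" ] || continue          # no match: the glob stays literal
    env=$(basename "$envdir")
    missing=""
    # Secondary: site files (keydist, FakeCA, rsync shares) that admins maintain by hand.
    [ -d "$secondary_base/$env" ] || missing="$missing secondary"
    # Writable: passgen/autokey secrets; if absent they are regenerated at the
    # next compile, so a missing directory means new, different secrets.
    [ -d "$writable_base/$env" ] || missing="$missing writable"
    if [ -n "$missing" ]; then
      printf '%s missing:%s\n' "$env" "$missing"
      rc=1
    elif [ -L "${secondary_base}/${env}" ]; then
      # A symlinked secondary env (the --link workaround) shares data with
      # another environment; removing either side affects both.
      printf '%s ok (secondary is a symlink)\n' "$env"
    else
      printf '%s ok\n' "$env"
    fi
  done
  return $rc
}
```

Run it after every control-repository deploy: a non-zero exit means a freshly deployed environment will compile against freshly generated secrets rather than the ones you meant it to share.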



SIMP 6.4.0: Deploy single environment from a Puppetfile

During the development of SIMP 6.4.0, it became apparent that the simp environment workflow would have problems down the road:

  • Making a new SIMP writable and secondary environment for every Puppet environment was arbitrary
    • The dependence on $environment made it necessary to adopt workarounds like `simp environment new [--copy|--link]` when environments used the same (or similar) resources
    • Linked
  • It would be too easy to permanently lose data from linked environments with the proposed simp environment rm command

Puppet Environments and SIMP Assets

Proposed SIMP 6.5+

Legacy 6.4 assets in SIMP 6.5+