Daniel Schaaff

Tackling Tech Debt in Puppet

I spent some time tackling technical debt in our Puppet code this week. The biggest outstanding item was implementing eyaml for protecting secrets in Hiera. I’d also been encouraging developers to contribute to the Puppet code base for some time, but they were restricted from the control repo due to some secrets kept in Hiera. This put a big damper on collaboration, as Hiera is the data engine for our roles and profiles. Separate git repos were also used for the profile and role modules due to this workflow.

Hiera-eyaml to the rescue! Props to voxpupuli as this was dead simple to implement. Once the secrets were encrypted, I tidied up a few more things before collaboration could rain down!

We’ve now got a control repo with encrypted secrets open to contributions from across the org. I’m also enjoying the simplified workflow with environments now that hieradata, roles, and profiles are all in a single git repo.
