This is the talk I gave at Config Management Camp 2016 in Ghent introducing Jerakia as a lookup tool that can be used in place of, or alongside, Hiera to solve some of the edge cases around data separation.
Solving real world data problems with Jerakia
1. Solving real world data problems with Jerakia
Craig Dunn, Config Management Camp, Ghent 2016
2. • Best practice
• Code base design
• Workflow management
• Scaling Puppet
• Installation and support
• Module writing
• Throughout Europe
www.enviatics.com
3. • Puppet user since 2008
• IT consultant for 15+ years
• Active community member
• The “Roles and Profiles” guy
• Problem solver
• Lives in Málaga, Spain.
• …. and hotels
• Daddy!
www.craigdunn.org
Craig Dunn
@crayfishx
9. • Separation of data from code
• Module authors could write sharable re-usable code
• Code was less complex and more readable
• The Forge became useful
• Managing data became a lot easier
16. • Different teams and customers require different hierarchies
• A particular application needs to source data from a different place
• Control access to sub-sets of data for teams within an organisation
• Dynamically generate the lookup hierarchy at runtime
• Group together application specific data into separate files
• Manage encrypted data from any data source
• Global hiera.yaml file creates restrictions
26. • A request is received containing a key and a namespace
• A policy is chosen to perform the request
• One or more lookups are called to act on the request
• A response is sent back to the requestor
• Container for lookups
• Written in Ruby DSL
• Different policies for different apps
Policy File
27. An Example Jerakia Policy File
policy :main do
  lookup :default do
    datasource :file, {
      :docroot => "/var/jerakia/data",
      :format => :yaml,
      :searchpath => [
        "host/#{scope[:hostname]}",
        "env/#{scope[:env]}",
        "common",
      ]
    }
  end
end
31. • Lookups are contained within policies
• A policy can contain multiple lookups
• A lookup always contains at least a data source
Lookups
39. confine / exclude
Invalidates a lookup unless/if the criteria are met
confine request.namespace[0], "apache"
confine request.namespace[0], [
  /website_.*/,
  "apache",
  "php"
]
40. Stop
Do not proceed to the next lookup if this lookup is valid
lookup :special do
  …
  confine request.namespace[0], "apache"
  stop
end
lookup :main do
  …
50. Using plugins
• Plugins are loaded into the lookup
• Referenced as plugin.name.method
lookup :main, :use => :mything do
  plugin.mything.do_something
  …
end
lookup :main, :use => [ :mything, :foo ] do
  …
end
51. The hiera plugin
• Provides compatibility with Hiera filesystem layouts
• Shipped with Jerakia
lookup :main, :use => :hiera do
  plugin.hiera.rewrite_lookup
  datasource :file, {
    :docroot => "/var/lib/jerakia",
    :format => :yaml,
    :searchpath => [
      "env/#{scope[:environment]}",
      "common",
    ]
  }
end
# cat /var/lib/jerakia/env/dev.yaml
---
apache::port: 80
56. Example User Story
• Team in Ireland manage PHP/Apache
• Autonomous team that don’t manage infra
• Their optimal hierarchy is different from “ours”
• “We” need to service them from Puppet
• They must not modify infra services
• “We” also manage PHP/Apache for other clients
57. Our main lookup is responsible for the entire infrastructure
policy :default do
  lookup :main do
    datasource :file, {
      :format => :yaml,
      :docroot => "/var/lib/jerakia",
      :searchpath => [
        "hostname/#{scope[:fqdn]}",
        "environment/#{scope[:environment]}",
        "common"
      ],
    }
  end
end
58. Lookup for the Ireland team added above the main lookup with separate docroot and searchpath
policy :default do
  lookup :ireland do
    datasource :file, {
      :format => :yaml,
      :docroot => "/var/external/data/ie",
      :searchpath => [
        "project/#{scope[:project]}",
        "common",
      ]
    }
  end
  lookup :main do
    datasource :file, {
      :format => :yaml,
      :docroot => "/var/lib/jerakia",
      :searchpath => [
        "hostname/#{scope[:fqdn]}",
        "environment/#{scope[:environment]}",
        "common"
      ],
    }
  end
end
59. Only use this lookup if the requestor location is IE and the namespace is apache or php
policy :default do
  lookup :ireland do
    datasource :file, {
      :format => :yaml,
      :docroot => "/var/external/data/ie",
      :searchpath => [
        "project/#{scope[:project]}",
        "common",
      ]
    }
    confine scope[:location], "ie"
    confine request.namespace[0], [
      "apache",
      "php",
    ]
  end
  lookup :main do
    datasource :file, {
      :format => :yaml,
      :docroot => "/var/lib/jerakia",
      :searchpath => [
        "hostname/#{scope[:fqdn]}",
        "environment/#{scope[:environment]}",
        "common"
      ],
    }
  end
end
60. If this lookup is valid then do not proceed to the main lookup, even if data is not found.
policy :default do
  lookup :ireland do
    datasource :file, {
      :format => :yaml,
      :docroot => "/var/external/data/ie",
      :searchpath => [
        "project/#{scope[:project]}",
        "common",
      ]
    }
    confine scope[:location], "ie"
    confine request.namespace[0], [
      "apache",
      "php",
    ]
    stop
  end
  lookup :main do
    datasource :file, {
      :format => :yaml,
      :docroot => "/var/lib/jerakia",
      :searchpath => [
        "hostname/#{scope[:fqdn]}",
        "environment/#{scope[:environment]}",
        "common"
      ],
    }
  end
end
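The confine and stop behaviour built up over slides 57 to 60 can be modelled in a few lines of Ruby. This is an added example, not code from the talk or from Jerakia: Lookup, resolve, the in-memory hashes and the first-match resolution are assumptions made for illustration.

```ruby
# Toy model of the confine/stop rules above; Lookup, resolve and the sample
# data are constructed for illustration and are not Jerakia's implementation.
Lookup = Struct.new(:name, :data, :confines, :stop) do
  # Valid only when every confine matches (String equality or Regexp match).
  def valid?(scope, namespace)
    confines.all? do |field, allowed|
      value = field == :namespace ? namespace : scope[field]
      Array(allowed).any? { |m| m.is_a?(Regexp) ? m.match?(value.to_s) : m == value }
    end
  end
end

# Assumes lookup type "first": walk lookups in order, return the first value.
# A valid lookup marked stop ends the walk even when it holds no data.
def resolve(lookups, scope, namespace, key)
  lookups.each do |lookup|
    next unless lookup.valid?(scope, namespace)
    value = lookup.data.dig(namespace, key)
    return [lookup.name, value] unless value.nil?
    return [lookup.name, nil] if lookup.stop
  end
  [nil, nil]
end

# Constructed stand-ins for /var/external/data/ie and /var/lib/jerakia.
IRELAND = { "apache" => { "port" => 8080 },
            "sudo"   => { "admins" => ["ie-team"] } }.freeze
MAIN    = { "apache" => { "port" => 80, "mpm" => "prefork" },
            "sudo"   => { "admins" => ["ops"] } }.freeze

def policy(stop:)
  [Lookup.new(:ireland, IRELAND, { location: "ie", namespace: %w[apache php] }, stop),
   Lookup.new(:main, MAIN, {}, false)]
end

IE = { location: "ie" }.freeze
UK = { location: "uk" }.freeze

p resolve(policy(stop: true),  IE, "apache", "port")  # Ireland data answers
p resolve(policy(stop: true),  IE, "apache", "mpm")   # stop: no fall-through to main
p resolve(policy(stop: false), IE, "apache", "mpm")   # without stop: main answers
p resolve(policy(stop: true),  IE, "sudo", "admins")  # namespace confine: Ireland file ignored
p resolve(policy(stop: true),  UK, "apache", "port")  # location confine: main only
```

The fourth call is the access-control case from the user story: a sudo key placed in the Ireland docroot is never consulted, because the lookup is confined to the apache and php namespaces.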
61. Command line
$ jerakia lookup port --namespace apache
$ jerakia help lookup
Usage:
  jerakia lookup [KEY]
Options:
  -c, [--config=CONFIG]            # Configuration file
  -p, [--policy=POLICY]            # Lookup policy
                                   # Default: default
  -n, [--namespace=NAMESPACE]      # Lookup namespace
  -t, [--type=TYPE]                # Lookup type
                                   # Default: first
  -s, [--scope=SCOPE]              # Scope handler
                                   # Default: metadata
      [--scope-options=key:value]  # Key/value pairs to be passed to the scope handler
  -m, [--merge-type=MERGE_TYPE]    # Merge type
                                   # Default: array
  -l, [--log-level=LOG_LEVEL]      # Log level
  -v, [--verbose], [--no-verbose]  # Print verbose information
  -D, [--debug], [--no-debug]      # Debug information to console, implies --log-level debug
  -d, [--metadata=key:value]       # Key/value pairs to be used as metadata for the lookup
Lookup [KEY] with Jerakia