Copyright (c) 2014 Hewlett-Packard Development Company, L.P.
This work is licensed under a Creative Commons Attribution 3.0
Unported License.

Public Hiera directory

This is a specification for creating a new public directory embeded in the openstack-infra/config project to hold public hiera data.

Problem description

Puppet code in openstack-infra/config, referred to hereafter as config, currently uses the hiera data backend. The advantage to using hiera in a puppet environment is to separate the presentation of data from the function of code. An obvious consequence of this is that the secret data can be put into hiera and hidden, making the puppet code sanitized for public viewing. This is exactly what has happened with config.

The disadvantage to the current system is that non-secret data is currently very awkwardly managed. There are some instances, where non-secret data is pushed into the secret hiera. We also have instances, such as the long list of jenkins plugins, where the data is embedded into the Puppet code. We also have variables set at top scope, such as elasticsearch_nodes, that can be moved into hiera. This also makes use of hiera limited to core contributors.

Proposed change

The proposed solution is to create a second hiera directory, embedded into the config git repository, for public data to live in. Hiera will have to be reconfigured to work with both directories, preferring the secure directory. This should make consuming openstackci as a downstream easier. Since variables set in this hiera directory can be used or overridden as necessary.


Status quo. Create a 1:1 copy of the secret hiera git repository containing only fake data.



Primary assignee:

Spencer Krum (nibalizer)

Work Items

  • Move the puppet working dir out of /opt into /etc

    This is required because the hiera yaml backend doesn’t really support multiple data dirs. We can hack it by setting the hiera data dir to be a common superior directory of both dirs. We don’t want to use / so we will use /etc/puppet and move the puppet working dir out of /opt into /etc/puppet.

  • Configure a second data directory in the infra/config git repo

  • Set hiera.yaml appropriately to source both dirs in order

    Puppet will do this by managing the config file.

  • Symlink /etc/hiera.yaml to /etc/puppet/hiera.yaml

    This ensures that the hiera lookups performed by Puppet and the hiera lookups performed by the ‘hiera’ command line tool use the same configuration.

  • Seed with data


No new repositories


No new servers

DNS Entries

No DNS changes