bsdci / libioc

A Python library to manage jails with ioc{age,ell}
https://bsd.ci/libioc

Puppet (apply) provisioning plugin #629

Closed igalic closed 5 years ago

igalic commented 5 years ago

This patch introduces Puppet (apply) as a provisioning method, addressing #625.

So far the design requires a (unique) name, a source (the control-repo) and an optional list of packages to be pre-installed. By default that list of packages is puppet6, and if the source is a git repo, rubygem-r10k.

To begin the provisioning, we

We could also consider running puppet more than once, to guarantee idempotence.

gronke commented 5 years ago

@igalic we still have to test remote repositories. Also it would be nice to provide authentication information for remote sources. Any ideas?

igalic commented 5 years ago

@gronke wrote:

> @igalic we still have to test remote repositories. Also it would be nice to provide authentication information for remote sources. Any ideas?

so, right now, the repo i'm using is on gitlab and is only accessible with the correct SSH keys

however, it has no secrets and i could expose it publicly

as for authentication:

the easiest way would be to mount an (root's?) ~/.ssh/? It would also be nice if this could happen temporarily — i.e.: only during provisioning.

gronke commented 5 years ago

> the easiest way would be to mount an (root's?) ~/.ssh/?

No! We need proper key management to allow authenticated sources. How about an .ssh directory in a jail's dataset (next to the config.json file) and the provisioning.key=gronke with .ssh/gronke and .ssh/gronke.pub as the key files?
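
One way the per-jail key layout proposed in the last comment could be resolved and handed to git, as an added example that is not part of the thread or of libioc's code. The function names, the key-name pattern and the permission checks are assumptions; `provisioning.key`, `.ssh/gronke` and `.ssh/gronke.pub` come from the comment.

```python
import os, re, shlex, stat, tempfile
from pathlib import Path

# Hypothetical helpers, not libioc API. The name pattern is an assumption: it
# keeps a provisioning.key value from escaping the jail's .ssh directory.
KEY_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_provisioning_key(dataset_dir, key_name):
    """Map a provisioning.key value to (private, public) paths in <dataset>/.ssh."""
    if not KEY_NAME.fullmatch(key_name):
        raise ValueError(f"invalid provisioning.key: {key_name!r}")
    ssh_dir = Path(dataset_dir) / ".ssh"
    private, public = ssh_dir / key_name, ssh_dir / f"{key_name}.pub"
    for path in (private, public):
        try:
            mode = path.lstat().st_mode  # lstat: do not follow symlinks out of the dataset
        except FileNotFoundError:
            raise FileNotFoundError(f"missing key file: {path}") from None
        if not stat.S_ISREG(mode):
            raise PermissionError(f"{path} is not a regular file")
        if path == private and stat.S_IMODE(mode) & 0o077:
            raise PermissionError(f"{path} is accessible to group/other")
    return private, public


def git_ssh_env(private_key):
    """Environment that makes git's ssh use only this key, with no agent."""
    ssh = ["ssh", "-i", str(private_key),
           "-o", "IdentitiesOnly=yes",   # do not offer extra identities from an agent
           "-o", "IdentityAgent=none",   # do not contact the invoking user's ssh-agent
           "-o", "BatchMode=yes"]        # fail instead of prompting for a passphrase
    return {"GIT_SSH_COMMAND": shlex.join(ssh)}


if __name__ == "__main__":
    # Constructed sample dataset with placeholder key files (not real keys).
    with tempfile.TemporaryDirectory() as dataset:
        ssh_dir = Path(dataset) / ".ssh"
        ssh_dir.mkdir(mode=0o700)
        for name in ("gronke", "gronke.pub"):
            (ssh_dir / name).write_text("constructed placeholder\n")
        os.chmod(ssh_dir / "gronke", 0o600)
        private, _ = resolve_provisioning_key(dataset, "gronke")
        print(git_ssh_env(private)["GIT_SSH_COMMAND"])
```

Passing the returned mapping as extra environment to the process that fetches the control-repo scopes the key to that one invocation, which also covers the "only during provisioning" wish from earlier in the thread.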