... | ... | @@ -1793,15 +1793,6 @@ This is the data that needs to be moved into Trocla at the time of writing: |
A full audit should be redone before this is completed.
The actual issues that need to be resolved to close this ticket are
really just 1 and 2, however: it just means we would need to push to
two repositories to get our code public. So as a temporary measure, we
would push the public repositories twice: once to the public git
repository (ie. here) and once to the private one. Eventually, we
would push directly with Puppet which, with access keys, would push
public repositories here. But that's not essential to close this
ticket, which is just about publishing our darn source code.
### Use a control repository
The base of the infrastructure is a [control-repo](https://puppet.com/docs/pe/latest/control_repo.html) ([example](https://github.com/puppetlabs/control-repo),
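Review bot: the line "A full audit should be redone before this is completed." is kept while the paragraph around it that spelled out the interim workflow (push the public repositories twice, once to the public git repository here and once to the private one, until Puppet pushes them directly with access keys) appears to be taken out (the hunk header goes from 15 lines to 6), so "this" no longer has a clear antecedent and the interim procedure is no longer described anywhere in this section. Suggest making the sentence self-contained, e.g. "A full audit for private data should be redone before the repository is published.", and, if the double push is still current practice, keeping a one-line pointer to where it is now documented.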
... | ... | @@ -1836,15 +1827,11 @@ job. |
In other words, this is the checklist:
* [x] convert everything to hiera (#30020) - this requires creating `roles` for each machine (more or less) -- effectively done as far as this issue is concerned
* [ ] move current `modules/` into `site-modules/` and audit for private data
* [ ] move any private data into `hiera/`, currently known private data:
* `modules/postfix/files/virtual` - email addresses
* `modules/postfix/files/access-1-sender-reject` and related - email addresses
* sudoers configurations?
* secrets in /etc/puppet (hopefully not in git, but just in case)
* [x] convert everything to hiera (tpo/tpa/team#30020) - this
requires creating `roles` for each machine (more or less) --
effectively done as far as this issue is concerned
* [ ] sanitize repository (tpo/tpa/team#29387)
* [ ] move `3rdparty` modules into `modules/`
* [ ] publish everything but `hiera/` as a new (secret) repository
Once this is done, the final picture will look like this in `/etc/puppet`:
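Review bot: the itemised list of known private data (`modules/postfix/files/virtual`, `modules/postfix/files/access-1-sender-reject` and related, sudoers configurations, secrets in /etc/puppet) and the "move current `modules/` into `site-modules/` and audit for private data" step are collapsed into the single entry "sanitize repository (tpo/tpa/team#29387)"; unless that ticket already carries the list, the concrete locations an auditor has to check disappear from the document. Suggest keeping them as sub-items under the sanitize entry. Also, "publish everything but `hiera/` as a new (secret) repository" reads as a contradiction: if `hiera/` is the part that stays private, say "as a new public repository", or state what remains secret about the new one. Minor: the "convert everything to hiera" entry is wrapped over three unindented lines; indent the continuation lines under the `* [x]` marker so every renderer keeps them inside the list item.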
... | ... | @@ -1975,7 +1962,7 @@ would not matter because of the checksums in the control repository. |
### Use a role account
To avoid permission issues, use a role account (say `git`) to accept
pushes and enforce git hooks.
pushes and enforce git hooks (tpo/tpa/team#29663).
### Use local test environments
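Review bot: adding the ticket reference to "pushes and enforce git hooks (tpo/tpa/team#29663)" is fine, but the sentence still does not say what makes the hooks enforceable: if the users who push can also write to the repository's `hooks/` directory on the server, they can edit or remove the hooks. Suggest adding that the hook scripts are owned by the `git` role account (or deployed by Puppet) and not writable by the pushing users, and that pushers reach the repository only through that account, since that is the property the role account is introduced for.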