Workflow to replicate production environment locally using vagrant with puppetmaster

JeremyCampbell

Oct 20, 2015, 8:18:00 AM
to Puppet Users
We have our production servers fully puppetized and have a team of 12 developers who need to replicate the production environment locally on their workstations. We already have experience using vagrant with shared boxes, however the drift from production over time has become an issue. We use roles/profiles and use hiera_include to assign roles to machines with each machine having its own yaml file at the top of the hierarchy %{::clientcert} where the assignment is done e.g. 'role: app_server'. The plan to overcome this is to provision each vagrant machine using our production puppetmaster, however I'd really appreciate some help with the plan as it seems cumbersome.

Since each puppet client requires a unique certname, we need to pre-assign a name to each of our developers that they can use in their Vagrantfile e.g. www1.dev.acme.com, www2.dev.acme.com and then create a hiera yaml file for the certname and assign the correct role. And since we are using the production puppetmaster we need to manually sign each cert request. Any configuration that is specific to the developers would go into the hiera data file with name of certname.yaml. The process for a new developer would be:

1. Clone the repo (which includes the Vagrantfile).
2. Contact devops to get a unique certname, edit Vagrantfile with assigned certname.
3. Run vagrant up, when puppet provisioning fails (because it is waiting for the signed certificate from the puppetmaster) contact devops again to manually sign the cert request on the puppetmaster.
4. ssh into the vagrant box and manually run 'puppet agent -t' to provision the vagrant machine.

I would imagine this scenario/use case for vagrant + puppetmaster is very common. I feel like we must be missing something. Does anyone have any advice on how to improve this process?


Gavin Williams

Oct 20, 2015, 8:41:38 AM
to Puppet Users
Jeremy

I've done the same for our developers here, and rather than pointing them at the Prod Puppetmaster, they use Vagrant to stand up a local Puppetmaster in the same way the Live master is deployed.
They can then stand up any number of local machines against their local Puppetmaster without any impact on Prod...

HTH

Gav
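
The local-Puppetmaster approach from the reply above, sketched as a multi-machine Vagrantfile. This is an added example, not code from either poster. The box name, IP addresses, confdir path and `bootstrap/master.sh` are assumptions. Because certnames only have to be unique per local master, every developer can use the same names, and cert signing stays off the production CA.

```ruby
# Vagrantfile -- added example. Box, IPs, confdir and bootstrap script are assumptions.
DOMAIN = "dev.acme.com"                  # certname domain used in the thread
BOX    = "example/base-with-puppet"      # placeholder: a box with the Puppet agent installed
MASTER = { host: "puppet", ip: "192.168.50.10" }
AGENTS = { "www1" => "192.168.50.11", "www2" => "192.168.50.12" }

def certname(host)
  "#{host}.#{DOMAIN}"
end

# /etc/hosts lines so agents resolve the local master, never the production one.
def hosts_lines
  ([[MASTER[:host], MASTER[:ip]]] + AGENTS.to_a).map { |h, ip| "#{ip} #{certname(h)} #{h}" }
end

# Shell run on every VM: append each hosts line only once.
def hosts_script
  hosts_lines.map { |l| "grep -qxF '#{l}' /etc/hosts || echo '#{l}' >> /etc/hosts" }.join("\n")
end

# Shell run on the local master only: autosign limited to the dev domain.
# Acceptable on a host-only network; not a setting for the production master.
def autosign_script(confdir = "/etc/puppetlabs/puppet")
  "echo '*.#{DOMAIN}' > #{confdir}/autosign.conf"
end

if defined?(Vagrant)   # lets the helpers above be loaded and checked with plain ruby
  Vagrant.configure("2") do |config|
    config.vm.box = BOX
    config.vm.provision "shell", inline: hosts_script

    config.vm.define "puppet", primary: true do |m|
      m.vm.hostname = certname(MASTER[:host])
      m.vm.network "private_network", ip: MASTER[:ip]
      # Hypothetical script: installs the master the same way production does.
      m.vm.provision "shell", path: "bootstrap/master.sh"
      m.vm.provision "shell", inline: autosign_script
    end

    AGENTS.each do |host, ip|
      config.vm.define host do |a|
        a.vm.hostname = certname(host)
        a.vm.network "private_network", ip: ip
        a.vm.provision "puppet_server" do |puppet|
          puppet.puppet_server = certname(MASTER[:host])
          puppet.puppet_node   = certname(host)   # selects hiera's %{::clientcert} file
        end
      end
    end
  end
end
```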