Puppet 4 lookup & hiera node classification

While working with some of the new Puppet 4 functions, I noticed that most documentation for node classification still refers to hiera_include for class inclusion. However, because the old hiera format has some issues, and to remove the dependence on specific backends, Puppet 4 now also supports a new hiera.yaml format. This new format allows for some great features, such as mixing backends per hierarchy source and per-environment hiera.yaml files, which is great if you’re using r10k for multiple non-homogeneous environments. Using this new hiera format does require you to classify nodes differently.

Previously, you would use hiera_include('classes') in your site.pp, which doesn’t work with a per-environment hiera.yaml. The replacement is as simple as adding lookup('classes', Array[String], 'unique').include to your site.pp, which loops over your hiera-defined array of classes and includes them in your node. The unique merge behavior merges all lookups of classes into a single flat array, which is what you want when adding classes from multiple hierarchies in hiera.

In addition, the lookup function supports some interesting features, such as knockout prefixes, which allow you to remove entries from the resulting set of hiera data. While needing this is usually the result of a flawed hierarchy, sometimes - for whatever reason - you just need to override settings on specific hosts.

As an example, assume you’d have the following two node classifications for sets of servers to allow specific groups access through ssh:

#managed.yaml
ssh::server::groupallow:
  - team::administrators
  - team::operators
  - team::security

and

#unmanaged.yaml
ssh::server::groupallow:
  - team::administrators
  - team::operators
  - team::developers
  - team::security

Now, if you wanted to override access for the operators team on a very specific set of servers, previously you would have had to use a separate class of excluded groups and subtract that from the resulting set in hiera.

With Puppet 4 lookup, however, we can use the knockout prefix to remove specific results from the resulting set. Let’s assume we have a specific group of servers which - for all intents and purposes - are part of the unmanaged group of servers, but have a specific requirement not to allow daily operations access to these machines. We’d use the following hiera data for this set of servers:

#unmanaged-confidential.yaml
ssh::server::groupallow:
  - '!!team::operators'  # quoted, since a bare !! starts a YAML tag

and the following lookup:

lookup({
  'name'  => 'ssh::server::groupallow',
  'merge' => {
    'strategy'        => 'deep',
    'knockout_prefix' => '!!',
  },
})

The resulting set of groups for our snowflake servers would become:

ssh::server::groupallow:
  - team::administrators
  - team::developers
  - team::security
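
Because the knockout entry here removes SSH access, it is worth failing the catalog when the removal did not happen. The following is an added example, not code from the original post: profile::ssh_access and its must_not_allow parameter are hypothetical names, and the ssh::server class with a groupallow parameter is inferred from the data key used above.

```puppet
# Added example (not from the original post). profile::ssh_access is a
# hypothetical wrapper class; ssh::server and its groupallow parameter are
# assumed from the hiera key ssh::server::groupallow.
class profile::ssh_access (
  # Groups that must never survive the merge. Set per tier in hiera, e.g. in
  # unmanaged-confidential.yaml:
  #   profile::ssh_access::must_not_allow: ['team::operators']
  Array[String] $must_not_allow = [],
) {
  # Same lookup as above, plus a value_type so that anything other than an
  # array of non-empty strings aborts compilation.
  $groups = lookup({
    'name'       => 'ssh::server::groupallow',
    'value_type' => Array[String[1]],
    'merge'      => {
      'strategy'        => 'deep',
      'knockout_prefix' => '!!',
    },
  })

  # An entry that still carries the prefix means the knockout was not
  # processed; it must not reach the sshd configuration as a group name.
  $leftover = $groups.filter |$g| { $g =~ /^!!/ }
  unless $leftover == [] {
    fail("ssh::server::groupallow still contains knockout entries: ${leftover}")
  }

  # Independent check of the intended outcome: a mistyped group name or a
  # different prefix in the data leaves the group allowed without any error.
  $forbidden = $groups.filter |$g| { $g in $must_not_allow }
  unless $forbidden == [] {
    fail("ssh::server::groupallow allows excluded groups: ${forbidden}")
  }

  # Pass the merged value explicitly instead of relying on automatic
  # parameter lookup for ssh::server::groupallow.
  class { 'ssh::server':
    groupallow => $groups,
  }
}
```

The explicit parameter matters because automatic class parameter lookup returns the first value found unless a merge is configured for the key, which on the confidential servers would be the single knockout entry rather than the merged list.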

Keep in mind that the Puppet lookup function is still experimental, but as far as I can see this would be the way forward to provide backend-agnostic data lookup and classification. For more information on Puppet lookup, see https://docs.puppet.com/puppet/latest/lookup_quick.htm . Happy puppeting!