These manifests are used to more effectively manage ISE's infrastructure. Some reasons for this include:
-
Reproducible: If we lose a host or need to rebuild, Puppet enables us to rebuild to a known good state.
-
Distributable: With Puppet manifests stored in this repository, it is easier to accept infrastructure help from members of the ISE technical community, without necessarily giving root access out.
-
Accountable: By funneling as much infrastructure work through Puppet as possible, we ensure the infrastructure has a very clear audit trail for specific changes.
-
Scalable: By moving configuration options to parameters, we can add nodes quickly.
Puppet does not replace change management. Puppet supports the change management process and provides consistent implementation within the scope of ISE's RFC process. Specifically:
-
Every change that impacts Prod MUST have an RFC, regardless of whether the change is applied manually or via Puppet
-
Changes that do not impact Prod do not require an RFC
ISE uses Puppet to apply consistent, repeatable changes to hosts. Currently, this includes Linux and Windows. In the future, it may also include network devices. Nevertheless, ISE follows a consistent change management process for every change that impacts Prod, regardless of whether changes are applied manually or via Puppet.
The output from Puppet is a compiled catalog that represents a directed acyclic graph (DAG) of resources (configuration items) and is applied to each host via a process referred to at ISE as "host-enforce". Notably, host-enforce is orchestrated by Operations in Prod on-demand to perform a Puppet run.
The input to Puppet is a set of plain-text files written in the Puppet Domain-Specific Language (DSL), combined with flat-file data and referred to as the Source of Truth (SoT). ISE stores the input SoT in Git, a version control system that maintains an immutable history of all changes to all systems.
The Puppet admins ("maintainers") have a documented workflow within the Git repo for Puppet, and it is the detailed implementation. The following is a high-level overview to illustrate the boundaries and responsibilities of the workflow.
ISE has adopted a fork + branch workflow with Git such that changes via Puppet follow established Change Management policy.
-
A single production branch contains the cumulative history of all changes for every environment, including Dev, Test, DR, and Prod. The production branch therefore contains the complete configuration of every host as we know it (not just Prod).
The production branch is immutable; once published, the history within the production branch does not change. The integrity of the history is protected via cryptographic hashes. Immutability provides a strong audit trail of actual changes.
-
Each conceptual change is staged within a feature branch; the branch is referred to as a feature branch because its goal is to implement a feature or a change. A feature branch may be rewritten as many times as necessary until it's ready for implementation. Feature branches provide a safe environment in which to develop and test changes.
-
A special feature branch called the daily change branch is created if there are approved RFCs on a given day. The daily change branch extends the concept of a feature branch to include tracking via ISE's RFC approval process.
-
The maintainers have created a system known as host impersonation that enables ISE to test Prod-related feature branches outside of Prod. Host impersonation enables robust smoke tests.
-
Verification: Every feature branch must pass a battery of unit tests and smoke tests before it is considered ready for implementation.
a. A Continuous Integration server automatically runs the unit tests without user intervention. This is the first step of verification. Unit tests must pass before proceeding to the next step.
b. The change author documents the steps needed to check whether a change is considered successful. We refer to this as the smoke test, and the author must manually perform the smoke test via
host-enforce
.c. The change author adds their sign-off on the branch when the author thinks the branch is ready for implementation.
-
Code review: A feature branch is a collaborative effort across multiple teams and system "owners", so technical peers review all changes during or after the verification steps, but before the approval steps. Optionally, technical peers reproduce the smoke test. Code review is the final step before declaring a feature branch ready for implementation.
-
Approval: An RFC is submitted after a change is considered ready for implementation.
a. Each RFC is created and assigned to the person in charge of running host-enforce in Prod (i.e., daily change branch).
b. A maintainer stages approved RFC changes in a daily change branch that is used during a host-enforce to apply those changes to Prod. Non-approved RFC changes remain in a regular feature branch until approved.
c. A maintainer merges the daily change branch to production after the daily change branch is successfully applied and the immediate system check-out is good.
d. A maintainer merges non-RFC changes to production branch when proven good.
If you would like more detail or to author the puppet manifests, please read the documents in this repo: