From 0d9d3c529e059bef6715f7f9d56bd68036737811 Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Fri, 21 Jun 2024 15:52:37 +0200 Subject: [PATCH] document puppet subgroup --- admin-guide/deployment/sample.md | 8 ++-- admin-guide/operations/deployment.rst | 9 ++++- admin-guide/puppet/hiera.rst | 57 ++++++++++++++++----------- 3 files changed, 45 insertions(+), 29 deletions(-) diff --git a/admin-guide/deployment/sample.md b/admin-guide/deployment/sample.md index f98b77c6..94c6d2d6 100644 --- a/admin-guide/deployment/sample.md +++ b/admin-guide/deployment/sample.md @@ -9,12 +9,13 @@ The informations we need are: - the server name: `logging-ra.psi.ch` - the server MAC address: `23:3d:ef:33:11:22` - - static or dynamic IP: `static` + - optional static or dynamic IP: `static` (RHEL7 & RHEL8 only) - the OS installer: `rhel8install` - the server role: `role::logging_server` - - the server environment in puppet: `prod` + - optional the server environment in puppet: `prod` - the sysdb deployment environment: `daas` - optional the group inside the sysdb environment (`default` if not specified): `logging` + - optional the subgroup inside the group: `collector` ## Setting up bob @@ -50,6 +51,7 @@ And we finally setup the puppet role and puppet environment: bob node set-attr logging-ra.psi.ch puppet_role=role::log_server bob node set-attr logging-ra.psi.ch puppet_env=prod bob node set-attr logging-ra.psi.ch puppet_group=logging + bob node set-attr logging-ra.psi.ch puppet_subgroup=collector ## Example @@ -58,7 +60,7 @@ Full example: bob node add lx-test-02.psi.ch lx netboot bob node add-mac lx-test-02 00:50:56:9d:19:76 - bob node set-attr lx-test-02.psi.ch ipxe_installer=rhel8install puppet_env=prod puppet_group=default puppet_role=role::server + bob node set-attr lx-test-02.psi.ch ipxe_installer=rhel8install puppet_role=role::server bob node netboot lx-test-02.psi.ch bob node list -v lx-test-02 
diff --git a/admin-guide/operations/deployment.rst b/admin-guide/operations/deployment.rst index 964c1136..d0b6af8e 100644 --- a/admin-guide/operations/deployment.rst +++ b/admin-guide/operations/deployment.rst @@ -37,10 +37,15 @@ Finally we need to configure the installer to use, and the Puppet-related parameters:: bob node set-attr $FQDN ipxe_installer=rhel8install + bob node set-attr $FQDN puppet_role=role::server + +and optional:: + + bob node set-attr $FQDN puppet_group=cluster + bob node set-attr $FQDN puppet_subgroup=compute bob node set-attr $FQDN network=static bob node set-attr $FQDN puppet_env=prod - bob node set-attr $FQDN puppet_role=role::server - bob node set-attr $FQDN puppet_group=default + Redeployment diff --git a/admin-guide/puppet/hiera.rst b/admin-guide/puppet/hiera.rst index 9d27272e..257371a8 100644 --- a/admin-guide/puppet/hiera.rst +++ b/admin-guide/puppet/hiera.rst 
@@ -4,25 +4,36 @@ Hiera Look `here `_ for a general Hiera introduction. -The current hierarchy has four levels (first will be considered first +The current hierarchy has seven levels (first will be considered first during value lookup): - nodes (FQDN) +- subgroup (optional, ``puppet_subgroup`` attribute in sysdb) - group (``puppet_group`` attribute in sysdb) - sysdb environments +- Puppet server specific +- global - common -and values can be stored as classical YAML values or with `encrypted yaml +The first four layers can be edited by the admin in the respective hiera git repository. +The common layer (default values) and the server specific layer (differences between test and prod) are part of the Puppet code repository. +Finally the global layer contains a few configurations which are managed by the Core Linux Group outside of the normal Puppet release process, eg. for license management. + +The values can be stored as classical YAML values or with `encrypted yaml `_ for secrets. The filesystem structure is as follows: -1. ``%{::sysdb_env}/%{::group}/%{::fqdn}`` -2. ``%{::sysdb_env}/%{::group}`` -3. ``%{::sysdb_env}/%{::sysdb_env}`` -4. ``%{::environment}/data/common`` +1. ``%{::sysdb_env}/%{::group}/%{::fqdn}.yaml`` or ``%{::sysdb_env}/%{::group}/%{::subgroup}/%{::fqdn}.yaml`` +2. ``%{::sysdb_env}/%{::group}/%{::subgroup}.yaml`` +3. ``%{::sysdb_env}/%{::group}.yaml`` +4. ``%{::sysdb_env}/%{::sysdb_env}.yaml`` +5. ``%{::environment}/data/server_%{server_facts.servername}.yaml`` +6. ``/srv/puppet/data/global/global.yaml`` +7. ``%{::environment}/data/common.yaml`` -The ``%{variable}`` notation is hiera specific and each path represents a ``.yaml`` -file. +Depending if a subgroup is defined, the node specific YAML is at a different level in the filesysystem hierarchy. + +The ``%{variable}`` notation is hiera specific. Hiera repositories ------------------ 
@@ -63,36 +74,34 @@ Example Assuming two sysdb environments ``hpc`` and ``sls``, as well as: -- group ``merlin4`` in ``hpc`` with ``merlinc10`` and ``merlinc11`` in it; -- group ``merlin5`` in ``hpc`` with ``merlin-c001`` and ``merlin-c002`` in it; -- group ``mx`` in ``sls`` with ``mxcn-1`` and ``mxcn-2`` in it; +- group ``merlin4`` in ``hpc`` with ``merlin4l`` and in subgroup ``compute`` ``merlinc10`` and ``merlinc11`` +- group ``mx`` in ``sls`` with ``mxcn-1`` and ``mxcn-2`` - host ``xbl-gateway`` in no explicit group (will take the implicit ``default``) the Hiera structure would look like this:: - data/hpc/merlin4/merlinc10.psi.ch.yaml - data/hpc/merlin4/merlinc11.psi.ch.yaml + data/hpc/merlin4/merlin4l.psi.ch.yaml + data/hpc/merlin4/compute/merlinc10.psi.ch.yaml + data/hpc/merlin4/compute/merlinc11.psi.ch.yaml data/hpc/merlin4.yaml - data/hpc/merlin5/merlin-c001.psi.ch.yaml - data/hpc/merlin5/merlin-c002.psi.ch.yaml - data/hpc/merlin5.yaml data/hpc.yaml data/sls/mx/mxcn-1.psi.ch.yaml data/sls/mx/mxcn-2.psi.ch.yaml data/sls/mx.yaml data/sls/default/xbl-gateway.psi.ch.yaml data/sls.yaml - code/environments/{prod,preprod}/common.yaml + code/{prod,preprod}/server_$SERVERNAME.yaml + data/global/global.yaml + code/{prod,preprod}/common.yaml While the output of bob would be something like (some unneeded attributes have been removed):: - merlinc10.psi.ch hpc local puppet_group=merlin4 - merlinc11.psi.ch hpc local puppet_group=merlin4 - merlin-c001.psi.ch hpc local puppet_group=merlin5 - merlin-c002.psi.ch hpc local puppet_group=merlin5 - mxcn-1.psi.ch sls local puppet_group=mx - mxcn-2.psi.ch sls local puppet_group=mx - xbl-gateway.psi.ch sls local + merlin4l.psi.ch hpc local puppet_group=merlin4 + merlinc10.psi.ch hpc local puppet_group=merlin4 puppet_subgroup=compute + merlinc11.psi.ch hpc local puppet_group=merlin4 puppet_subgroup=compute + mxcn-1.psi.ch sls local puppet_group=mx + mxcn-2.psi.ch sls local puppet_group=mx + xbl-gateway.psi.ch sls local Secret values 
-------------
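Review bot: in the first hunk of admin-guide/deployment/sample.md, the items newly marked "optional" (static or dynamic IP, server environment in puppet, subgroup) do not say what applies when they are omitted, whereas the group item already states "`default` if not specified". State the default for each. Reword "optional the server environment in puppet" and "optional the subgroup inside the group" so that "optional" is set off from the rest, for example "(optional) the subgroup inside the group". The "(RHEL7 & RHEL8 only)" remark would read better attached to the IP setting than placed after the example value.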
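Review bot: in the second hunk of admin-guide/deployment/sample.md (the "bob node set-attr logging-ra.psi.ch" block), the context line sets `puppet_role=role::log_server`, while the list at the top of the same file gives the role as `role::logging_server`. Since this block is being extended with `puppet_subgroup=collector`, align the two role names in the same change so the sample is consistent from the list through to the commands.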
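Review bot: in admin-guide/operations/deployment.rst, the new "and optional::" block lists `network=static` without the "(RHEL7 & RHEL8 only)" restriction that this patch adds for the same setting in sample.md, and it gives no defaults for any of the four optional attributes. Carry the restriction over and state what an unset `puppet_group`, `puppet_subgroup`, `network` and `puppet_env` resolve to. "and optional::" should read "and optionally::", and the hunk leaves an extra blank line before "Redeployment".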
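Review bot: in the hierarchy hunk of admin-guide/puppet/hiera.rst, the precedence of the global layer needs to be spelled out. It is level 6, below the four layers that the new text says admins can edit in their hiera git repository, so with "first will be considered first" a node, subgroup, group or sysdb environment file overrides any key set in `/srv/puppet/data/global/global.yaml`. If the centrally managed settings (the text names license management) are meant to be authoritative, document that and how it is ensured; if overriding is intended, say so explicitly. Smaller points in the same hunk: "filesysystem" should be "filesystem", "Depending if" should be "Depending on whether", and "eg." should be "e.g.".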
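Review bot: in the Example hunk of admin-guide/puppet/hiera.rst, the tree paths do not match the numbered path list added earlier in this patch. The tree shows `code/{prod,preprod}/server_$SERVERNAME.yaml` and `code/{prod,preprod}/common.yaml`, while the list places both files under `%{::environment}/data/`, and the removed line used `code/environments/{prod,preprod}/common.yaml`. Pick one layout and use it in both places. The tree also has no file for the subgroup level (path 2, `%{::sysdb_env}/%{::group}/%{::subgroup}.yaml`), although the example defines subgroup `compute` in `merlin4`; add one under `data/hpc/merlin4/` so the example exercises the layer this patch documents.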