Publish our Puppet manifests
Ideally, all secrets should be in dedicated, private Puppet modules, and we could publish our Puppet manifests.
I propose we give up on publishing our full set of manifests, reject this ticket, and instead do this:
- When we do #16958, if we use the roles/profiles/classes design pattern, most likely we will create new public Puppet classes that include the bits and pieces we already have published. This will de facto move stuff from our private manifests to public repos and provide the higher-level view of how bits and pieces are glued together, which is currently missing for the greatest part in our public Puppet code.
- Furthermore, while doing #6922, we will surely notice pain points that are caused by information or code being available only in our private manifests. And then we can figure out a good way to solve each such problem, be it via documentation or by moving more code to public Puppet modules (and doing whatever refactoring it takes).
Rationale: IMO, publishing our manifests should not be a goal in itself. It's a means to reach other goals, i.e.:
- Make it easier for our sysadmins to develop improvements and new features locally instead of doing that in our production environment.
- Make it easier for other folks to contribute to the code that drives our infra, be it by auditing it or improving it.
I believe the alternate strategy I'm proposing will bring us closer to these goals than simply publishing our Puppet manifests. Thoughts?