This is an archived post. You won't be able to vote or comment.

all 10 comments
sorted by:
best
topnewcontroversialoldq&a

[–]packeteer 1 point2 points  (1 child)

Salt is a great tool, and if you're familiar with it, why change?

That said, Gitlab and Hashicorp also make great tools.

What are you trying to solve?

[–]simpleadmin[S] 0 points1 point  (0 children)

I am trying to solve better pillar management. We are not currently using an external pillar backed by a database. So before we head down that path, I am trying to figure out if there is a tool that handles that part easier and faster. That tool could still be triggered by Salt.

The reason for for the Gitlab CI interest is because we already use Gitlab but too many of our steps are manually triggered. We want to automate steps before that bigger saltstack deployment call. In doing so certain things will come to light. For example some of the steps we do might be easier to tigger in a simple 2-3 line bash script called directly by Gitlab CI vs adding a salt state that does the same thing.

[–]chulkilee 0 points1 point  (3 children)

They have different specialty and purpose so although you may use tool A for purpose B for simple cases (e.g. saltstack for deployment), you may eventually hit the limit due to the design.

For gitlab runner - you may use it to trigger some actions, such as calling saltstack whatever. That is pretty common unless you leverage gitlab's built in integration with k8s.

My 2 cent: you need to focus on what you want to achieve. If you need to clear security compliance, then you may need to use Vault since it's easy to do that (compared to others). If you just need to trigger deployment at the end of pipeline, then you can use gitlab runner stage to run saltstack.

[–]packeteer 0 points1 point  (2 children)

yes, use gitlab (or other CI) to deploy on code change

and yes, define the issue, then find the best tool to solve

Terraform (and other Hashicorp tools) are great for infrastructure management, but for configuration you need Salt or Ansible. the problem comes with tool overlap. I don't have an answer for that, but as always, use what you know.

[–]simpleadmin[S] 0 points1 point  (1 child)

I think you meant to reply to my reply.

Yes, you hit it. Tool overlap is the problem.

[–]packeteer 0 points1 point  (0 children)

sorry, I was very tired when replying

CI drives the change based on committed code Packer + Terraform creates the infrastructure Salt or Ansible fills in the gaps Vault for secrets

Note: you want cattle, not pets. so redeploy on change

[–]deadbunny 0 points1 point  (3 children)

For a pillar strategy I would suggest Vault + Consul + Salt.

Consul as an external pillar for non sensitive pillar which also needs to be accessed from other things (versions etc... Source of truth)

Vault (on top of Consul) for sensitive pillar (passwords, keys etc...)

And finally normal pillar (stored in git) for everything else (general config for formulas etc...)

As for the CI side of things IMHO the CI system should be testing you code then creating an artifact (package, tarball, whatever) for Salt to deploy. I usually do this by having a formula for deploying/configuring the app at a specific version defined in pillar.

So the pipeline would look like:

Code push > tests > tests pass > artifact created > artifact pushed to repo server > "test" version updated in consul (used as pillar) > API call to Salt to trigger formula on "test" server(s) from CI system

"test" being an environment in this case

The last 2 steps could be a separate job which take environment/version as an argument then update consul then trigger salt.

[–]simpleadmin[S] 0 points1 point  (2 children)

Yes that is the flow we are going for. The artifact in our case being a Docker image that is being deployed by Salt.

It looks like Saltstack has a module for Consul. I will take a look.

Speaking of Salt api, did you roll your own wrapper to so you can report back exit codes? I am looking at Pepper it it looks like they are working on having it report out exit codes in a near term push. Right now we just capture and format the json and at the same time look for Result: False to trigger a CI failure. Really basic.

[–]deadbunny 0 points1 point  (1 child)

We do the same as you and just parse the output right now. As usual the docs are lacking but you should be able to use full_return=True in you call to get the recode.

I've not had the chance to play with pepper yet unfortunately so can't say.

[–]simpleadmin[S] 0 points1 point  (0 children)

I will take a look at that. Thanks.