On Thursday, May 9, 2013 10:18:21 AM UTC-5, Aaron Mills wrote:
>
> Hmm..it seems like a pretty basic use case is an accompanying gpg file for
> each level of a hierarchy, just to store things like passwords, or
> sensitive data. Minimizing the use of things like hiera's 3.x data bindings
> to gain speed in hiera-gpg lookups feels like throwing the baby out with
> the bathwater.
>
> I wonder how difficult (read: secure) it would be to cache the data across
> calls. An md5sum could be used to determine whether the contents of a .gpg
> file have changed since the last lookup. Instead of decrypting each file
> for every call, hiera-gpg can do something like:
>
> - Calculate an md5sum of the .gpg files, and the data from these files
>   stored in memory, redis, or wherever.
> - When asked for a variable, do an md5sum of the .gpg file and, if the
>   values are the same, return the data from memory
> - If the hash values don't match, reload the data from the .gpg file.
>
> Seems like this would be slightly faster than having to fully decrypt the
> contents of each file for every parameter lookup.
>

I think caching might be a viable way to go, but there is the issue of recognizing when to invalidate cache entries. I don't like the md5 approach very well, because it's still a fairly expensive computation to perform so frequently. Better, I think, would be to simply clear the cache once at the beginning of each catalog compilation. I would not be worried about changes between two lookups during the same catalog run, because it is not a clear win to always pull the very freshest value for each item at the cost of possibly getting inconsistent data by pulling items from different versions of the same file. Indeed, my inclination would be to prefer consistency.

I don't use the :gpg: backend myself, but if someone cares enough to write it up, this looks like a viable enhancement request. I'm not sure where that would need to go, however, since hiera-gpg is not a PuppetLabs project. Craig hangs around here, so maybe he'll see this, but I would not assume he will.

John
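
The per-compilation invalidation discussed in this thread, sketched in Ruby as an added example (not code from hiera-gpg or from either poster). The class name `CompilationScopedCache`, the `begin_compilation` hook and the `decryptor` callable are assumptions standing in for the backend's real GPG call, and the sample data is constructed.

```ruby
require 'yaml'

# Hypothetical cache: decrypted data lives in process memory for one
# catalog compilation only, then is discarded.
class CompilationScopedCache
  attr_reader :decrypt_calls

  # decryptor: callable taking a .gpg path and returning decrypted YAML text
  # (assumption; a real backend would invoke GPG here).
  def initialize(decryptor)
    @decryptor = decryptor
    @data = {}
    @decrypt_calls = 0
  end

  # Call once at the start of each catalog compilation: drops all plaintext.
  def begin_compilation
    @data.clear
  end

  # Decrypts each file at most once per compilation, so every lookup in
  # that compilation reads the same snapshot of the file.
  def lookup(path, key)
    @data[path] ||= begin
      @decrypt_calls += 1
      YAML.safe_load(@decryptor.call(path)) || {}
    end
    @data[path][key]
  end
end

def demo
  # Constructed sample: a hash standing in for encrypted files on disk.
  store = { 'common.gpg' => "db_password: old-secret\ndb_user: app\n" }
  cache = CompilationScopedCache.new(->(path) { store.fetch(path) })

  cache.begin_compilation
  first = cache.lookup('common.gpg', 'db_password')
  # The file changes in the middle of the compilation...
  store['common.gpg'] = "db_password: new-secret\ndb_user: app2\n"
  # ...but this lookup still comes from the snapshot taken above.
  user = cache.lookup('common.gpg', 'db_user')

  cache.begin_compilation # next compilation picks up the new file
  second = cache.lookup('common.gpg', 'db_password')
  [first, user, second, cache.decrypt_calls]
end
```

Two compilations cost two decryptions regardless of how many keys are looked up, and no hash of the file is computed per lookup.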
