One thing we do a lot of at Puppet Labs is release product. And every time we make a major product release, I have to go through and update our training material. I validate all the exercises and examples and code snippets. And when we make UI refreshes I have to take all new screenshots. That doesn't sound like much--it's just taking some pictures, right? Well, yeah... but what am I going to take pictures of? Just firing up a master and screenshotting away isn't very interesting or informing.
If you've used Puppet for anything non-trivial, you've almost certainly used it to configure something secret. Perhaps you've configured an application with a database password. Perhaps you've configured a local maintenance user account with a private SSH key. Something that might seem obvious in retrospect is that these secrets exist in the catalog--and by extension all reports and any other tooling that uses them. Anyone with access to the catalog or raw reports also has access to your secrets. All your secrets.
You may have read some docs, or stopped by the #puppet IRC channel. You've likely read a blog post or two. You've probably run across the word idempotence or have been chastised for writing non-idempotent Puppet code with exec resources. But what exactly does that mean? Here's a definition that you might see in a calculus class.
Welcome back; gather 'round. Today we're going to talk about a topic we've all been wondering how to bring up. We'll be talking about leakage--no, not that kind of leakage! (Those of you too young to get that joke are highly encouraged to not go look up the history of Olestra.)
Update: In many cases, environments no longer leak on Puppet 4.8 and above.