Environmental wrapper cookbooks vs policy files


#1

Hi,

A question to fellow Chefs that used cookbooks across multiple environments.

I’m using environment wrapper cookbooks to cater for DEV, TST, STG and PROD, but it’s been mentioned that policy files are a new, better process.

If we plan to use Automate with workflows, what’s the best approach, and does anyone have experience they can share on what works / doesn’t work?

many thanks

David


#2

Sadly policyfile support is no longer being actively developed by Chef - it’s now a community project. That being said, there was a great Food Fight podcast episode on the topic if you want to know more about the state of policyfiles when the project transitioned back in 2016: http://foodfightshow.org/2016/12/policy-files.html I don’t think policyfiles really helped with environment management beyond reducing the number of files that you needed to maintain.

IMHO environment wrappers, environments, role cookbooks, roles are the way to go. The real purpose of all these things is to virtually group together a set of servers/nodes for an intended purpose. Workflow has great support for environments (and the other variants).

One thing that you may want to consider is using feature flags - that can greatly reduce the number of necessary environments. This may or may not fit in your current workflow, but I would say this is something to consider evolving your workflow to - https://readwrite.com/2016/01/22/staging-servers/ Any language that supports conditional statements supports feature flags, and you can easily use attributes to represent feature toggles/feature flags in your Chef code. Feature flags are another way to virtually group together a set of servers/nodes - and in Chef this can be something attribute-driven.


#3

Also Jez Humble gave a great ChefConf presentation on the use of feature flags at a previous ChefConf: https://www.youtube.com/watch?v=oX8af9kLhlk


#4

This is incorrect. Chef does not have plans to add major new functionality to the feature, but it’s basically complete already. Support for policyfiles has been added to the visibility/insights portion of Automate somewhat recently. In addition, Chef has recently added support for a few new features in policyfiles, as defined in these RFCs:

The workflow portion of Automate does not support policyfiles out of the box, and some custom development (expert) would be required to add it yourself, so if you are very interested in using Chef Workflow then the easiest path would be to follow the patterns that the delivery-truck cookbook assumes.


#5

Thanks Daniel - there you have it from the creator of policyfiles. Yeah, that’s why I don’t use them, because Workflow/Chef Delivery doesn’t support policyfiles.


#6

Many thanks for both your responses @kallistec & @misheska.

@kallistec you mention that policy files don’t work natively with Automate out of the box - is Chef planning to update your platform to cater for this?

Just to confirm, I’ve not learnt the “patterns that the delivery-truck cookbook assumes” yet so I’m just trying to do as much learning up front before we upgrade Chef to Chef Automate and ensure we move in the right direction.

Sounds like I need to investigate how wrapper cookbooks work with the Chef delivery-truck process and if in the future Policy files work with Chef Automate out of the box … revisit it then.

many thanks


#7

FYI: When you generate a cookbook with the ChefDK it also generates a .delivery directory for Workflow - that is the thing that references delivery-truck - in .delivery/build-cookbook/Berksfile. That is basically hardcoded to look for a Berksfile.

Listen to the Food Fight podcast on policyfiles I mentioned. I think that will provide you with all the information you need about the pros and cons of using policyfiles. (Daniel is even on that show talking about policyfiles grin).