The Labs puppetmaster did not and does not support exported resources, and it is technically impossible to do so in a multi-project environment. This led to the current setup where, for example, each host writes its SSH host key into a file on NFS, grid hosts identify themselves in the same way, etc.
However, now all Toolforge instances are served by a project-specific puppetmaster. If (AFAIUI) PuppetDB is set up on this puppetmaster, exported resources should work and could be used, for example, for:
- sharing SSH host keys natively,
- using simple puppetry to identify submit hosts, execution nodes, etc., and
- sharing credentials for Kubernetes, i.e. no cherry-picks on labs/private necessary.
At the moment, role::puppetmaster::standalone does not seem to have an easy option to enable PuppetDB, so this needs to be done first.
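
For illustration, the SSH host key case from the list above could look like the following once PuppetDB is available. This is an added example, not code from the task or from the Toolforge Puppet tree; the class name `profile::toolforge::ssh_known_hosts` and the tag `toolforge_host` are hypothetical, and it assumes the puppetmaster has storeconfigs backed by PuppetDB and that the `sshkey` type is installed.

```puppet
# Hypothetical profile class (name is an assumption, not from the Toolforge tree).
class profile::toolforge::ssh_known_hosts {

  # Export this host's ed25519 host key to PuppetDB. The '@@' prefix makes the
  # resource exported: it is stored, not applied locally, until it is collected.
  @@sshkey { $facts['networking']['fqdn']:
    ensure       => present,
    type         => 'ssh-ed25519',
    key          => $facts['ssh']['ed25519']['key'],
    host_aliases => [
      $facts['networking']['hostname'],
      $facts['networking']['ip'],
    ],
    # Hypothetical tag, used to limit what the collector below pulls in.
    tag          => 'toolforge_host',
  }

  # Collect the keys exported by all nodes of this puppetmaster into the
  # system-wide known_hosts file (the sshkey type's default target).
  # Note: the exporting node controls the title and key it exports, so this
  # trusts every node whose catalog is compiled by this puppetmaster.
  Sshkey <<| tag == 'toolforge_host' |>>

  # Remove known_hosts entries that are no longer in the catalog. Exports from
  # deleted instances stay in PuppetDB until the node is deactivated there.
  resources { 'sshkey':
    purge => true,
  }
}
```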