We currently have a basic mechanism that allows us to use puppet to store a file containing a secret on HDFS.
This mechanism is used several times within the profile::analytics::cluster::secrets class.
However, there is an issue in that it only creates the file on HDFS if it is not present. It does not update the file if and when the password in the private repository changes. This will inevitably lead to configuration drift and/or a reticence to rotate the passwords.
It would be helpful if we could have a new hdfs::file defined type in puppet, which would let us keep these secrets in sync and delete them once they are no longer required.
We have a number of places where this functionality would prove useful in the near future.