git + POSIX sh + ssh forced commands Each app is its own repo in git. If I'm lucky, I'm using gitlab which allows me to have folder hierarchy to identify apps by function (e.g. apps for the CM, apps for the SHD, apps for the DS to push to the UFs). Then, I built a shell script that is attached to a forced command in ~splunk/.ssh/authorized_keys so when you authenticate to that account, you pass the name of a repo. It validates that is a valid repo, git pulls the main branch of that repo, then uses a token attached to a local Splunk user that only has the deployment permissions to deploy the update (e.g. `splunk reload deploy-server` or the SHD deployment command sequence). Repos intended to be updated by non-admins, I lock the repo so it can't get administrative config files (e.g. authentication.conf) by push rules.
... View more