Quantcast
Channel: Ask Puppet: Puppet DevOps Q&A Community - RSS feed
Viewing all articles
Browse latest Browse all 6104

realistic catalog testing

June 22, 2017, 1:45 am
$
0
0
I would like to perform catalog tests using `puppet master --compile nb18.int.our --environment our_workstations` as a precondition to perform major refactorings in our huge puppet setup. Catalog compilation seems to be a good alternative to test drive the effects of major code refactorings. Why do i not use solutions like https://github.com/invadersmustdie/puppet-catalog-test? - i want to test the catalog compilation with the same facts like in production - i do not want to define duplicate definitions of hosts and facts in my catalog-test-suite - i want to discover problems like dependency cycles - i want to use the real puppet-agent - i want to get the json-catalog dump to analyze the characteristics of changes ... The fact that `puppet master --compile ...` fetches recent data from puppetdb is very attractive for me. So i tried to setup a automated process in my ci system. My state of implementing catalog-tests: - created a docker image (this allows me to run a setup, which is very similar to the production setup) - deployed a 4.10 puppet agent to this image - deployed all the needed files to this image (hiera, modules, config, ca-files, ...) - created and signed the certificate for the puppet-agent in the docker container - allowed the ci host/my workstation which runs the catalog tests to connect to puppetdb (network) Now i can run catalog tests on my workstation or my ci-host, but from a security view i am very unhappy with this: - you have to use the production puppet db for tests => there is potential that testdata is written to puppetdb although storeconfig=false is set => i haven't seem a possibility to restrict certain certificates read-access, limited data, ... - the ca-certificate have to distributed over developer and ci-systems => In theory/my understanding it should not be necessary to have the private ca-certificate to execute a `--compile`, because the process just needs to perform a connect to the puppetdb to create the catalog. (all i need is a certificate pair which is signed by the ca?) => In reality "puppet master --compile" needs the following files: - /etc/puppetlabs/puppet/ssl/ca/ca_key.pem (The private key of the CA *sigh*) - /etc/puppetlabs/puppet/ssl/crl.pem - /etc/puppetlabs/puppet/ssl/private_keys/puppet1.cloud-our.net.net.pem - /etc/puppetlabs/puppet/ssl/certs/puppet1.cloud-our.net.pem - /opt/puppetlabs/puppet/ssl/cert.pem => This is is not acceptable. What is the best way to run catalog tests with puppet 4.10 (puppet 5, in future)?
Search
Viewing all articles
Browse latest Browse all 6104
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>