Channel: Ask Puppet: Puppet DevOps Q&A Community - RSS feed

realistic catalog testing

I would like to perform catalog tests using `puppet master --compile nb18.int.our --environment our_workstations` as a precondition to performing major refactorings in our huge Puppet setup. Catalog compilation seems to be a good alternative to test-drive the effects of major code refactorings.

Why do I not use solutions like https://github.com/invadersmustdie/puppet-catalog-test?

- I want to test the catalog compilation with the same facts as in production
- I do not want to define duplicate definitions of hosts and facts in my catalog-test-suite
- I want to discover problems like dependency cycles
- I want to use the real puppet-agent
- I want to get the JSON catalog dump to analyze the characteristics of changes
- ...

The fact that `puppet master --compile ...` fetches recent data from PuppetDB is very attractive for me. So I tried to set up an automated process in my CI system.

My state of implementing catalog tests:

- created a Docker image (this allows me to run a setup which is very similar to the production setup)
- deployed a 4.10 puppet agent to this image
- deployed all the needed files to this image (hiera, modules, config, ca-files, ...)
- created and signed the certificate for the puppet-agent in the Docker container
- allowed the CI host/my workstation which runs the catalog tests to connect to PuppetDB (network)

Now I can run catalog tests on my workstation or my CI host, but from a security view I am very unhappy with this:

- you have to use the production PuppetDB for tests
  => there is potential that test data is written to PuppetDB although `storeconfig=false` is set
  => I haven't seen a possibility to restrict certain certificates to read-access, limited data, ...
- the CA certificate has to be distributed over developer and CI systems
  => In theory/my understanding it should not be necessary to have the private CA certificate to execute a `--compile`, because the process just needs to perform a connect to PuppetDB to create the catalog (all I need is a certificate pair which is signed by the CA?)
  => In reality `puppet master --compile` needs the following files:
    - /etc/puppetlabs/puppet/ssl/ca/ca_key.pem (the private key of the CA *sigh*)
    - /etc/puppetlabs/puppet/ssl/crl.pem
    - /etc/puppetlabs/puppet/ssl/private_keys/puppet1.cloud-our.net.net.pem
    - /etc/puppetlabs/puppet/ssl/certs/puppet1.cloud-our.net.pem
    - /opt/puppetlabs/puppet/ssl/cert.pem
  => This is not acceptable.

What is the best way to run catalog tests with Puppet 4.10 (Puppet 5 in future)?
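Two of the goals in the question, analyzing the characteristics of changes from the JSON catalog dump and discovering dependency cycles before a refactoring lands, can be checked offline once the dump exists, without any further contact with PuppetDB or the CA. The script below is an added example for this thread, not code from the Ask Puppet post or from Puppet itself. It assumes the catalog layout that `puppet master --compile` prints in Puppet 4 (a top-level `resources` list of objects with `type`, `title` and `parameters`, and an `edges` list of `source`/`target` containment pairs); the two catalogs embedded in it are constructed sample data, and the host name, resource names and file paths in them are made up.

```python
"""Diff two Puppet JSON catalog dumps and check them for dependency cycles.

Added example for this thread (not code from Puppet or the poster). Assumes the
Puppet 4 catalog JSON layout: "resources" = [{"type", "title", "parameters"}],
"edges" = [{"source", "target"}] (containment). Sample catalogs are constructed.
"""
import json
from typing import Any, Dict, List, Optional, Set

# Constructed "before refactoring" catalog (sample data, not a real dump).
CATALOG_BEFORE: Dict[str, Any] = {
    "name": "nb18.example.invalid", "environment": "our_workstations",
    "resources": [
        {"type": "Class", "title": "Main", "parameters": {}},
        {"type": "Package", "title": "nginx", "parameters": {"ensure": "present"}},
        {"type": "File", "title": "/etc/nginx/nginx.conf",
         "parameters": {"ensure": "file", "mode": "0644", "require": "Package[nginx]"}},
        {"type": "Service", "title": "nginx",
         "parameters": {"ensure": "running", "subscribe": "File[/etc/nginx/nginx.conf]"}},
    ],
    "edges": [
        {"source": "Class[Main]", "target": "Package[nginx]"},
        {"source": "Class[Main]", "target": "File[/etc/nginx/nginx.conf]"},
        {"source": "Class[Main]", "target": "Service[nginx]"},
    ],
}

# Constructed "after refactoring" catalog: a new resource, a changed mode, and a
# `require` on the package that closes a Package -> File -> Service -> Package cycle.
CATALOG_AFTER: Dict[str, Any] = json.loads(json.dumps(CATALOG_BEFORE))
CATALOG_AFTER["resources"][1]["parameters"]["require"] = "Service[nginx]"
CATALOG_AFTER["resources"][2]["parameters"]["mode"] = "0600"
CATALOG_AFTER["resources"].append(
    {"type": "File", "title": "/etc/nginx/conf.d",
     "parameters": {"ensure": "directory", "require": "Package[nginx]"}})
CATALOG_AFTER["edges"].append({"source": "Class[Main]", "target": "File[/etc/nginx/conf.d]"})


def load_catalog(path: str) -> Dict[str, Any]:
    """Read a dump written with `puppet master --compile ... > catalog.json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def as_list(value: Any) -> List[str]:
    """Relationship metaparameters are either one "Type[title]" string or a list."""
    if value is None:
        return []
    return [str(v) for v in value] if isinstance(value, list) else [str(value)]


def resource_key(resource: Dict[str, Any]) -> str:
    return f"{resource['type']}[{resource['title']}]"


def index_resources(catalog: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    return {resource_key(r): r.get("parameters", {}) for r in catalog["resources"]}


def diff_catalogs(before: Dict[str, Any], after: Dict[str, Any]) -> Dict[str, Any]:
    """Report added/removed resources and per-parameter (old, new) changes."""
    old, new = index_resources(before), index_resources(after)
    changed: Dict[str, Dict[str, Any]] = {}
    for key in sorted(set(old) & set(new)):
        delta = {p: (old[key].get(p), new[key].get(p))
                 for p in sorted(set(old[key]) | set(new[key]))
                 if old[key].get(p) != new[key].get(p)}
        if delta:
            changed[key] = delta
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)), "changed": changed}


def build_relationship_graph(catalog: Dict[str, Any]) -> Dict[str, Set[str]]:
    """Directed graph: containment edges plus require/subscribe/before/notify.
    An edge a -> b means a must be applied before b."""
    graph: Dict[str, Set[str]] = {resource_key(r): set() for r in catalog["resources"]}
    for edge in catalog.get("edges", []):
        graph.setdefault(edge["source"], set()).add(edge["target"])
        graph.setdefault(edge["target"], set())
    for r in catalog["resources"]:
        me, params = resource_key(r), r.get("parameters", {})
        for other in as_list(params.get("require")) + as_list(params.get("subscribe")):
            graph.setdefault(other, set()).add(me)          # other runs before me
        for other in as_list(params.get("before")) + as_list(params.get("notify")):
            graph[me].add(other)                            # me runs before other
            graph.setdefault(other, set())
    return graph


def find_cycle(graph: Dict[str, Set[str]]) -> List[str]:
    """Return one cycle as a closed path [a, b, ..., a], or [] if the graph is acyclic."""
    colour = {n: 0 for n in graph}          # 0 unvisited, 1 on stack, 2 done
    path: List[str] = []

    def visit(node: str) -> Optional[List[str]]:
        colour[node] = 1
        path.append(node)
        for nxt in sorted(graph[node]):
            if colour[nxt] == 1:
                return path[path.index(nxt):] + [nxt]
            if colour[nxt] == 0:
                found = visit(nxt)
                if found:
                    return found
        path.pop()
        colour[node] = 2
        return None

    for node in sorted(graph):
        if colour[node] == 0:
            found = visit(node)
            if found:
                return found
    return []


if __name__ == "__main__":
    print(json.dumps(diff_catalogs(CATALOG_BEFORE, CATALOG_AFTER), indent=2))
    print("cycle:", " -> ".join(find_cycle(build_relationship_graph(CATALOG_AFTER))) or "none")
```

Run against real dumps by replacing the two constructed catalogs with `load_catalog("before.json")` and `load_catalog("after.json")`; a non-empty result from `find_cycle` is a reason to fail the CI job before the refactoring is applied anywhere. Note that `edges` in the dump are containment edges, not ordering edges; the graph builder treats a container as preceding its contents and adds the ordering from the four relationship metaparameters, which is what the sample cycle above is detected through.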
