I would like to perform catalog tests using `puppet master --compile nb18.int.our --environment our_workstations` as a precondition for performing major refactorings in our huge Puppet setup.
Catalog compilation seems to be a good alternative to test-drive the effects of major code refactorings.
Why do I not use solutions like https://github.com/invadersmustdie/puppet-catalog-test?
- I want to test the catalog compilation with the same facts as in production
- I do not want to define duplicate definitions of hosts and facts in my catalog-test suite
- I want to discover problems like dependency cycles
- I want to use the real puppet-agent
- I want to get the JSON catalog dump to analyze the characteristics of changes
...
The fact that `puppet master --compile ...` fetches recent data from PuppetDB is very attractive to me.
So I tried to set up an automated process in my CI system.
My state of implementing catalog-tests:
- created a Docker image
  (this allows me to run a setup which is very similar to the production setup)
- deployed a 4.10 puppet agent to this image
- deployed all the needed files to this image
  (hiera, modules, config, CA files, ...)
- created and signed the certificate for the puppet-agent in the Docker container
- allowed the CI host/my workstation which runs the catalog tests to connect to PuppetDB (network)
Now I can run catalog tests on my workstation or my CI host, but from a security point of view I am very unhappy with this:
- you have to use the production PuppetDB for tests
  => there is potential that test data is written to PuppetDB although storeconfig=false is set
  => I haven't seen a possibility to restrict certain certificates to read access, limited data, ...
- the CA certificate has to be distributed over developer and CI systems
  => In theory/my understanding it should not be necessary to have the private CA certificate to execute a `--compile`, because the process just needs to connect to PuppetDB to create the catalog.
  (all I need is a certificate pair which is signed by the CA?)
  => In reality `puppet master --compile` needs the following files:
    - /etc/puppetlabs/puppet/ssl/ca/ca_key.pem (The private key of the CA *sigh*)
    - /etc/puppetlabs/puppet/ssl/crl.pem
    - /etc/puppetlabs/puppet/ssl/private_keys/puppet1.cloud-our.net.net.pem
    - /etc/puppetlabs/puppet/ssl/certs/puppet1.cloud-our.net.pem
    - /opt/puppetlabs/puppet/ssl/cert.pem
  => This is not acceptable.
What is the best way to run catalog tests with puppet 4.10 (puppet 5, in future)?
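Two of the goals listed above (discovering dependency cycles and analyzing the JSON catalog dump for changes) can be checked offline once the dump exists, without any further contact with PuppetDB or the CA. The following script is an added example and is not part of the original post or of any Puppet tool. It assumes the JSON layout that `puppet master --compile` prints: a `resources` list whose entries carry `type`, `title` and `parameters`, and an `edges` list of containment edges with `source`/`target` references of the form `Type[title]`. The two sample catalogs, the host name `nb18.example.test` and the `ntp` resources are constructed for this example.

```python
"""Find dependency cycles in a Puppet catalog dump and diff two dumps.

Added example (not from the original post). Assumes the JSON shape printed by
`puppet master --compile`: "resources" (type/title/parameters) and "edges"
(containment, source -> target). Sample data below is constructed.
"""
import json
from collections import defaultdict

# Relationship metaparameters and the edge direction they imply:
# "require"/"subscribe" on R create edges named -> R,
# "before"/"notify" on R create edges R -> named.
_INCOMING = ("require", "subscribe")
_OUTGOING = ("before", "notify")


def load_catalog(path):
    """Read a catalog JSON file written by `puppet master --compile`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def ref(resource):
    """Canonical reference for a resource, e.g. File[/etc/ntp.conf]."""
    return "%s[%s]" % (resource["type"], resource["title"])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def relationship_graph(catalog):
    """Directed graph: containment edges plus explicit relationship metaparameters."""
    graph = defaultdict(set)
    for edge in catalog.get("edges", []):
        graph[edge["source"]].add(edge["target"])
    for res in catalog["resources"]:
        me = ref(res)
        graph.setdefault(me, set())
        params = res.get("parameters", {})
        for key in _INCOMING:
            for other in _as_list(params.get(key, [])):
                graph[other].add(me)
        for key in _OUTGOING:
            for other in _as_list(params.get(key, [])):
                graph[me].add(other)
    return graph


def find_cycle(graph):
    """Return one cycle as a list of references (first == last), or None."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = defaultdict(int)  # unvisited nodes default to WHITE
    path = []

    def visit(node):
        colour[node] = GREY
        path.append(node)
        for nxt in sorted(graph.get(node, ())):
            if colour[nxt] == GREY:  # back edge: the cycle is closed here
                return path[path.index(nxt):] + [nxt]
            if colour[nxt] == WHITE:
                found = visit(nxt)
                if found:
                    return found
        path.pop()
        colour[node] = BLACK
        return None

    nodes = set(graph) | {t for targets in graph.values() for t in targets}
    for node in sorted(nodes):
        if colour[node] == WHITE:
            found = visit(node)
            if found:
                return found
    return None


def diff_catalogs(old, new):
    """Resources added/removed between two dumps, and parameters that changed."""
    old_res = {ref(r): r.get("parameters", {}) for r in old["resources"]}
    new_res = {ref(r): r.get("parameters", {}) for r in new["resources"]}
    changed = {}
    for key in sorted(set(old_res) & set(new_res)):
        a, b = old_res[key], new_res[key]
        delta = {p: (a.get(p), b.get(p)) for p in set(a) | set(b) if a.get(p) != b.get(p)}
        if delta:
            changed[key] = delta
    return {"added": sorted(set(new_res) - set(old_res)),
            "removed": sorted(set(old_res) - set(new_res)),
            "changed": changed}


# Constructed sample catalog; the 'before => Package[ntp]' on the Exec closes a loop.
BROKEN_CATALOG = {
    "name": "nb18.example.test", "environment": "our_workstations",
    "resources": [
        {"type": "Class", "title": "Main", "parameters": {}},
        {"type": "Package", "title": "ntp", "parameters": {"ensure": "present"}},
        {"type": "File", "title": "/etc/ntp.conf",
         "parameters": {"ensure": "file", "require": "Package[ntp]"}},
        {"type": "Service", "title": "ntp",
         "parameters": {"ensure": "running", "subscribe": "File[/etc/ntp.conf]"}},
        {"type": "Exec", "title": "reload-ntp",
         "parameters": {"command": "/bin/true", "require": "Service[ntp]",
                        "before": "Package[ntp]"}},
    ],
    "edges": [{"source": "Class[Main]", "target": t} for t in
              ("Package[ntp]", "File[/etc/ntp.conf]", "Service[ntp]", "Exec[reload-ntp]")],
}
# The "refactored" version: same catalog with the offending 'before' removed.
FIXED_CATALOG = json.loads(json.dumps(BROKEN_CATALOG))
del FIXED_CATALOG["resources"][4]["parameters"]["before"]

if __name__ == "__main__":
    import sys
    old, new = ((load_catalog(p) for p in sys.argv[1:3]) if len(sys.argv) == 3
                else (BROKEN_CATALOG, FIXED_CATALOG))
    for label, cat in (("old", old), ("new", new)):
        print(label, "cycle:", " -> ".join(find_cycle(relationship_graph(cat)) or ["none"]))
    print(json.dumps(diff_catalogs(old, new), indent=2))
```

Run it with two dump paths (`python catalog_check.py old.json new.json`) to compare the catalog before and after a refactoring; without arguments it runs on the built-in samples and reports the `Exec -> Package -> File -> Service -> Exec` loop for the broken one and an empty cycle plus a one-parameter diff for the fixed one. On very large catalogs the recursive DFS may need a higher `sys.setrecursionlimit`, or an iterative rewrite.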