Ask Your Question

realistic catalog testing

asked 2017-06-22 03:45:27 -0600

Marc Schöchlin gravatar image

I would like to perform catalog tests using puppet master --compile --environment our_workstations as a precondition to perform major refactorings in our huge puppet setup. Catalog compilation seems to be a good alternative to test drive the effects of major code refactorings.

Why do i not use solutions like

  • i want to test the catalog compilation with the same facts like in production
  • i do not want to define duplicate definitions of hosts and facts in my catalog-test-suite
  • i want to discover problems like dependency cycles
  • i want to use the real puppet-agent
  • i want to get the json-catalog dump to analyze the characteristics of changes ...

The fact that puppet master --compile ... fetches recent data from puppetdb is very attractive for me. So i tried to setup a automated process in my ci system.

My state of implementing catalog-tests:

  • created a docker image (this allows me to run a setup, which is very similar to the production setup)
  • deployed a 4.10 puppet agent to this image
  • deployed all the needed files to this image (hiera, modules, config, ca-files, ...)
  • created and signed the certificate for the puppet-agent in the docker container
  • allowed the ci host/my workstation which runs the catalog tests to connect to puppetdb (network)

Now i can run catalog tests on my workstation or my ci-host, but from a security view i am very unhappy with this:

  • you have to use the production puppet db for tests => there is potential that testdata is written to puppetdb although storeconfig=false is set => i haven't seem a possibility to restrict certain certificates read-access, limited data, ...
  • the ca-certificate have to distributed over developer and ci-systems => In theory/my understanding it should not be necessary to have the private ca-certificate to execute a --compile, because the process just needs to perform a connect to the puppetdb to create the catalog. (all i need is a certificate pair which is signed by the ca?) => In reality "puppet master --compile" needs the following files:
    • /etc/puppetlabs/puppet/ssl/ca/cakey.pem (The private key of the CA sigh)
    • /etc/puppetlabs/puppet/ssl/crl.pem
    • /etc/puppetlabs/puppet/ssl/privatekeys/
    • /etc/puppetlabs/puppet/ssl/certs/
    • /opt/puppetlabs/puppet/ssl/cert.pem => This is is not acceptable.

What is the best way to run catalog tests with puppet 4.10 (puppet 5, in future)?

edit retag flag offensive close merge delete

2 Answers

Sort by » oldest newest most voted

answered 2017-06-26 10:12:05 -0600

natemccurdy gravatar image

The Catalog Preview tool was designed for similar use cases:

edit flag offensive delete link more

answered 2017-06-22 09:09:11 -0600

DarylW gravatar image

Github came up with an interesting process for this called octocat-diff

It allows you to compile catalogs and diff them against canned facter data, data from other nodes, etc... I'm not sure if they integrated it into puppetdb.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2017-06-22 03:45:27 -0600

Seen: 169 times

Last updated: Jun 26 '17