Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Way of Testing with Test Kitchen #31

Open
thheinen opened this issue Jun 8, 2020 · 3 comments
Open

Way of Testing with Test Kitchen #31

thheinen opened this issue Jun 8, 2020 · 3 comments

Comments

@thheinen
Copy link
Contributor

thheinen commented Jun 8, 2020

Detailed Description

As kitchen-inspec supports loading InSpec Input plugins now, these will also be using in the TestKitchen context. To avoid having TK instances connect to production Vault (isolation issue) or developer-run Vault (network config headache), it would be good to have a facility to mock Vault outputs. This is basically the same as the chef-vault databack fallback.

Context

Currently developing a number of Vault-connected cookbooks/InSpec tests for a customer and in need to test those properly.

Possible Implementation

If I get feedback for one of these options (or another one), I will do the coding as it's needed anyway:

JSON/YAML file exchange

Could use the upload/lifecycle mechanics to get a file onto the kitchen instance, then via new plugin config connect those and use as source for mocked inputs.

This has some usability issues, as the configuration in TK will have multiple steps.

TestKitchen introspection

Have the mock data as a databag, like chef-vault and connect via the TK API to retrieve those, combined with a TestKitchen autodetection.

This is probably best from a usability perspective and matches a known concept, but due to the lack of proper TK APIs between verifiers/provisioners, the code is borderline acceptable as it requires metaprogramming. I have done this for the inspec-chef plugin though:
@james-stocks
Copy link

TK introspection seems like the better option to me, but would it be possible to let the user control whether mocking or real vault access happens?
I would wonder how many people would like to (or assume) their TK suites will access a real vault.

@thheinen
Copy link
Contributor Author

thheinen commented Jun 8, 2020

If we added a plugin setting databag_fallback defaulting to true, assuming that using mock data in Kitchen is the common use case, sure.

Only issue with that is that kitchen-inspec does not allow plugin config yet. I had a feeling the other day, that we would hit that soon anyway.

If you're ok with it, I could whip up some implementation like this and we tackle the plugin config afterwards, as it extends from the supposed "main" case (using fallback in kitchen) to the "niche" case. As InSpec plugins in TK are pretty new, the impact should be negligible?

@james-stocks
Copy link

Having mock data be the default and needing config to signal that a real vault connection should be used sounds good.
I think it should be clearly documented though (perhaps in a totally new "Testing" section in the README of this repo).

Thanks again Thomas!

@thheinen thheinen mentioned this issue Aug 7, 2020
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@james-stocks @thheinen