In the context of journalist email notification there is a need to test if the notification reaches the intended mailbox. For that to work we need integration tests able to provision mon and app servers that can then be targeted by testinfra scripts.
It could be done by adding to the existing testinfra subdirectory and use the mon and app servers available in the CI or spawned via vagrant up /staging/ and using the output of make build-deps.
However, since we’re trying to move away from vagrant, I propose to create a molecule staging scenario based on docker instead. It would mean less manual steps for the development trying locally and would not rely on vagrante. With the caveat that it would only be suitable for functional testing that do not involve kernel changes (iptables, grsec, sysctl, apparmor).
It is not meant to replace the staging tests currently running in the CI: they use real virtual machines and can verify all kernel changes are working as expected. It would complement it with a staging environment suitable for application level integration tests. We don’t have enough of those currently and making it easier to write and run them may change this for the best.
Before proposing this I tried to adapt the securedrop-staging ansible playbooks so it works on docker targets, to verify if it was doable without too much work. The diff is not too big and not too complex either.