Pre-prod testing


#1

The doc says:

After all tests pass, integration with online services must be verified manually with:

  • molecule create -s weblate
  • edit the gandi zone to set ns1-test to the IP of the bind-host VM
  • wait 1h for DNS propagation
  • ansible-playbook –private-key id_rsa –user debian -i openstack.py -e domain=test.securedrop.club securedrop-club-playbook.yml
  • manually verify weblate.test.securedrop.club etc. integration with online services such as GitHub authentication

Actually DNS delays are not due to propagation times, which are quicks. They are due to time-to-leave, i.e. the updates of an existing record is not took into account everywhere at the same time.

Imho we could dramatically reduce human intervention by creating a new test subdomain at each preprod test run. It could be something like test-hash.securedrop.club.

If such a domain is new at each run (the hash should help), then propagation is immediate and the domain/zone is usable immediately from everywhere on internet.

Btw this suppose that the ansible master as the right to update the main DNS zone when ansible run, which might induce coupling between tests and prod. To get rid of this, we could create a static intermediate subdomain (delegated) test.securedrop.club, hosted on bind-host and set with kind updates permissions (e.g. rndc run locally by the debian user). Then the Ansible master could setup a hash.test.securedrop.club domain and play there.


#2

That’s an excellent idea!


#3

So I work on it asap.

As a result, preprod will be a new molecule scenario, and the weblate one, only a weblate related scenario.


#4

Done here: http://lab.securedrop.club/main/securedrop-club/merge_requests/35