Pre-prod testing

The doc says:

After all tests pass, integration with online services must be verified manually with:

  • molecule create -s weblate
  • edit the gandi zone to set ns1-test to the IP of the bind-host VM
  • wait 1h for DNS propagation
  • ansible-playbook --private-key id_rsa --user debian -i -e securedrop-club-playbook.yml
  • manually verify etc. integration with online services such as GitHub authentication

Actually DNS delays are not due to propagation times, which are quick. They are due to time-to-live, i.e. updates of an existing record are not taken into account everywhere at the same time.

Imho we could dramatically reduce human intervention by creating a new test subdomain at each preprod test run. It could be something like

If such a domain is new at each run (the hash should help), then propagation is immediate and the domain/zone is usable immediately from everywhere on the internet.

Btw this supposes that the Ansible master has the right to update the main DNS zone when Ansible runs, which might induce coupling between tests and prod. To get rid of this, we could create a static intermediate subdomain (delegated), hosted on bind-host and set with kind update permissions (e.g. rndc run locally by the debian user). Then the Ansible master could set up a domain and play there.

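A sketch of the per-run subdomain idea from the post above, as an added example that is not part of the thread or the project's code: it derives a fresh label from a run identifier and builds update scripts that refuse any name outside the delegated test zone. The zone name `preprod.example.org.`, the 60-second TTL, the function names and the use of `nsupdate` scripts (rather than `rndc`) are assumptions.

```python
import hashlib
import ipaddress
import re

# Assumptions, not from the thread: zone name, TTL and the use of nsupdate.
TEST_ZONE = "preprod.example.org."  # placeholder for the delegated test zone
RECORD_TTL = 60                     # seconds; records are throwaway
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def run_label(run_id: str, prefix: str = "run") -> str:
    """Derive a DNS label that is new for every test run."""
    digest = hashlib.sha256(run_id.encode("utf-8")).hexdigest()[:12]
    label = f"{prefix}-{digest}"
    if not LABEL_RE.match(label):
        raise ValueError(f"invalid DNS label: {label!r}")
    return label


def require_in_zone(name: str, zone: str = TEST_ZONE) -> str:
    """Refuse any name outside the delegated zone, so tests cannot touch prod."""
    if not zone.endswith(".") or not name.lower().endswith("." + zone.lower()):
        raise ValueError(f"{name!r} is not inside {zone!r}")
    return name


def add_batch(run_id: str, ip: str, server: str, zone: str = TEST_ZONE) -> str:
    """nsupdate script that creates the per-run record in the test zone only."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on anything but an IP
    rtype = "A" if addr.version == 4 else "AAAA"
    name = require_in_zone(f"{run_label(run_id)}.{zone}", zone)
    lines = [
        f"server {server}",
        f"zone {zone}",
        f"prereq nxdomain {name}",  # the update fails if the name already exists
        f"update add {name} {RECORD_TTL} {rtype} {addr}",
        "send",
    ]
    return "\n".join(lines) + "\n"


def delete_batch(name: str, server: str, zone: str = TEST_ZONE) -> str:
    """nsupdate script that removes a run's record after the test."""
    name = require_in_zone(name, zone)
    return f"server {server}\nzone {zone}\nupdate delete {name}\nsend\n"
```

The returned text is meant to be fed to `nsupdate` with a key that is only authorised for the test zone, so a compromised or misbehaving test run cannot modify production records.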

That’s an excellent idea!

So I'll work on it asap.

As a result, preprod will be a new molecule scenario, and the weblate one, only a weblate-related scenario.

Done here:
