Opened 5 months ago

Last modified 3 months ago

#31226 new enhancement

add validation checks in puppet

Reported by: anarcat
Owned by: tpa
Priority: Medium
Component: Internal Services/Tor Sysadmin Team
Severity: Normal

Description

we often do "YOLO" (You Only Live Once) commits in Puppet because of silly syntax errors and typos that could be caught by automated systems. even just a simple git hook checking for syntax errors in manifests would be an improvement, but we could also run tests and so on.

Change History (5)

comment:2 Changed 4 months ago by anarcat

after reviewing koumbit's hook, i figured i would give drwahl's hooks a try. they are similar, but the latter is better designed and modular.

I've audited the source and cloned it on pauli, stopping just shy of hooking it into the normal git hooks. instead, i've configured it locally, as a pre-commit hook, to see how it behaves. when I'm satisfied by that, i'll deploy it in production.

comment:3 Changed 4 months ago by anarcat

The following packages are used by the check:

  • librarian-puppet
  • puppet-strings
  • ruby-rspec
  • r10k

... and probably more, those were just the ones missing on my machine.

one big downside with such a check is that it will fail if the modified file has *any* linting error, even if it wasn't introduced by the commit. this means deploying this will lead to significant churn in the codebase as we'll need to lint each file we touch in the future...

kind of annoying, but i can't think of a way around that without disabling linting. but maybe it's a good way to start: even without linting, we would catch other syntax errors, run tests, etc...

comment:4 Changed 4 months ago by anarcat

the workaround I've found is to set this in puppet-git-hooks/commit_hooks/config.cfg:

CHECK_PUPPET_LINT="permissive" # enabled, permissive or disabled (permissive runs but return code is ignored)
CHECK_PUPPET_DOCS="permissive" # enabled, permissive or disabled (permissive runs but return code is ignored)

That keeps the warnings, but makes them "soft".
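
A minimal sketch of the three check modes quoted in comment:4, written as a pre-commit hook. It is an added example, not part of the ticket and not code from puppet-git-hooks. Only `CHECK_PUPPET_LINT` and its values `enabled`, `permissive` and `disabled` come from the ticket; `CHECK_PUPPET_SYNTAX`, `run_check` and `check_staged_manifests` are hypothetical names, and `puppet` and `puppet-lint` are assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not code from puppet-git-hooks. Only CHECK_PUPPET_LINT and its
# three values come from the ticket; every other name here is hypothetical.
CHECK_PUPPET_SYNTAX="${CHECK_PUPPET_SYNTAX:-enabled}"  # assumed setting name
CHECK_PUPPET_LINT="${CHECK_PUPPET_LINT:-permissive}"

# run_check MODE LABEL COMMAND [ARGS...]
#   enabled:    run the command and return 1 if it fails
#   permissive: run it, report a failure, but return 0
#   disabled:   do not run it
# An unknown mode returns 2, so a typo in the config cannot silently skip a check.
run_check() {
    mode=$1
    label=$2
    shift 2
    case "$mode" in
        disabled) return 0 ;;
        enabled|permissive) ;;
        *) echo "$label: unknown mode '$mode'" >&2; return 2 ;;
    esac
    if "$@"; then
        return 0
    fi
    if [ "$mode" = permissive ]; then
        echo "$label: failed (permissive, commit not blocked)" >&2
        return 0
    fi
    echo "$label: failed" >&2
    return 1
}

# Check the working-tree copy of every staged (added, copied, modified) manifest.
check_staged_manifests() {
    git diff --cached --name-only --diff-filter=ACM -- '*.pp' | (
        status=0
        while IFS= read -r f; do
            run_check "$CHECK_PUPPET_SYNTAX" "syntax $f" \
                puppet parser validate "$f" </dev/null || status=1
            run_check "$CHECK_PUPPET_LINT" "lint $f" \
                puppet-lint --fail-on-warnings "$f" </dev/null || status=1
        done
        exit "$status"
    )
}

# Act only when installed as .git/hooks/pre-commit.
if [ "${0##*/}" = "pre-commit" ]; then
    check_staged_manifests || exit 1
fi
```

With the syntax check `enabled` and lint `permissive`, a manifest that fails to parse blocks the commit, while lint findings in a touched file are printed without blocking it.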

comment:5 Changed 3 months ago by anarcat

update: i'm using this fork of the validator: https://github.com/cmeissner/puppet-git-hooks

it has a few improvements, most notably a better handling of missing yaml-lint requirements.
