We’re in the process of incorporating Chef into our existing CI pipeline based on Jenkins for application development. During a CI build of our chef-repo’s we’re injecting version constraints into our environment.json file’s stored in version control using a similar approach described here with Berksfile.lock. Those environments and cookbooks are uploaded into a Chef Server that is dedicated towards testing. We call this our “CI Chef Server”. This chef server will be populated with many cookbooks originating from many chef-repo’s. We want to have a suite of automated tests fire off - some based on Test Kitchen and some more application centric. We want to be able to promote a build to a production Chef Server. once the test suite passes We need to have separate Chef Servers for various reasons - PCI compliance and network segmentation being one of the biggest, but also a strong desire to ensure only tested changes touch our production systems.
I think we have a pretty solid approach in mind, but was curious if there were any existing tools that handle the physical promotion of cookbooks and environments (we’re staying clear of roles, and have successfully avoided the need for data bags). It seems like writing something custom to promote these things with calls to knife wouldn’t be too hard, but seems like it might also have some hidden complexities once I get into the thick of it. How are other people doing this?
On the application development side, our pipeline has never hand to worry about this type of thing because applications are made up of a single, atomic package file where promotion is a single step. Chef when used with a Chef Server isn’t that simple sadly.