In order to use impact analysis, you must configure both your Puppet Enterprise (PE) and Continuous Delivery for PE instances. This process involves generating a new certificate, installing a dedicated module, updating classification of your Puppet master, and adding credentials to Continuous Delivery for PE.
For best results, work through the configuration process in the order presented here.
What is impact analysis?
Impact analysis is a Continuous Delivery for PE tool that lets you see the potential impact that new Puppet code will have on your PE-managed infrastructure, even before the new code is merged. When you add impact analysis to a control repo's pipeline, Continuous Delivery for PE automatically generates a report on every proposed code change to that control repo.
See Previewing the impact of code changes for more on impact analysis.
Impact analysis is auto-configured for PE versions in the 2019.x series
If you are running a PE version in the 2019.x series and have integrated your PE instance with Continuous Delivery for PE, you do not need to complete the configuration steps on this page. Impact analysis was automatically configured for you during the integration.
Before you begin
Make sure you're ready to get started by completing the following:
Generate a dedicated Puppet Enterprise certificate
A dedicated PE certificate is required to authenticate with the endpoints used for impact analysis. For security purposes, make sure you generate a new certificate.
For PE version 2018.1:
puppet cert generate <CERTIFICATE_NAME>
For all PE 2019.x versions:
puppetserver ca generate --certname <CERTIFICATE_NAME>
<CERTIFICATE_NAME> with the
name you wish to give the certificate, such as
Impact analysis requires you to install the
puppetlabs-cd4pe module and its dependent modules.
puppetlabs-cd4pe module must be used with eight dependent
modules. The nine modules and their required versions are as follows:
||1.1.0 or later|
||4.19.0 or later|
||0.9.3 or later in the 0.x or 1.x series|
||1.1.1 or later in the 1.x, 2.x, 3.x, or 4.x series|
||3.3.0 or later|
||4.4.1 or later|
||1.1.0 or later|
||1.0.1 or later in the 1.x series|
Add the nine modules listed above to the Puppetfile for each environment against which
your compilers compile catalogs.
A sample Puppetfile entry:
mod 'puppetlabs-cd4pe', '1.4.0' # Requirements for cd4pe mod 'puppetlabs-concat', '4.2.1' mod 'puppetlabs-hocon', '1.1.0' mod 'puppetlabs-puppet_authorization', '0.5.0' mod 'puppetlabs-stdlib', '6.2.0' mod 'puppetlabs-docker', '3.9.0' mod 'puppetlabs-apt', '7.3.0' mod 'puppetlabs-translate', '2.1.0' mod 'puppetlabs-pipelines', '1.0.1'
Deploy the updated code to the relevant environments by running
puppet code deploy <ENVIRONMENT>.Remember: Continuous Delivery for PE performs this step for you if you've configured it to deploy code changes automatically to the relevant environments.
puppetlabs-cdpe and its dependencies have been deployed, you
must update classification of your nodes and whitelist the certificate you generated for
- In the PE console, click Classification and open the PE Infrastructure group.
- Select the PE Master group and click Configuration.
In the Add new class field, select
cd4pe::impact_analysis and click Add
class, then commit your change.
If you don't find cd4pe::impact_analysis in the class list, click Refresh to update class definitions.
- In the newly added cd4pe::impact_analysis class, select the whitelisted_certnames parameter.
In the Value field, enter an array containing the name
of the certificate you generated earlier, using the following format:
["<CERTIFICATE_NAME>"].CAUTION: Do not include angle brackets (< and >) in the array.
Run Puppet on the nodes in the PE
Important: This Puppet run restarts the pe-puppetserver service.
Add credentials to Continuous Delivery for PE
The final step in the impact analysis configuration process is to update your PE instance's credentials in the Continuous Delivery for PE web UI.
- In the Continuous Delivery for PE web UI, click Settings.
- Click Puppet Enterprise. Click Edit for the PE instance you're adding impact analysis to.
- Click Impact Analysis Credentials to display the configuration controls.
Enter the endpoint for the Puppet Server service. You
can locate this endpoint with the PE console.
- In the PE console, click Overview, then click Puppet Services status.
- Copy the Puppet Server endpoint from the Puppet Services status monitor.
- In the Continuous Delivery for PE web UI, paste the endpoint into the Puppet Server Service field.
Retrieve the new PE certificate you generated
earlier and its private key from your Puppet Server
certificate authority service by running the following:
cat /etc/puppetlabs/puppet/ssl/certs/<CERTIFICATE_NAME>.pem cat /etc/puppetlabs/puppet/ssl/private_keys/<CERTIFICATE_NAME>.pem
- Copy the certificate in its entirety (including the header and footer) and paste it in the Impact Analysis Certificate field. Then copy the private key in its entirety (including the header and footer) and paste it in the Impact Analysis Private Key field.
- Click Save Changes.
Continuous Delivery for PE validates that everything is configured correctly. Once you receive a success message, you're ready to use impact analysis.
To get started, see Previewing the impact of code changes.