Skip to main content

17. Test Kitchen - Converge

Aaron Lippold1/5/24About 1 min

Learning Objectives

By the end of this section, you will understand:

  • The purpose and function of Test Kitchen's converge stage
  • How to use different infrastructure configurations
  • The differences between vanilla and hardened environments

Test Kitchen Converge Stage

The converge stage applies system configurations using infrastructure as code (IaC) tools. This crucial stage transforms your environment from a base state to your desired configuration.

Let 'em cook

Think of the converge stage as "applying your recipe" - it takes your raw ingredients (base system) and follows your instructions to create the final dish (configured system).

Supported configuration tools include:

  • Ansible Playbooks (used in this course)
  • Puppet
  • Chef
  • Terraform
  • Shell scripts

EC2 and Vagrant Converge

We implement two distinct configurations using 'wrapper playbooks':

  1. Vanilla Environment

    • Purpose: Establishes baseline test environment
    • Implementation: Basic configuration playbook

  2. Hardened Environment

    • Purpose: Creates security-enhanced environment
    • Components:
      • Base vanilla configuration
      • RHEL8-STIG security controls
      • Ansible Galaxy dependencies
      • Custom roles and requirements

While some hardening tasks are disabled for testing, this doesn't compromise our security validation goals.

Hands-on Practice

Container Converge

Our container strategy utilizes two Red Hat UBI9 (Universal Base Image) variants. Take a look at the SAF's RHEL9 InSpec profile which also includes our Test Kitchen and Ansible code that we use to test that our InSpec tests work properly.

  1. Vanilla Container

This container uses the registry.access.redhat.com/ubi9/ubi:9.3-1610 image from RedHat's community repositories.

It represents a standard, out-of-the-box configuration.

  • Community maintained
  • Standard configuration
  1. Hardened Container

This container uses the registry1.dso.mil/ironbank/redhat/ubi/ubi9 image from Red Hat's Platform One Iron Bank project.

It represents a security-enhanced configuration.

  • STIG-compliant
  • Regular security updates
  • Platform One certified

Try these exercises:

  1. Compare the contents of vanilla and hardened playbooks
  2. Identify key security configurations in the RHEL9-STIG role
  3. Examine the wrapper playbook structure in the spec/ directory

Summary

  • Converge stage implements your desired system configurations
  • Multiple implementation tools available (Ansible, Puppet, Chef, etc.)
  • Two primary configurations: vanilla (baseline) and hardened (security-enhanced)
  • Container implementations use different images with different security postures

Next Steps

Practice running the converge stage with both vanilla and hardened configurations to understand the differences in outcomes.

Apache-2.0 | Copyright © 2022 - The MITRE Corporation
Copyright © 2025 Aaron Lippold