[Freeipa-users] guidance and strategies for supporting production use including dev/test IPA systems?

[Chris Dagdigian]

Thanks to support from folks on this list I have a 3-node multi-site 
replicating FreeIPA system supporting a number of 1-way trusts to 
various AD Forests. Testing has gone well and it's clear that this "POC" 
will soon transition to production.

Because of the importance of this system to our environment I'm trying 
to flesh out a proper strategy for testing upgrades and updates in a way 
that lets us keep our system highly available and online.

And seeing how rapidly this software is being developed w/ new features 
and how dependent we are on the most recent version (or how badly I want 
to try the version in RHEL-BETA-3) I think this is a system we will 
possibly be upgrading somewhat often ...

I understand that replicas can run newer versions of IPA/IDM than the 
master so that is one path by which we can carefully test updates and 
patches but I don't think that covers all the scenarios ...

Can anyone share strategies or war stories for how testing is done in 
support of production IPA/IDM environments? Especially when Trusts need 
to be set up with many external AD systems?

Do people run discrete standalone dev/test IPA domains/realms to create 
isolated  environments or is there some other good strategy that allows 
testing to be done within the same domain/realm?

Thanks!

-Chris