(gh-26) Add a GHA workflow to test the configure task

jpartlow · jpartlow · commit 58798002314a · 2025-07-11T16:39:37.000-07:00
diff --git a/.github/workflows/pr_testing_configure.yaml b/.github/workflows/pr_testing_configure.yaml
@@ -0,0 +1,134 @@
+---
+name: 'PR Testing the configure task'
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  test-configure-task:
+    strategy:
+      matrix:
+        os:
+          - [almalinux, '9']
+          - [ubuntu, '24.04']
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - id: install-bolt
+        uses: ./.github/actions/bolt
+        with:
+          os-codename: jammy
+      - id: vm-cluster
+        uses: jpartlow/nested_vms@v1
+        with:
+          os: ${{ matrix.os[0] }}
+          os-version: ${{ matrix.os[1] }}
+          os-arch: ${{ matrix.os[2] || 'x86_64' }}
+          host-root-access: true
+          ruby-version: '3.3'
+          install-openvox: false
+          vms: |-
+            [
+              {
+                "role": "primary",
+                "cpus": 4,
+                "mem_mb": 8192
+                "cpu_mode": "host-model"
+              },
+              {
+                "role": "agent",
+                "cpus": 2,
+                "mem_mb": 4096,
+                "cpu_mode": "host-model"
+              }
+            ]
+      - name: Capture dereferenced inventory for use with openvox_bootstrap
+        working-directory: kvm_automation_tooling
+        run: |-
+          bolt inventory --inventory terraform/instances/inventory.test.yaml show --format json --detail | \
+            jq '.inventory | with_entries(select(.key == "targets")) | del(.targets[0].groups)' | \
+            yq -P > ../inventory.yaml
+      - name: Install openvox
+        run: |-
+          bolt task run openvox_bootstrap::install --inventory inventory.yaml --targets test-primary-1,test-agent-1
+      - name: Install openvox-server
+        run: |-
+          bolt task run openvox_bootstrap::install --inventory inventory.yaml --targets test-primary-1 package=openvox-server
+      - name: Configure openvox-server
+        env:
+          PUPPET_CONF: |-
+          SIGN_SH: |-
+        run: |-
+          cat > /etc/puppetlabs/puppet/puppet.conf <<EOF
+          [main]
+          server = test-primary-1.vm
+          [server]
+          autosign = /etc/puppetlabs/puppet/sign.sh
+          EOF
+          chown puppet:puppet /etc/puppetlabs/puppet/puppet.conf
+          cat > /etc/puppetlabs/puppet/sign.sh <<'EOF'
+          #!/bin/bash
+          csr_pem=$(cat)
+          csr_text=$(openssl req -text <<<"$csr_pem")
+          password=$(awk -F: -e '/challengePassword/ { print $2 }' <<<"$csr_text")
+          [[ "${password}" == 'password' ]]
+          EOF
+          cat /etc/puppetlabs/puppet/sign.sh
+          chmod 750 /etc/puppetlabs/puppet/sign.sh
+          chown puppet:puppet /etc/puppetlabs/puppet/sign.sh
+
+          /opt/puppetlabs/server/bin/puppetserver ca setup
+          systemctl start puppetserver
+      - name: Write configure params
+        run: |-
+          cat > agent-params.yaml <<EOF
+          {
+            "puppet_conf": {
+               "main": {
+                  "server": "test-primary-1.vm"
+               }
+            },
+            "csr_attributes": {
+               "custom_attributes": {
+                  "1.2.840.113549.1.9.7": "password"
+               },
+               "extension_requests": {
+                  "pp_role": "tomato"
+               }
+            },
+            "puppet_service_running": true,
+            "puppet_service_enabled": false
+          }
+          EOF
+          jq 'del(.puppet_conf)' agent-params.yaml > server-params.yaml
+      - name: Disable agents to prevent background service runs
+        run: |-
+          bolt command run '/opt/puppetlabs/bin/puppet agent --disable "OpenVox PR testing"' --inventory inventory.yaml --targets test-agent-1,test-primary-1
+      - name: Run openvox_bootstrap::configure task
+        run: |-
+          echo "On the primary:"
+          bolt task run openvox_bootstrap::configure --inventory inventory.yaml --targets test-agent-1 --params @agent-params.yaml
+          echo "On the agent:"
+          bolt task run openvox_bootstrap::configure --inventory inventory.yaml --targets test-agent-1 --params @server-params.yaml
+      - name: Validate agent run on the primary
+        run: |-
+          bolt command run '/opt/puppetlabs/bin/puppet agent --agent_disabled_lockfile=/dev/null --test' --inventory inventory.yaml --targets test-primary-1 --stream
+      - name: Validate agent run on the agent
+        run: |-
+          bolt command run '/opt/puppetlabs/bin/puppet agent --agent_disabled_lockfile=/dev/null --test' --inventory inventory.yaml --targets test-agent-1 --stream
+      - name: Validate certificate extensions
+        run: |-
+          cat > check_cert_extensions.pp <<'EOF'
+          notify { "Trusted Facts"
+            message => $trusted,
+          }
+          if $trusted['extensions']['pp_role'] != 'tomato' {
+            fail("Certificate extension 'pp_role' should be 'tomato', but is ${$trusted['extensions']['pp_role']}")
+          }
+          EOF
+          bolt apply check_cert_extensions.pp --inventory inventory.yaml --targets test-primary-1,test-agent-1
