feat: add E2E tests with real Puppet agent runs and code deployment

Add openvox-code OCI image with production/staging/broken Puppet
environments, openvox-mock server (ENC + report + PuppetDB receiver),
Helm ReportProcessor template, and 7 Chainsaw E2E test scenarios
covering the full Puppet lifecycle (basic, concurrent, idempotent,
broken catalog, ENC integration, report forwarding, full stack).

Closes #60

Author: slauger

.github/workflows/container-build-test.yaml

@@ -0,0 +1,42 @@
+name: Container Build (Test Images)
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'images/openvox-agent/**'
+      - 'images/openvox-code/**'
+      - 'images/openvox-mock/**'
+      - 'cmd/mock/**'
+  workflow_dispatch:
+
+jobs:
+  openvox-agent:
+    uses: ./.github/workflows/container-build.yaml
+    permissions:
+      contents: read
+      packages: write
+    with:
+      image_name: openvox-agent
+      dockerfile: images/openvox-agent/Containerfile
+      context: 'images/openvox-agent'
+
+  openvox-code:
+    uses: ./.github/workflows/container-build.yaml
+    permissions:
+      contents: read
+      packages: write
+    with:
+      image_name: openvox-code
+      dockerfile: images/openvox-code/Containerfile
+      context: '.'
+
+  openvox-mock:
+    uses: ./.github/workflows/container-build.yaml
+    permissions:
+      contents: read
+      packages: write
+    with:
+      image_name: openvox-mock
+      dockerfile: images/openvox-mock/Containerfile
+      context: '.'

.github/workflows/e2e.yaml

@@ -0,0 +1,68 @@
+name: E2E
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  e2e:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1
+        with:
+          config: tests/e2e/kind-config.yaml
+
+      - name: Build images
+        run: |
+          LOCAL_TAG=$(git describe --always)
+          docker build -t openvox-operator:${LOCAL_TAG} -f images/openvox-operator/Containerfile .
+          docker build -t openvox-server:${LOCAL_TAG} -f images/openvox-server/Containerfile .
+          docker build -t openvox-code:latest -f images/openvox-code/Containerfile .
+          docker build -t openvox-agent:latest -f images/openvox-agent/Containerfile images/openvox-agent/
+          docker build -t openvox-mock:latest -f images/openvox-mock/Containerfile .
+
+      - name: Load images into kind
+        run: |
+          LOCAL_TAG=$(git describe --always)
+          kind load docker-image openvox-operator:${LOCAL_TAG}
+          kind load docker-image openvox-server:${LOCAL_TAG}
+          kind load docker-image openvox-code:latest
+          kind load docker-image openvox-agent:latest
+          kind load docker-image openvox-mock:latest
+
+      - name: Install operator
+        run: |
+          LOCAL_TAG=$(git describe --always)
+          helm upgrade --install openvox-operator charts/openvox-operator \
+            --namespace openvox-system --create-namespace \
+            --set image.repository=openvox-operator \
+            --set image.tag=${LOCAL_TAG} \
+            --set image.pullPolicy=Never
+          kubectl wait --for=condition=Available deployment/openvox-operator \
+            -n openvox-system --timeout=2m
+
+      - name: Run E2E tests
+        run: go tool chainsaw test tests/e2e/
+
+      - name: Collect debug info
+        if: failure()
+        run: |
+          echo "=== Operator logs ==="
+          kubectl logs -n openvox-system deploy/openvox-operator --tail=100 || true
+          echo "=== All pods ==="
+          kubectl get pods -A || true
+          echo "=== Events ==="
+          kubectl get events -A --sort-by=.lastTimestamp || true

Makefile

@@ -1,5 +1,8 @@
 IMG ?= ghcr.io/slauger/openvox-operator:latest
 OPENVOX_SERVER_IMG ?= ghcr.io/slauger/openvox-server:latest
+OPENVOX_CODE_IMG ?= ghcr.io/slauger/openvox-code:latest
+OPENVOX_AGENT_IMG ?= ghcr.io/slauger/openvox-agent:latest
+OPENVOX_MOCK_IMG ?= ghcr.io/slauger/openvox-mock:latest
 NAMESPACE ?= openvox-system
 CONTAINER_TOOL ?= $(shell which podman 2>/dev/null || which docker 2>/dev/null)
 CONTROLLER_GEN = go tool controller-gen
@@ -58,8 +61,14 @@ LOCAL_TAG ?= $(shell git describe --always)
 local-build: ## Build all images for local development (Docker Desktop K8s).
 	$(CONTAINER_TOOL) build -t openvox-operator:$(LOCAL_TAG) -f images/openvox-operator/Containerfile .
 	$(CONTAINER_TOOL) build -t openvox-server:$(LOCAL_TAG) -f images/openvox-server/Containerfile .
+	$(CONTAINER_TOOL) build -t openvox-code:latest -f images/openvox-code/Containerfile .
+	$(CONTAINER_TOOL) build -t openvox-agent:latest -f images/openvox-agent/Containerfile images/openvox-agent/
+	$(CONTAINER_TOOL) build -t openvox-mock:latest -f images/openvox-mock/Containerfile .
 	@echo "Built openvox-operator:$(LOCAL_TAG)"
 	@echo "Built openvox-server:$(LOCAL_TAG)"
+	@echo "Built openvox-code:latest"
+	@echo "Built openvox-agent:latest"
+	@echo "Built openvox-mock:latest"
 
 .PHONY: local-deploy
 local-deploy: local-build local-install ## Build images and deploy operator via Helm.

charts/openvox-stack/ci/agent-basic-values.yaml

@@ -0,0 +1,38 @@
+signingPolicies:
+  - name: autosign-any
+    any: true
+
+config:
+  code:
+    image: openvox-code:latest
+    imagePullPolicy: Never
+
+servers:
+  - name: ca
+    ca: true
+    server: true
+    poolRefs: [ca, server]
+    certificate:
+      certname: puppet
+      dnsAltNames:
+        - e2e-agent-basic-server
+        - e2e-agent-concurrent-server
+        - e2e-agent-idempotent-server
+        - e2e-agent-broken-server
+    replicas: 1
+    resources:
+      requests:
+        cpu: 250m
+        memory: 512Mi
+      limits:
+        memory: 1Gi
+
+pools:
+  - name: ca
+    service:
+      type: ClusterIP
+      port: 8140
+  - name: server
+    service:
+      type: ClusterIP
+      port: 8140

charts/openvox-stack/ci/agent-enc-values.yaml

@@ -0,0 +1,44 @@
+signingPolicies:
+  - name: autosign-any
+    any: true
+
+config:
+  code:
+    image: openvox-code:latest
+    imagePullPolicy: Never
+
+nodeClassifier:
+  enabled: true
+  url: http://openvox-mock:8080
+  request:
+    method: GET
+    path: /node/{certname}
+  response:
+    format: yaml
+
+servers:
+  - name: ca
+    ca: true
+    server: true
+    poolRefs: [ca, server]
+    certificate:
+      certname: puppet
+      dnsAltNames:
+        - e2e-agent-enc-server
+    replicas: 1
+    resources:
+      requests:
+        cpu: 250m
+        memory: 512Mi
+      limits:
+        memory: 1Gi
+
+pools:
+  - name: ca
+    service:
+      type: ClusterIP
+      port: 8140
+  - name: server
+    service:
+      type: ClusterIP
+      port: 8140

charts/openvox-stack/ci/agent-full-values.yaml

@@ -0,0 +1,53 @@
+signingPolicies:
+  - name: autosign-any
+    any: true
+
+config:
+  puppet:
+    reports: "store,webhook"
+  code:
+    image: openvox-code:latest
+    imagePullPolicy: Never
+
+nodeClassifier:
+  enabled: true
+  url: http://openvox-mock:8080
+  request:
+    method: GET
+    path: /node/{certname}
+  response:
+    format: yaml
+
+reportProcessors:
+  - name: e2e-full-webhook
+    url: http://openvox-mock:8080/reports
+  - name: e2e-full-puppetdb
+    url: http://openvox-mock:8080/pdb/cmd/v1
+    processor: puppetdb
+
+servers:
+  - name: ca
+    ca: true
+    server: true
+    poolRefs: [ca, server]
+    certificate:
+      certname: puppet
+      dnsAltNames:
+        - e2e-agent-full-server
+    replicas: 1
+    resources:
+      requests:
+        cpu: 250m
+        memory: 512Mi
+      limits:
+        memory: 1Gi
+
+pools:
+  - name: ca
+    service:
+      type: ClusterIP
+      port: 8140
+  - name: server
+    service:
+      type: ClusterIP
+      port: 8140

charts/openvox-stack/ci/agent-report-values.yaml

@@ -0,0 +1,44 @@
+signingPolicies:
+  - name: autosign-any
+    any: true
+
+config:
+  puppet:
+    reports: "store,webhook"
+  code:
+    image: openvox-code:latest
+    imagePullPolicy: Never
+
+reportProcessors:
+  - name: e2e-report-webhook
+    url: http://openvox-mock:8080/reports
+  - name: e2e-report-puppetdb
+    url: http://openvox-mock:8080/pdb/cmd/v1
+    processor: puppetdb
+
+servers:
+  - name: ca
+    ca: true
+    server: true
+    poolRefs: [ca, server]
+    certificate:
+      certname: puppet
+      dnsAltNames:
+        - e2e-agent-report-server
+    replicas: 1
+    resources:
+      requests:
+        cpu: 250m
+        memory: 512Mi
+      limits:
+        memory: 1Gi
+
+pools:
+  - name: ca
+    service:
+      type: ClusterIP
+      port: 8140
+  - name: server
+    service:
+      type: ClusterIP
+      port: 8140

charts/openvox-stack/templates/_helpers.tpl

@@ -67,6 +67,18 @@ Usage: include "openvox-stack.certName" (dict "root" $ "entry" $entry)
 {{- end }}
 {{- end }}
 
+{{/*
+ReportProcessor name for array entries.
+Usage: include "openvox-stack.reportProcessorName" (dict "root" $ "entry" $entry "index" $i)
+*/}}
+{{- define "openvox-stack.reportProcessorName" -}}
+{{- if .entry.name -}}
+{{- .entry.name }}
+{{- else -}}
+{{- printf "%s-report-processor-%d" (include "openvox-stack.fullname" .root) .index | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
 {{/*
 Pool name for a pool entry.
 Usage: include "openvox-stack.poolName" (dict "root" $ "entry" $entry)