test: add tasks and action plugin to run role with clear facts [citest_skip]

tests/tasks/run_role_with_clear_facts.yml

@@ -0,0 +1,39 @@
+---
+# Task file: save facts, clear_facts, run linux-system-roles.certificate, then restore facts.
+# Include this with include_tasks or import_tasks; ensure tests/library is in module search path.
+# Input:
+# - __sr_tasks_from: tasks_from to run - same as tasks_from in include_role
+# - __sr_public: export private vars from role - same as public in include_role
+# - __sr_failed_when: set to false to ignore role errors - same as failed_when in include_role
+# Output:
+# - ansible_facts: merged saved ansible_facts with ansible_facts modified by the role, if any
+- name: Clear facts
+  meta: clear_facts
+
+# note that you can use failed_when with import_role but not with include_role
+# so this simulates the __sr_failed_when false case
+# Q: Why do we need a separate task to run the role normally?  Why not just
+# run the role in the block and rethrow the error in the rescue block?
+# A: Because you cannot rethrow the error in exactly the same way as the role does.
+# It might be possible to exactly reconstruct ansible_failed_result but it's not worth the effort.
+- name: Run the role with __sr_failed_when false
+  when:
+    - __sr_failed_when is defined
+    - not __sr_failed_when
+  block:
+    - name: Run the role
+      include_role:
+        name: linux-system-roles.certificate
+        tasks_from: "{{ __sr_tasks_from | default('main') }}"
+        public: "{{ __sr_public | default(false) }}"
+  rescue:
+    - name: Ignore the failure when __sr_failed_when is false
+      debug:
+        msg: Ignoring failure when __sr_failed_when is false
+
+- name: Run the role normally
+  include_role:
+    name: linux-system-roles.certificate
+    tasks_from: "{{ __sr_tasks_from | default('main') }}"
+    public: "{{ __sr_public | default(false) }}"
+  when: __sr_failed_when | d(true)

tests/tests_basic_ipa.yml

@@ -1,7 +1,6 @@
 ---
 - name: Test using IPA to issue certs
   hosts: all
-  gather_facts: true
   become: true
   tags:
     - tests::slow
@@ -27,8 +26,7 @@
       import_tasks: tasks/setup_ipa.yml
 
     - name: Issue IPA signed certificates
-      include_role:
-        name: linux-system-roles.certificate
+      include_tasks: tasks/run_role_with_clear_facts.yml
       vars:
         certificate_requests:
           - name: mycert_basic_ipa

tests/tests_basic_self_signed.yml

@@ -6,8 +6,9 @@
       - name: mycert_basic_self_signed
         dns: www.example.com
         ca: self-sign
-  roles:
-    - linux-system-roles.certificate
+  tasks:
+    - name: Run the role
+      include_tasks: tasks/run_role_with_clear_facts.yml
 
 - name: Verify certificate
   hosts: all

tests/tests_default.yml

@@ -2,6 +2,6 @@
 ---
 - name: Ensure that the role runs with default parameters
   hosts: all
-  gather_facts: false  # check that the role works with this
-  roles:
-    - linux-system-roles.certificate
+  tasks:
+    - name: Run the role
+      include_tasks: tasks/run_role_with_clear_facts.yml

tests/tests_dns_ip_email.yml

@@ -18,8 +18,9 @@
           - sysadmin@example.com
           - support@example.com
         ca: self-sign
-  roles:
-    - linux-system-roles.certificate
+  tasks:
+    - name: Run the role
+      include_tasks: tasks/run_role_with_clear_facts.yml
 
 - name: Verify certificate
   hosts: all

tests/tests_fs_attrs.yml

@@ -32,8 +32,7 @@
       when: not __bootc_validation | d(false)
 
     - name: Issue certificate setting user/group
-      include_role:
-        name: linux-system-roles.certificate
+      include_tasks: tasks/run_role_with_clear_facts.yml
       vars:
         certificate_requests:
           - name: mycert_fs_attrs
@@ -87,8 +86,7 @@
             mode: "0640"
 
     - name: Issue certificate setting user/group/mode
-      include_role:
-        name: linux-system-roles.certificate
+      include_tasks: tasks/run_role_with_clear_facts.yml
       vars:
         certificate_requests:
           - name: mycert_fs_attrs_mode

tests/tests_include_vars_from_parent.yml

@@ -1,7 +1,6 @@
 ---
 - name: Test role include variable override
   hosts: all
-  gather_facts: true
   tasks:
     - name: Create var file in caller that can override the one in called role
       delegate_to: localhost

tests/tests_key_size.yml

@@ -6,8 +6,7 @@
     - name: Include role, ignore fail if certmonger version is not supported
       block:
         - name: Request certificate with key size
-          ansible.builtin.include_role:
-            name: linux-system-roles.certificate
+          include_tasks: tasks/run_role_with_clear_facts.yml
           vars:
             certificate_requests:
               - name: mycert_key_size

tests/tests_key_size_reissue.yml

@@ -2,14 +2,11 @@
 - name: Test re-issue certificate if key size changes
   hosts: all
   become: false
-  gather_facts: false
-
   tasks:
     - name: Include role, ignore fail if certmonger version is not supported
       block:
         - name: Request certificate with key size
-          ansible.builtin.include_role:
-            name: linux-system-roles.certificate
+          include_tasks: tasks/run_role_with_clear_facts.yml
           vars:
             certificate_requests:
               - name: mycert_key_size
@@ -55,8 +52,7 @@
               meta: end_play
 
     - name: Request certificate with key size 3072
-      ansible.builtin.include_role:
-        name: linux-system-roles.certificate
+      include_tasks: tasks/run_role_with_clear_facts.yml
       vars:
         certificate_requests:
           - name: mycert_key_size

tests/tests_key_usage_and_extended_key_usage.yml

@@ -15,8 +15,9 @@
           - id-kp-ipsecTunnel
           - 1.3.6.1.5.2.3.5
         ca: self-sign
-  roles:
-    - linux-system-roles.certificate
+  tasks:
+    - name: Run the role
+      include_tasks: tasks/run_role_with_clear_facts.yml
 
 - name: Verify certificate
   hosts: all

tests/tests_many_self_signed.yml

@@ -4,8 +4,7 @@
 
   tasks:
     - name: Run the role
-      include_role:
-        name: linux-system-roles.certificate
+      include_tasks: tasks/run_role_with_clear_facts.yml
       vars:
         certificate_requests:
           - name: mycert_many_self_signed

tests/tests_no_auto_renew.yml

@@ -10,8 +10,9 @@
       - name: defaultcert
         dns: www.example.com
         ca: self-sign
-  roles:
-    - linux-system-roles.certificate
+  tasks:
+    - name: Run the role
+      include_tasks: tasks/run_role_with_clear_facts.yml
 
 - name: Verify certificate
   pre_tasks:

tests/tests_not_wait_for_cert.yml

@@ -7,8 +7,9 @@
       - name: mycert_not_wait_for_cert
         dns: www.example.com
         ca: self-sign
-  roles:
-    - linux-system-roles.certificate
+  tasks:
+    - name: Run the role
+      include_tasks: tasks/run_role_with_clear_facts.yml
 
 - name: Verify certificate
   hosts: all

tests/tests_principal.yml

@@ -7,8 +7,9 @@
         dns: www.example.com
         principal: HTTP/www.example.com@EXAMPLE.COM
         ca: self-sign
-  roles:
-    - linux-system-roles.certificate
+  tasks:
+    - name: Run the role
+      include_tasks: tasks/run_role_with_clear_facts.yml
 
 - name: Verify certificate
   hosts: all
@@ -57,8 +58,7 @@
           It should be formatted as 'primary/instance@REALM'
       block:
         - name: Import certificate role
-          import_role:
-            name: linux-system-roles.certificate
+          include_tasks: tasks/run_role_with_clear_facts.yml
         - name: Failed
           fail:
             msg: "certificate with invalid principal"

tests/tests_provider.yml

@@ -7,8 +7,9 @@
         dns: www.example.com
         ca: self-sign
         provider: certmonger
-  roles:
-    - linux-system-roles.certificate
+  tasks:
+    - name: Run the role
+      include_tasks: tasks/run_role_with_clear_facts.yml
 
 - name: Verify certificate
   hosts: all

tests/tests_run_hooks.yml

@@ -10,8 +10,9 @@
           touch /etc/pki/before_cert.tmp
         run_after: >
           touch /etc/pki/after_cert.tmp
-  roles:
-    - linux-system-roles.certificate
+  tasks:
+    - name: Run the role
+      include_tasks: tasks/run_role_with_clear_facts.yml
 
 - name: Verify certificate
   hosts: all

tests/tests_subject.yml

@@ -12,8 +12,9 @@
         organization: Red Hat
         organizational_unit: Linux
         ca: self-sign
-  roles:
-    - linux-system-roles.certificate
+  tasks:
+    - name: Run the role
+      include_tasks: tasks/run_role_with_clear_facts.yml
 
 - name: Verify certificate
   hosts: all

tests/tests_subject_complex.yml

@@ -9,8 +9,9 @@
         common_name: '# \\Every"thing+that,ne;eds<escap>ing\0 '
         contact_email: admin@example.com
         ca: self-sign
-  roles:
-    - linux-system-roles.certificate
+  tasks:
+    - name: Run the role
+      include_tasks: tasks/run_role_with_clear_facts.yml
 
 - name: Verify certificate
   hosts: all
@@ -21,7 +22,6 @@
         tasks_from: set_vars.yml
         public: true
   become: true
-  gather_facts: true
   vars:
     certificates:
       - path: "{{ __certificate_default_directory }}/certs/mycert_subject_complex.crt"

tests/tests_test_mode.yml

@@ -18,8 +18,7 @@
     certificate_test_remove_files: true
   tasks:
     - name: Run the role in test mode
-      include_role:
-        name: linux-system-roles.certificate
+      include_tasks: tasks/run_role_with_clear_facts.yml
 
     - name: Verify test data
       assert:

tests/tests_wrong_provider.yml

@@ -15,8 +15,7 @@
           Chosen provider 'fake-provider' is not available.
       block:
         - name: Import certificate role
-          import_role:
-            name: linux-system-roles.certificate
+          include_tasks: tasks/run_role_with_clear_facts.yml
         - name: Failed
           fail:
             msg: "Certificate issued with nonexistent provider 'fake-provider'."