From c2f699eb1bc8815c39916867eec8f06568e56277 Mon Sep 17 00:00:00 2001 From: Nikola Jokic Date: Mon, 10 Nov 2025 14:36:17 +0100 Subject: [PATCH] self-signed-ca setup --- .github/workflows/gha-e2e-tests.yaml | 25 ++++ .../self-signed-ca-setup.test.sh | 133 ++++++++++++++++++ 2 files changed, 158 insertions(+) create mode 100644 test/actions.github.com/self-signed-ca-setup.test.sh diff --git a/.github/workflows/gha-e2e-tests.yaml b/.github/workflows/gha-e2e-tests.yaml index 52a8afee..c09fcda5 100644 --- a/.github/workflows/gha-e2e-tests.yaml +++ b/.github/workflows/gha-e2e-tests.yaml @@ -752,6 +752,31 @@ jobs: arc-namespace: "arc-runners" arc-controller-namespace: "arc-systems" + self-signed-ca-setup-v2: + runs-on: ubuntu-latest + timeout-minutes: 20 + if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.id == github.repository_id + env: + TARGET_ORG: ${{ env.TARGET_ORG }} + TARGET_REPO: ${{ env.TARGET_REPO }} + + steps: + - uses: actions/checkout@v5 + with: + ref: ${{github.head_ref}} + + - name: Get configure token + id: config-token + uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3 + with: + application_id: ${{ secrets.E2E_TESTS_ACCESS_APP_ID }} + application_private_key: ${{ secrets.E2E_TESTS_ACCESS_PK }} + organization: ${{ env.TARGET_ORG }} + + - name: Run default setup test + run: hack/e2e-test.sh self-signed-ca-setup + shell: bash + self-signed-ca-setup: runs-on: ubuntu-latest timeout-minutes: 20 diff --git a/test/actions.github.com/self-signed-ca-setup.test.sh b/test/actions.github.com/self-signed-ca-setup.test.sh new file mode 100644 index 00000000..c7d1671c --- /dev/null +++ b/test/actions.github.com/self-signed-ca-setup.test.sh 
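Review bot: The new job's last step is labelled `Run default setup test` while it runs `hack/e2e-test.sh self-signed-ca-setup`; the label looks copied from another job and should read `- name: Run self-signed CA setup test` so the Actions UI names what actually ran. With an existing `self-signed-ca-setup` job directly below, the `-v2` suffix on the new job id does not say how the two differ; a one-line comment above `self-signed-ca-setup-v2:` stating what the v2 variant exercises would help whoever reads this workflow. The `if:` guard limiting secret-bearing runs to same-repository pull requests is the right gate for a job that receives `E2E_TESTS_ACCESS_PK` via the token step.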
@@ -0,0 +1,133 @@
+#!/bin/bash
+
+set -euo pipefail
+
+DIR="$(realpath "$(dirname "${BASH_SOURCE[0]}")")"
+
+ROOT_DIR="$(realpath "${DIR}/../..")"
+
+source "${DIR}/helper.sh" || { echo "Failed to source helper.sh"; exit 1; }
+
+SCALE_SET_NAME="self-signed-crt-$(date '+%M%S')$((($RANDOM + 100) % 100 + 1))"
+SCALE_SET_NAMESPACE="arc-runners"
+WORKFLOW_FILE="arc-test-workflow.yaml"
+ARC_NAME="arc"
+ARC_NAMESPACE="arc-systems"
+
+function install_arc() {
+ echo "Creating namespace ${ARC_NAMESPACE}"
+ kubectl create namespace "${SCALE_SET_NAMESPACE}"
+
+ echo "Installing ARC"
+ helm install "${ARC_NAME}" \
+ --namespace "${ARC_NAMESPACE}" \
+ --create-namespace \
+ --set image.repository="${IMAGE_NAME}" \
+ --set image.tag="${IMAGE_TAG}" \
+ "${ROOT_DIR}/charts/gha-runner-scale-set-controller" \
+ --debug
+
+ if ! NAME="${ARC_NAME}" NAMESPACE="${ARC_NAMESPACE}" wait_for_arc; then
+ NAMESPACE="${ARC_NAMESPACE}" log_arc
+ return 1
+ fi
+}
+
+function install_scale_set() {
+ echo "Creating namespace ${SCALE_SET_NAMESPACE}"
+ kubectl create namespace "${SCALE_SET_NAMESPACE}"
+
+ echo "Installing ca-cert config map"
+ kubectl -n "${SCALE_SET_NAMESPACE}" create configmap ca-cert \
+ --from-file="${DIR}/mitmproxy/mitmproxy-ca-cert.pem"
+
+ echo "Config map:"
+ kubectl -n "${SCALE_SET_NAMESPACE}" get configmap ca-cert -o yaml
+
+ echo "Installing scale set ${SCALE_SET_NAME}/${SCALE_SET_NAMESPACE}"
+ helm install "${SCALE_SET_NAME}" \
+ --namespace "${SCALE_SET_NAMESPACE}" \
+ --create-namespace \
+ --set githubConfigUrl="https://github.com/${TARGET_ORG}/${TARGET_REPO}" \
+ --set githubConfigSecret.github_token="${GITHUB_TOKEN}" \
+ --set proxy.https.url="http://host.minikube.internal:3128" \
+ --set "proxy.noProxy[0]=10.96.0.1:443" \
+ --set "githubServerTLS.certificateFrom.configMapKeyRef.name=ca-cert" \
+ --set "githubServerTLS.certificateFrom.configMapKeyRef.key=mitmproxy-ca-cert.pem" \
+ --set "githubServerTLS.runnerMountPath=/usr/local/share/ca-certificates/" \
+ "${ROOT_DIR}/charts/gha-runner-scale-set" \
+ --debug
+
+ if ! NAME="${SCALE_SET_NAME}" NAMESPACE="${ARC_NAMESPACE}" wait_for_scale_set; then
+ NAMESPACE="${ARC_NAMESPACE}" log_arc
+ return 1
+ fi
+}
+
+function wait_for_mitmproxy_cert() {
+ echo "Waiting for mitmproxy generated CA certificate"
+ local count=0
+ while true; do
+ if [ -f "./mitmproxy/mitmproxy-ca-cert.pem" ]; then
+ echo "CA certificate is generated"
+ echo "CA certificate:"
+ cat "./mitmproxy/mitmproxy-ca-cert.pem"
+ return 0
+ fi
+
+ if [ "${count}" -ge 60 ]; then
+ echo "Timeout waiting for mitmproxy generated CA certificate"
+ return 1
+ fi
+
+ sleep 1
+ count=$((count + 1))
+ done
+}
+
+function run_mitmproxy() {
+ echo "Running mitmproxy"
+ docker run -d \
+ --rm \
+ --name mitmproxy \
+ --publish 8080:8080 \
+ -b ./mitmproxy:/home/mitmproxy/.mitmproxy \
+ mitmproxy/mitmproxy:latest \
+
+ echo "Mitm dump:"
+ mitmdump
+
+ if ! wait_for_mitmproxy_cert; then
+ return 1
+ fi
+
+ echo "CA certificate is generated"
+
+ sudo cp ./mitmproxy/mitmproxy-ca-cert.pem /usr/local/share/ca-certificates/mitmproxy-ca-cert.crt
+ sudo chown runner ./mitmproxy/mitmproxy-ca-cert.crt
+}
+
+function main() {
+ if [[ ! -x "$(which mitmdump)" ]]; then
+ echo "mitmdump is not installed"
+ return 1
+ fi
+
+ local failed=()
+
+ build_image
+ create_cluster
+ install_arc
+ run_mitmproxy
+ install_scale_set
+
+ WORKFLOW_FILE="${WORKFLOW_FILE}" SCALE_SET_NAME="${SCALE_SET_NAME}" run_workflow || failed+=("run_workflow")
+ INSTALLATION_NAME="${SCALE_SET_NAME}" NAMESPACE="${SCALE_SET_NAMESPACE}" cleanup_scale_set || failed+=("cleanup_scale_set")
+
+ NAMESPACE="${ARC_NAMESPACE}" arc_logs
+ delete_cluster
+
+ print_results "${failed[@]}"
+}
+
+main