LDAP Adoption tests

IPA is enabled on OSP17 when testing TLS-E adoption. Since
it contains an LDAP server, we can use it to run additional
LDAP adoption tests.

Depends-On: openstack-k8s-operators/install_yamls#1079
Jira: https://issues.redhat.com/browse/OSPRH-6861

Author: jagee

tests/roles/development_environment/defaults/main.yaml

@@ -1,3 +1,7 @@
+---
+# IPA-related variables
+ipa_admin_password: "fce95318204114530f31f885c9df588f"
+ipa_user_password: "nomoresecrets"
 prelaunch_test_instance: true
 prelaunch_test_instance_scripts:
   - pre_launch.bash

tests/roles/development_environment/tasks/main.yaml

@@ -169,3 +169,34 @@
         {% else %}
         mkdir -p ~/ci-framework-data/tests/test_operator; scp -i ${EDPM_PRIVATEKEY_PATH} -o StrictHostKeyChecking=no -r ${OS_CLOUD_IP}:~/.ssh/id_ecdsa* ~/ci-framework-data/tests/test_operator/
         {% endif %}
+
+- name: Add IPA domain to Keystone and create IPA users
+  when: enable_tlse is defined and enable_tlse
+  block:
+    - name: SSH into standalone VM and execute IPA commands
+      ansible.builtin.shell: |
+        {{ shell_header }}
+        ssh {{ edpm_node_ip }} "sudo podman exec freeipa-server-container bash -c '\
+          echo {{ ipa_admin_password }} | kinit admin;\
+          ipa user-add svc-ldap --first=Openstack --last=LDAP;\
+          echo {{ ipa_admin_password }} | ipa passwd svc-ldap;\
+          ipa user-add ipauser1 --first=ipa1 --last=user1;\
+          echo {{ ipa_user_password }} | ipa passwd ipauser1;\
+          ipa user-add ipauser2 --first=ipa2 --last=user2;\
+          echo {{ ipa_user_password }} | ipa passwd ipauser2;\
+          ipa user-add ipauser3 --first=ipa3 --last=user3;\
+          echo {{ ipa_user_password }} | ipa passwd ipauser3;\
+          ipa group-add --desc=\"OpenStack Users\" grp-openstack;\
+          ipa group-add --desc=\"OpenStack Admin Users\" grp-openstack-admin;\
+          ipa group-add --desc=\"OpenStack Demo Users\" grp-openstack-demo;\
+          ipa group-add-member --users=svc-ldap grp-openstack;\
+          ipa group-add-member --users=ipauser1 grp-openstack;\
+          ipa group-add-member --users=ipauser1 grp-openstack-admin;\
+          ipa group-add-member --users=ipauser2 grp-openstack;\
+          ipa group-add-member --users=ipauser2 grp-openstack-demo;\
+          ipa group-add-member --users=ipauser3 grp-openstack;\
+          '"
+    - name: Add REDHAT domain to Keystone
+      ansible.builtin.shell: |
+        {{ shell_header }}
+        {{ openstack_command }} domain create --description \"Test LDAP Domain\" REDHAT

tests/roles/keystone_adoption/defaults/main.yaml

@@ -28,3 +28,48 @@ keystone_patch: |
         databaseInstance: openstack
         secret: osp-secret
 keystone_retry_delay: 30
+
+
+keystone_patch_ldap: |
+  spec:
+    keystone:
+      enabled: true
+      apiOverride:
+        route: {}
+      template:
+        customServiceConfig: |
+          [token]
+          expiration = 360000
+          [identity]
+                    domain_specific_drivers_enabled = true
+        extraMounts:
+          - name: v1
+            region: r1
+            extraVol:
+              - propagation:
+                - Keystone
+                extraVolType: Conf
+                volumes:
+                - name: keystone-domains
+                  secret:
+                    secretName: keystone-domains
+                mounts:
+                - name: keystone-domains
+                  mountPath: "/etc/keystone/domains"
+                  readOnly: true
+        override:
+          service:
+            internal:
+              metadata:
+                annotations:
+                  metallb.universe.tf/address-pool: internalapi
+                  metallb.universe.tf/allow-shared-ip: internalapi
+                  metallb.universe.tf/loadBalancerIPs: {{ internalapi_prefix | default('172.17.0') }}.80
+              spec:
+                type: LoadBalancer
+        databaseInstance: openstack
+        secret: osp-secret
+# IPA-related variables
+edpm_node_hostname: ipa.example.testing
+ipa_admin_password: "fce95318204114530f31f885c9df588f"
+ipa_user_password: "nomoresecrets"

tests/roles/keystone_adoption/tasks/main.yaml

@@ -16,11 +16,51 @@
     type: Opaque
     EOF
 
+- name: Set IPA BaseDN var
+  ansible.builtin.set_fact:
+    ipa_basedn: "dc={{ edpm_node_hostname.split('.')[1:] | join(',dc=') }}"
+  when: enable_tlse is defined and enable_tlse
+
+- name: Create Keystone domain config secret for LDAP
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    cat <<EOF | oc apply -n openstack -f -
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: keystone-domains
+    type: Opaque
+    stringData:
+      keystone.{{ ipa_domain | default('REDHAT') }}.conf: |
+        [identity]
+        driver = ldap
+        [ldap]
+        url = ldaps://ipa.apps-crc.testing
+        user = uid=svc-ldap,cn=users,cn=accounts,{{ ipa_basedn }}
+        password = {{ ipa_admin_password | default('nomoresecrets') }}
+        suffix = {{ ipa_basedn }}
+        user_tree_dn = cn=users,cn=accounts,{{ ipa_basedn }}
+        user_objectclass = person
+        user_id_attribute = uid
+        user_name_attribute = uid
+        user_mail_attribute = mail
+        group_tree_dn = cn=groups,cn=accounts,{{ ipa_basedn }}
+        group_objectclass = groupOfNames
+        group_id_attribute = cn
+        group_name_attribute = cn
+        group_member_attribute = member
+        group_desc_attribute = description
+    EOF
+  when: enable_tlse is defined and enable_tlse
+
 - name: deploy podified Keystone
   ansible.builtin.shell: |
     {{ shell_header }}
     {{ oc_header }}
-    oc patch openstackcontrolplane openstack --type=merge --patch '{{ keystone_patch }}'
+    oc patch openstackcontrolplane openstack --type=merge --patch '{{ keystone_patch_to_use }}'
+  vars:
+    keystone_patch_to_use: "{{ keystone_patch_ldap if (enable_tlse is defined and enable_tlse) else keystone_patch }}"
 
 - name: wait for Keystone to start up
   ansible.builtin.shell: |
@@ -106,3 +146,7 @@
     ${BASH_ALIASES[openstack]} credential show {{ before_adoption_credential.stdout }} -f value -c blob
   register: after_adoption_credential
   failed_when: after_adoption_credential.stdout != 'test'
+
+- name: Run IPA tests if enable_tlse is true
+  ansible.builtin.include_tasks: run_ipa_test.yml
+  when: enable_tlse is defined and enable_tlse

tests/roles/keystone_adoption/tasks/run_ipa_test.yml

@@ -0,0 +1,136 @@
+# Tasks for testing IPA integration with Keystone
+- name: Check if IPA is enabled
+  ansible.builtin.fail:
+    msg: "IPA is not enabled (enable_tlse is not true). Skipping IPA tests."
+  when: enable_tlse is not defined or not enable_tlse
+
+- name: Wait for Keystone to be fully operational
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc wait pod --for condition=Ready --selector=service=keystone
+  register: keystone_wait_result
+  until: keystone_wait_result is success
+  retries: 60
+  delay: 2
+
+- name: Wait for openstackclient pod to be ready
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc wait pod --for condition=Ready --selector=service=openstackclient
+  register: osc_wait_result
+  until: osc_wait_result is success
+  retries: 60
+  delay: 2
+
+- name: Get Keystone route
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc get route keystone-public -n openstack -o jsonpath='{.spec.host}'
+  register: keystone_route
+
+- name: Create files directory if it does not exist
+  ansible.builtin.file:
+    path: "{{ role_path }}/files"
+    state: directory
+    mode: '0755'
+
+- name: Create IPA test user cloudrc file
+  ansible.builtin.template:
+    src: ipauser.j2
+    dest: "{{ role_path }}/files/ipauser"
+    mode: "0600"
+  vars:
+    auth_url: "https://{{ keystone_route.stdout }}/v3"
+    username: "ipauser1"
+    password: "{{ ipa_user_password }}"
+    domain: "REDHAT"
+
+- name: Copy IPA test user cloudrc to openstackclient pod
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc cp {{ role_path }}/files/ipauser openstackclient:/home/cloud-admin/ipauser
+- name: Test IPA user authentication
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc exec -t openstackclient -- bash -c "
+      source /home/cloud-admin/ipauser &&
+      export OS_IDENTITY_API_VERSION=3 &&
+      openstack token issue -f value -c id > /dev/null &&
+      echo 'IPA user authentication successful' ||
+      echo 'IPA user authentication failed'"
+  register: ipa_auth_test
+  failed_when: "'IPA user authentication failed' in ipa_auth_test.stdout"
+  retries: 60
+  delay: 2
+
+- name: List IPA users via Keystone
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc exec -t openstackclient -- bash -c "
+      source /home/cloud-admin/ipauser &&
+      export OS_IDENTITY_API_VERSION=3 &&
+      openstack user list --domain REDHAT"
+  register: ipa_user_list
+
+- name: Verify IPA users are accessible
+  ansible.builtin.assert:
+    that:
+      - "'ipauser1' in ipa_user_list.stdout"
+      - "'ipauser2' in ipa_user_list.stdout"
+      - "'ipauser3' in ipa_user_list.stdout"
+
+- name: List IPA groups via Keystone
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc exec -t openstackclient -- bash -c "
+      source /home/cloud-admin/ipauser &&
+      export OS_IDENTITY_API_VERSION=3 &&
+      openstack group list --domain REDHAT"
+  register: ipa_group_list
+
+- name: Verify IPA groups are accessible
+  ansible.builtin.assert:
+    that:
+      - "'grp-openstack' in ipa_group_list.stdout"
+      - "'grp-openstack-admin' in ipa_group_list.stdout"
+      - "'grp-openstack-demo' in ipa_group_list.stdout"
+
+- name: Check ipauser1 in grp-openstack-admin
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc exec -t openstackclient -- bash -c "
+      source /home/cloud-admin/ipauser &&
+      export OS_IDENTITY_API_VERSION=3 &&
+      openstack group contains user --group-domain REDHAT --user-domain REDHAT grp-openstack-admin ipauser1"
+  register: user1_group_result
+  failed_when: "'ipauser1 in group grp-openstack-admin' not in user1_group_result.stdout"
+
+- name: Check ipauser2 in grp-openstack-demo
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc exec -t openstackclient -- bash -c "
+      source /home/cloud-admin/ipauser &&
+      export OS_IDENTITY_API_VERSION=3 &&
+      openstack group contains user --group-domain REDHAT --user-domain REDHAT grp-openstack-demo ipauser2"
+  register: user2_group_result
+  failed_when: "'ipauser2 in group grp-openstack-demo' not in user2_group_result.stdout"
+
+- name: Check ipauser3 in grp-openstack
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc exec -t openstackclient -- bash -c "
+      source /home/cloud-admin/ipauser &&
+      export OS_IDENTITY_API_VERSION=3 &&
+      openstack group contains user --group-domain REDHAT --user-domain REDHAT grp-openstack ipauser3"
+  register: user3_group_result
+  failed_when: "'ipauser3 in group grp-openstack' not in user3_group_result.stdout"

tests/roles/keystone_adoption/templates/ipauser.j2

@@ -0,0 +1,7 @@
+#!/bin/bash
+unset OS_CLOUD
+export OS_IDENTITY_API_VERSION=3
+export OS_AUTH_URL="{{ auth_url }}"
+export OS_USER_DOMAIN_NAME="{{ domain }}"
+export OS_USERNAME="{{ username }}"
+export OS_PASSWORD="{{ password }}"