LDAP Adoption tests

IPA is enabled on OSP17 when testing TLS-E adoption. Since
it contains an LDAP server, we can use it to run additional
LDAP adoption tests.

Author: xek

tests/roles/development_environment/defaults/main.yaml

@@ -1,3 +1,7 @@
+---
+# IPA-related variables
+ipa_admin_password: "fce95318204114530f31f885c9df588f"
+ipa_user_password: "nomoresecrets"
 prelaunch_test_instance: true
 prelaunch_test_instance_scripts:
   - pre_launch.bash

tests/roles/development_environment/tasks/main.yaml

@@ -170,3 +170,35 @@
     - name: copy keys from undercloud for tobiko
       ansible.builtin.shell: |
         mkdir -p ~/ci-framework-data/tests/test_operator; scp -r ${OS_CLOUD_IP}:~/.ssh/id_ecdsa* ~/ci-framework-data/tests/test_operator/
+
+- name: Add IPA domain to Keystone and create IPA users
+  when: enable_tlse is defined and enable_tlse
+  block:
+    - name: SSH into standalone VM and execute IPA commands
+      ansible.builtin.shell: |
+        {{ shell_header }}
+        ssh {{ edpm_node_ip }} "sudo podman exec -it freeipa-server-container bash -c '\
+          echo {{ ipa_admin_password }} | kinit admin;\
+          ipa user-add svc-ldap --first=Openstack --last=LDAP;\
+          echo {{ ipa_admin_password }} | ipa passwd svc-ldap;\
+          ipa user-add ipauser1 --first=ipa1 --last=user1;\
+          echo {{ ipa_admin_password }} | ipa passwd ipauser1;\
+          ipa user-add ipauser2 --first=ipa2 --last=user2;\
+          echo {{ ipa_admin_password }} | ipa passwd ipauser2;\
+          ipa user-add ipauser3 --first=ipa3 --last=user3;\
+          echo {{ ipa_admin_password }} | ipa passwd ipauser3;\
+          ipa group-add --desc='OpenStack Users' grp-openstack;\
+          ipa group-add --desc='OpenStack Admin Users' grp-openstack-admin;\
+          ipa group-add --desc='OpenStack Demo Users' grp-openstack-demo;\
+          ipa group-add-member --users=svc-ldap grp-openstack;\
+          ipa group-add-member --users=ipauser1 grp-openstack;\
+          ipa group-add-member --users=ipauser1 grp-openstack-admin;\
+          ipa group-add-member --users=ipauser2 grp-openstack;\
+          ipa group-add-member --users=ipauser2 grp-openstack-demo;\
+          ipa group-add-member --users=ipauser3 grp-openstack;\
+          '"
+
+    - name: Add REDHAT domain to Keystone
+      ansible.builtin.shell: |
+        {{ shell_header }}
+        {{ openstack_command }} domain create --description "Test LDAP Domain" REDHAT

tests/roles/keystone_adoption/defaults/main.yaml

@@ -10,6 +10,23 @@ keystone_patch: |
         customServiceConfig: |
           [token]
           expiration = 360000
+          [identity]
+          domain_specific_drivers_enabled = true
+        extraMounts:
+          - name: v1
+            region: r1
+            extraVol:
+              - propagation:
+                - Keystone
+                extraVolType: Conf
+                volumes:
+                - name: keystone-domains
+                  secret:
+                    secretName: keystone-domains
+                mounts:
+                - name: keystone-domains
+                  mountPath: "/etc/keystone/domains"
+                  readOnly: true
         override:
           service:
             internal:
@@ -22,3 +39,7 @@ keystone_patch: |
                 type: LoadBalancer
         databaseInstance: openstack
         secret: osp-secret
+# IPA-related variables
+edpm_node_hostname: standalone.localdomain
+ipa_admin_password: "fce95318204114530f31f885c9df588f"
+ipa_user_password: "nomoresecrets"

tests/roles/keystone_adoption/tasks/main.yaml

@@ -16,6 +16,48 @@
     type: Opaque
     EOF
 
+
+- name: Set IPA BaseDN and hostname vars
+  ansible.builtin.set_fact:
+    ipa_hostname: "ipa.{{ edpm_node_hostname.split('.')[1:] }}"
+    ipa_basedn: "dc={{ edpm_node_hostname.split('.')[1:] | join(',dc=') }}"
+
+
+- name: Create Keystone domain config secret for LDAP
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    cat <<EOF | oc apply -n openstack -f -
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: keystone-domains
+    type: Opaque
+    stringData:
+      keystone.{{ ipa_domain | default('REDHAT') }}.conf: |
+        [identity]
+        driver = ldap
+        [ldap]
+        url = ldap://{{ ipa_hostname }}
+        user = uid=admin,cn=users,cn=accounts,{{ ipa_basedn }}
+        password = {{ ipa_admin_password | default('nomoresecrets') }}
+        suffix = {{ ipa_basedn }}
+        user_tree_dn = cn=users,cn=accounts,{{ ipa_basedn }}
+        user_objectclass = person
+        user_id_attribute = uid
+        user_name_attribute = uid
+        user_mail_attribute = mail
+        group_tree_dn = cn=groups,cn=accounts,{{ ipa_basedn }}
+        group_objectclass = groupOfNames
+        group_id_attribute = cn
+        group_name_attribute = cn
+        group_member_attribute = member
+        group_desc_attribute = description
+    EOF
+  vars:
+    keystone_ldap_config_content: |
+
+
 - name: deploy podified Keystone
   ansible.builtin.shell: |
     {{ shell_header }}
@@ -106,3 +148,7 @@
     ${BASH_ALIASES[openstack]} credential show {{ before_adoption_credential.stdout }} -f value -c blob
   register: after_adoption_credential
   failed_when: after_adoption_credential.stdout != 'test'
+
+- name: Run IPA tests if enable_tlse is true
+  ansible.builtin.include_tasks: run_ipa_test.yml
+  when: enable_tlse is defined and enable_tlse

tests/roles/keystone_adoption/tasks/run_ipa_test.yml

@@ -0,0 +1,143 @@
+---
+# Tasks for testing IPA integration with Keystone
+- name: Check if IPA is enabled
+  ansible.builtin.fail:
+    msg: "IPA is not enabled (enable_tlse is not true). Skipping IPA tests."
+  when: enable_tlse is not defined or not enable_tlse
+
+- name: Wait for Keystone to be fully operational
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc wait pod --for condition=Ready --selector=service=keystone
+  register: keystone_wait_result
+  until: keystone_wait_result is success
+  retries: 60
+  delay: 2
+  when: enable_tlse
+
+- name: Wait for openstackclient pod to be ready
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc wait pod --for condition=Ready --selector=service=openstackclient
+  register: osc_wait_result
+  until: osc_wait_result is success
+  retries: 60
+  delay: 2
+  when: enable_tlse
+
+- name: Get Keystone route
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc get route keystone-public -n openstack -o jsonpath='{.spec.host}'
+  register: keystone_route
+  when: enable_tlse
+
+- name: Create IPA test user cloudrc file
+  ansible.builtin.template:
+    src: ipauser.j2
+    dest: "{{ ansible_user_dir }}/ipauser"
+    mode: "0600"
+  vars:
+    auth_url: "https://{{ keystone_route.stdout }}/v3"
+    username: "ipauser1"
+    password: "{{ ipa_user_password }}"
+    domain: "REDHAT"
+  when: enable_tlse
+
+- name: Copy IPA test user cloudrc to openstackclient pod
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc cp {{ ansible_user_dir }}/ipauser openstackclient:/home/cloud-admin/ipauser
+  when: enable_tlse
+
+- name: Test IPA user authentication
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc exec -t openstackclient -- bash -c "
+      source /home/cloud-admin/ipauser &&
+      export OS_IDENTITY_API_VERSION=3 &&
+      openstack token issue -f value -c id > /dev/null &&
+      echo 'IPA user authentication successful' ||
+      echo 'IPA user authentication failed'"
+  register: ipa_auth_test
+  failed_when: "'IPA user authentication failed' in ipa_auth_test.stdout"
+  when: enable_tlse
+
+- name: List IPA users via Keystone
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc exec -t openstackclient -- bash -c "
+      source /home/cloud-admin/ipauser &&
+      export OS_IDENTITY_API_VERSION=3 &&
+      openstack user list --domain REDHAT"
+  register: ipa_user_list
+  when: enable_tlse
+
+- name: Verify IPA users are accessible
+  ansible.builtin.assert:
+    that:
+      - "'ipauser1' in ipa_user_list.stdout"
+      - "'ipauser2' in ipa_user_list.stdout"
+      - "'ipauser3' in ipa_user_list.stdout"
+  when: enable_tlse
+
+- name: List IPA groups via Keystone
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc exec -t openstackclient -- bash -c "
+      source /home/cloud-admin/ipauser &&
+      export OS_IDENTITY_API_VERSION=3 &&
+      openstack group list --domain REDHAT"
+  register: ipa_group_list
+  when: enable_tlse
+
+- name: Verify IPA groups are accessible
+  ansible.builtin.assert:
+    that:
+      - "'grp-openstack' in ipa_group_list.stdout"
+      - "'grp-openstack-admin' in ipa_group_list.stdout"
+      - "'grp-openstack-demo' in ipa_group_list.stdout"
+  when: enable_tlse
+
+- name: Verify group memberships
+  when: enable_tlse
+  block:
+    - name: Check ipauser1 in grp-openstack-admin
+      ansible.builtin.shell: |
+        {{ shell_header }}
+        {{ oc_header }}
+        oc exec -t openstackclient -- bash -c "
+          source /home/cloud-admin/ipauser &&
+          export OS_IDENTITY_API_VERSION=3 &&
+          openstack group contains user --group-domain REDHAT --user-domain REDHAT grp-openstack-admin ipauser1"
+      register: user1_group_result
+      failed_when: "'ipauser1 in group grp-openstack-admin' not in user1_group_result.stdout"
+
+    - name: Check ipauser2 in grp-openstack-demo
+      ansible.builtin.shell: |
+        {{ shell_header }}
+        {{ oc_header }}
+        oc exec -t openstackclient -- bash -c "
+          source /home/cloud-admin/ipauser &&
+          export OS_IDENTITY_API_VERSION=3 &&
+          openstack group contains user --group-domain REDHAT --user-domain REDHAT grp-openstack-demo ipauser2"
+      register: user2_group_result
+      failed_when: "'ipauser2 in group grp-openstack-demo' not in user2_group_result.stdout"
+
+    - name: Check ipauser3 in grp-openstack
+      ansible.builtin.shell: |
+        {{ shell_header }}
+        {{ oc_header }}
+        oc exec -t openstackclient -- bash -c "
+          source /home/cloud-admin/ipauser &&
+          export OS_IDENTITY_API_VERSION=3 &&
+          openstack group contains user --group-domain REDHAT --user-domain REDHAT grp-openstack ipauser3"
+      register: user3_group_result
+      failed_when: "'ipauser3 in group grp-openstack' not in user3_group_result.stdout"

tests/roles/keystone_adoption/templates/ipauser.j2

@@ -0,0 +1,7 @@
+#!/bin/bash
+unset OS_CLOUD
+export OS_IDENTITY_API_VERSION=3
+export OS_AUTH_URL="{{ auth_url }}"
+export OS_USER_DOMAIN_NAME="{{ domain }}"
+export OS_USERNAME="{{ username }}"
+export OS_PASSWORD="{{ password }}"