LDAP Adoption tests

xek · xek · commit e74e02e5f984 · 2025-06-16T15:00:10.000+02:00
IPA is enabled on OSP17 when testing TLS-E adoption. Since
it contains an LDAP server, we can use it to run additional
LDAP adoption tests.
diff --git a/tests/roles/development_environment/defaults/main.yaml b/tests/roles/development_environment/defaults/main.yaml
@@ -1,3 +1,7 @@
+---
+# IPA-related variables
+ipa_admin_password: "fce95318204114530f31f885c9df588f"
+ipa_user_password: "nomoresecrets"
 prelaunch_test_instance: true
 prelaunch_test_instance_scripts:
   - pre_launch.bash
diff --git a/tests/roles/development_environment/tasks/main.yaml b/tests/roles/development_environment/tasks/main.yaml
@@ -170,3 +170,35 @@
     - name: copy keys from undercloud for tobiko
       ansible.builtin.shell: |
         mkdir -p ~/ci-framework-data/tests/test_operator; scp -r ${OS_CLOUD_IP}:~/.ssh/id_ecdsa* ~/ci-framework-data/tests/test_operator/
+
+- name: Add IPA domain to Keystone and create IPA users
+  when: enable_tlse is defined and enable_tlse
+  block:
+    - name: SSH into standalone VM and execute IPA commands
+      ansible.builtin.shell: |
+        {{ shell_header }}
+        ssh {{ edpm_node_ip }} "sudo podman exec -it freeipa-server-container bash -c '\
+          echo {{ ipa_admin_password }} | kinit admin;\
+          ipa user-add svc-ldap --first=Openstack --last=LDAP;\
+          echo {{ ipa_admin_password }} | ipa passwd svc-ldap;\
+          ipa user-add ipauser1 --first=ipa1 --last=user1;\
+          echo {{ ipa_admin_password }} | ipa passwd ipauser1;\
+          ipa user-add ipauser2 --first=ipa2 --last=user2;\
+          echo {{ ipa_admin_password }} | ipa passwd ipauser2;\
+          ipa user-add ipauser3 --first=ipa3 --last=user3;\
+          echo {{ ipa_admin_password }} | ipa passwd ipauser3;\
+          ipa group-add --desc='OpenStack Users' grp-openstack;\
+          ipa group-add --desc='OpenStack Admin Users' grp-openstack-admin;\
+          ipa group-add --desc='OpenStack Demo Users' grp-openstack-demo;\
+          ipa group-add-member --users=svc-ldap grp-openstack;\
+          ipa group-add-member --users=ipauser1 grp-openstack;\
+          ipa group-add-member --users=ipauser1 grp-openstack-admin;\
+          ipa group-add-member --users=ipauser2 grp-openstack;\
+          ipa group-add-member --users=ipauser2 grp-openstack-demo;\
+          ipa group-add-member --users=ipauser3 grp-openstack;\
+          '"
+
+    - name: Add REDHAT domain to Keystone
+      ansible.builtin.shell: |
+        {{ shell_header }}
+        {{ openstack_command }} domain create --description "Test LDAP Domain" REDHAT
diff --git a/tests/roles/keystone_adoption/defaults/main.yaml b/tests/roles/keystone_adoption/defaults/main.yaml
@@ -22,3 +22,5 @@ keystone_patch: |
                 type: LoadBalancer
         databaseInstance: openstack
         secret: osp-secret
+# IPA-related variables
+ipa_user_password: "nomoresecrets"
diff --git a/tests/roles/keystone_adoption/tasks/main.yaml b/tests/roles/keystone_adoption/tasks/main.yaml
@@ -106,3 +106,7 @@
     ${BASH_ALIASES[openstack]} credential show {{ before_adoption_credential.stdout }} -f value -c blob
   register: after_adoption_credential
   failed_when: after_adoption_credential.stdout != 'test'
+
+- name: Run IPA tests if enable_tlse is true
+  ansible.builtin.include_tasks: run_ipa_test.yml
+  when: enable_tlse is defined and enable_tlse
diff --git a/tests/roles/keystone_adoption/tasks/run_ipa_test.yml b/tests/roles/keystone_adoption/tasks/run_ipa_test.yml
@@ -0,0 +1,143 @@
+---
+# Tasks for testing IPA integration with Keystone
+- name: Check if IPA is enabled
+  ansible.builtin.fail:
+    msg: "IPA is not enabled (enable_tlse is not true). Skipping IPA tests."
+  when: enable_tlse is not defined or not enable_tlse
+
+- name: Wait for Keystone to be fully operational
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc wait pod --for condition=Ready --selector=service=keystone
+  register: keystone_wait_result
+  until: keystone_wait_result is success
+  retries: 60
+  delay: 2
+  when: enable_tlse
+
+- name: Wait for openstackclient pod to be ready
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc wait pod --for condition=Ready --selector=service=openstackclient
+  register: osc_wait_result
+  until: osc_wait_result is success
+  retries: 60
+  delay: 2
+  when: enable_tlse
+
+- name: Get Keystone route
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc get route keystone-public -n openstack -o jsonpath='{.spec.host}'
+  register: keystone_route
+  when: enable_tlse
+
+- name: Create IPA test user cloudrc file
+  ansible.builtin.template:
+    src: ipauser.j2
+    dest: "{{ ansible_user_dir }}/ipauser"
+    mode: "0600"
+  vars:
+    auth_url: "https://{{ keystone_route.stdout }}/v3"
+    username: "ipauser1"
+    password: "{{ ipa_user_password }}"
+    domain: "REDHAT"
+  when: enable_tlse
+
+- name: Copy IPA test user cloudrc to openstackclient pod
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc cp {{ ansible_user_dir }}/ipauser openstackclient:/home/cloud-admin/ipauser
+  when: enable_tlse
+
+- name: Test IPA user authentication
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc exec -t openstackclient -- bash -c "
+      source /home/cloud-admin/ipauser &&
+      export OS_IDENTITY_API_VERSION=3 &&
+      openstack token issue -f value -c id > /dev/null &&
+      echo 'IPA user authentication successful' ||
+      echo 'IPA user authentication failed'"
+  register: ipa_auth_test
+  failed_when: "'IPA user authentication failed' in ipa_auth_test.stdout"
+  when: enable_tlse
+
+- name: List IPA users via Keystone
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc exec -t openstackclient -- bash -c "
+      source /home/cloud-admin/ipauser &&
+      export OS_IDENTITY_API_VERSION=3 &&
+      openstack user list --domain REDHAT"
+  register: ipa_user_list
+  when: enable_tlse
+
+- name: Verify IPA users are accessible
+  ansible.builtin.assert:
+    that:
+      - "'ipauser1' in ipa_user_list.stdout"
+      - "'ipauser2' in ipa_user_list.stdout"
+      - "'ipauser3' in ipa_user_list.stdout"
+  when: enable_tlse
+
+- name: List IPA groups via Keystone
+  ansible.builtin.shell: |
+    {{ shell_header }}
+    {{ oc_header }}
+    oc exec -t openstackclient -- bash -c "
+      source /home/cloud-admin/ipauser &&
+      export OS_IDENTITY_API_VERSION=3 &&
+      openstack group list --domain REDHAT"
+  register: ipa_group_list
+  when: enable_tlse
+
+- name: Verify IPA groups are accessible
+  ansible.builtin.assert:
+    that:
+      - "'grp-openstack' in ipa_group_list.stdout"
+      - "'grp-openstack-admin' in ipa_group_list.stdout"
+      - "'grp-openstack-demo' in ipa_group_list.stdout"
+  when: enable_tlse
+
+- name: Verify group memberships
+  block:
+    - name: Check ipauser1 in grp-openstack-admin
+      ansible.builtin.shell: |
+        {{ shell_header }}
+        {{ oc_header }}
+        oc exec -t openstackclient -- bash -c "
+          source /home/cloud-admin/ipauser &&
+          export OS_IDENTITY_API_VERSION=3 &&
+          openstack group contains user --group-domain REDHAT --user-domain REDHAT grp-openstack-admin ipauser1"
+      register: user1_group_result
+      failed_when: "'ipauser1 in group grp-openstack-admin' not in user1_group_result.stdout"
+
+    - name: Check ipauser2 in grp-openstack-demo
+      ansible.builtin.shell: |
+        {{ shell_header }}
+        {{ oc_header }}
+        oc exec -t openstackclient -- bash -c "
+          source /home/cloud-admin/ipauser &&
+          export OS_IDENTITY_API_VERSION=3 &&
+          openstack group contains user --group-domain REDHAT --user-domain REDHAT grp-openstack-demo ipauser2"
+      register: user2_group_result
+      failed_when: "'ipauser2 in group grp-openstack-demo' not in user2_group_result.stdout"
+
+    - name: Check ipauser3 in grp-openstack
+      ansible.builtin.shell: |
+        {{ shell_header }}
+        {{ oc_header }}
+        oc exec -t openstackclient -- bash -c "
+          source /home/cloud-admin/ipauser &&
+          export OS_IDENTITY_API_VERSION=3 &&
+          openstack group contains user --group-domain REDHAT --user-domain REDHAT grp-openstack ipauser3"
+      register: user3_group_result
+      failed_when: "'ipauser3 in group grp-openstack' not in user3_group_result.stdout"
+  when: enable_tlse
diff --git a/tests/roles/keystone_adoption/templates/ipauser.j2 b/tests/roles/keystone_adoption/templates/ipauser.j2
@@ -0,0 +1,7 @@
+#!/bin/bash
+unset OS_CLOUD
+export OS_IDENTITY_API_VERSION=3
+export OS_AUTH_URL="{{ auth_url }}"
+export OS_USER_DOMAIN_NAME="{{ domain }}"
+export OS_USERNAME="{{ username }}"
+export OS_PASSWORD="{{ password }}"
