diff --git a/tests/roles/development_environment/defaults/main.yaml b/tests/roles/development_environment/defaults/main.yaml
index e1e8b694b..f58872107 100644
--- a/tests/roles/development_environment/defaults/main.yaml
+++ b/tests/roles/development_environment/defaults/main.yaml
@@ -1,3 +1,7 @@
+---
+# IPA-related variables
+ipa_admin_password: "fce95318204114530f31f885c9df588f"
+ipa_user_password: "nomoresecrets"
 prelaunch_test_instance: true
 prelaunch_test_instance_scripts:
 - pre_launch.bash
diff --git a/tests/roles/development_environment/tasks/main.yaml b/tests/roles/development_environment/tasks/main.yaml
index 2d65a2475..0adfed944 100644
--- a/tests/roles/development_environment/tasks/main.yaml
+++ b/tests/roles/development_environment/tasks/main.yaml
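Review bot: `ipa_admin_password` and `ipa_user_password` are committed as literal values in role defaults, and the identical pair is added again to tests/roles/keystone_adoption/defaults/main.yaml further down this commit, so the two copies can drift and the FreeIPA admin credential of the test VM now lives in version control in two places. For a test fixture that may be acceptable, but the file should say so: add `# Test-only fixture credentials; override per environment, never reuse outside CI.` above the two keys, and keep a single definition that both roles read instead of two copies. Note that `ipa_admin_password` is fed to `kinit admin` by the development_environment tasks in this same commit, so it is the working IPA admin secret for that VM rather than a throwaway value.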
@@ -169,3 +169,35 @@ {% else %}
 mkdir -p ~/ci-framework-data/tests/test_operator; scp -i ${EDPM_PRIVATEKEY_PATH} -o StrictHostKeyChecking=no -r ${OS_CLOUD_IP}:~/.ssh/id_ecdsa* ~/ci-framework-data/tests/test_operator/
 {% endif %}
+
+- name: Add IPA domain to Keystone and create IPA users
+ when: enable_tlse is defined and enable_tlse
+ block:
+ - name: SSH into standalone VM and execute IPA commands
+ ansible.builtin.shell: |
+ {{ shell_header }}
+ ssh {{ edpm_node_ip }} "sudo podman exec freeipa-server-container bash -c '\
+ echo {{ ipa_admin_password }} | kinit admin;\
+ ipa user-add svc-ldap --first=Openstack --last=LDAP;\
+ echo {{ ipa_admin_password }} | ipa passwd svc-ldap;\
+ ipa user-add ipauser1 --first=ipa1 --last=user1;\
+ echo {{ ipa_user_password }} | ipa passwd ipauser1;\
+ ipa user-add ipauser2 --first=ipa2 --last=user2;\
+ echo {{ ipa_user_password }} | ipa passwd ipauser2;\
+ ipa user-add ipauser3 --first=ipa3 --last=user3;\
+ echo {{ ipa_user_password }} | ipa passwd ipauser3;\
+ ipa group-add --desc=\"OpenStack Users\" grp-openstack;\
+ ipa group-add --desc=\"OpenStack Admin Users\" grp-openstack-admin;\
+ ipa group-add --desc=\"OpenStack Demo Users\" grp-openstack-demo;\
+ ipa group-add-member --users=svc-ldap grp-openstack;\
+ ipa group-add-member --users=ipauser1 grp-openstack;\
+ ipa group-add-member --users=ipauser1 grp-openstack-admin;\
+ ipa group-add-member --users=ipauser2 grp-openstack;\
+ ipa group-add-member --users=ipauser2 grp-openstack-demo;\
+ ipa group-add-member --users=ipauser3 grp-openstack;\
+ '"
+
+ - name: Add REDHAT domain to Keystone
+ ansible.builtin.shell: |
+ {{ shell_header }}
+ {{ openstack_command }} domain create --description \"Test LDAP Domain\" REDHAT
diff --git a/tests/roles/keystone_adoption/defaults/main.yaml b/tests/roles/keystone_adoption/defaults/main.yaml
index 8cb3ed2e9..cc979aa01 100644
--- a/tests/roles/keystone_adoption/defaults/main.yaml
+++ b/tests/roles/keystone_adoption/defaults/main.yaml
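Review bot: The `SSH into standalone VM and execute IPA commands` task interpolates `{{ ipa_admin_password }}` and `{{ ipa_user_password }}` into the command line, so both secrets are part of the `cmd` the shell module returns (printed on failure and at -v) and of the remote process's argument list on the VM; add `no_log: true` to that task. The LDAP bind account is also given the admin secret (`echo {{ ipa_admin_password }} | ipa passwd svc-ldap`), so whatever later holds the bind password for Keystone holds the IPA admin password too; a separate `ipa_svc_ldap_password` default would keep the bind credential from unlocking the whole IPA realm. In the `Add REDHAT domain to Keystone` task the `\"Test LDAP Domain\"` escapes sit in a plain block scalar with no enclosing double-quoted string, unlike the first task where they are inside the outer `"…"` handed to ssh; if `{{ openstack_command }}` passes its arguments straight through (no inner `bash -c "…"`), the shell splits them into `"Test`, `LDAP` and `Domain"`, and `--description "Test LDAP Domain" REDHAT` is what is wanted.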
@@ -28,3 +28,48 @@ keystone_patch: |
 databaseInstance: openstack
 secret: osp-secret
 keystone_retry_delay: 30
+
+keystone_patch_ldap: |
+ spec:
+ keystone:
+ enabled: true
+ apiOverride:
+ route: {}
+ template:
+ customServiceConfig: |
+ [token]
+ expiration = 360000
+ [identity]
+ domain_specific_drivers_enabled = true
+ extraMounts:
+ - name: v1
+ region: r1
+ extraVol:
+ - propagation:
+ - Keystone
+ extraVolType: Conf
+ volumes:
+ - name: keystone-domains
+ secret:
+ secretName: keystone-domains
+ mounts:
+ - name: keystone-domains
+ mountPath: "/etc/keystone/domains"
+ readOnly: true
+ override:
+ service:
+ internal:
+ metadata:
+ annotations:
+ metallb.universe.tf/address-pool: internalapi
+ metallb.universe.tf/allow-shared-ip: internalapi
+ metallb.universe.tf/loadBalancerIPs: {{ internalapi_prefix | default('172.17.0') }}.80
+ spec:
+ type: LoadBalancer
+ databaseInstance: openstack
+ secret: osp-secret
+
+# IPA-related variables
+edpm_node_hostname: standalone.localdomain
+ipa_admin_password: "fce95318204114530f31f885c9df588f"
+ipa_user_password: "nomoresecrets"
diff --git a/tests/roles/keystone_adoption/tasks/main.yaml b/tests/roles/keystone_adoption/tasks/main.yaml
index 00db1c689..62a53c042 100644
--- a/tests/roles/keystone_adoption/tasks/main.yaml
+++ b/tests/roles/keystone_adoption/tasks/main.yaml
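Review bot: `keystone_patch_ldap` carries `[token] expiration = 360000` in `customServiceConfig`, which is unrelated to the LDAP domain work and is 100 hours against Keystone's 3600 s default, with nothing saying why the test needs it; add a comment above `[token]` stating the reason, or drop the stanza if it was carried over from another patch by accident. The `# IPA-related variables` block repeats the two password values added to tests/roles/development_environment/defaults/main.yaml in this commit (see the note on that hunk); `edpm_node_hostname: standalone.localdomain` is the only key unique to this role and it drives the BaseDN derivation in the tasks file, so `# Used to derive ipa_basedn from the host's domain components` above it would explain why a hostname sits among the credentials.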
@@ -16,11 +16,52 @@ type: Opaque
 EOF
+
+- name: Set IPA BaseDN var
+ ansible.builtin.set_fact:
+ ipa_basedn: "dc={{ edpm_node_hostname.split('.')[1:] | join(',dc=') }}"
+ when: enable_tlse is defined and enable_tlse
+
+- name: Create Keystone domain config secret for LDAP
+ ansible.builtin.shell: |
+ {{ shell_header }}
+ {{ oc_header }}
+ cat < /dev/null &&
+ echo 'IPA user authentication successful' ||
+ echo 'IPA user authentication failed'"
+ register: ipa_auth_test
+ failed_when: "'IPA user authentication failed' in ipa_auth_test.stdout"
+ retries: 60
+ delay: 2
+
+- name: List IPA users via Keystone
+ ansible.builtin.shell: |
+ {{ shell_header }}
+ {{ oc_header }}
+ oc exec -t openstackclient -- bash -c "
+ source /home/cloud-admin/ipauser &&
+ export OS_IDENTITY_API_VERSION=3 &&
+ openstack user list --domain REDHAT"
+ register: ipa_user_list
+
+- name: Verify IPA users are accessible
+ ansible.builtin.assert:
+ that:
+ - "'ipauser1' in ipa_user_list.stdout"
+ - "'ipauser2' in ipa_user_list.stdout"
+ - "'ipauser3' in ipa_user_list.stdout"
+
+- name: List IPA groups via Keystone
+ ansible.builtin.shell: |
+ {{ shell_header }}
+ {{ oc_header }}
+ oc exec -t openstackclient -- bash -c "
+ source /home/cloud-admin/ipauser &&
+ export OS_IDENTITY_API_VERSION=3 &&
+ openstack group list --domain REDHAT"
+ register: ipa_group_list
+
+- name: Verify IPA groups are accessible
+ ansible.builtin.assert:
+ that:
+ - "'grp-openstack' in ipa_group_list.stdout"
+ - "'grp-openstack-admin' in ipa_group_list.stdout"
+ - "'grp-openstack-demo' in ipa_group_list.stdout"
+
+- name: Check ipauser1 in grp-openstack-admin
+ ansible.builtin.shell: |
+ {{ shell_header }}
+ {{ oc_header }}
+ oc exec -t openstackclient -- bash -c "
+ source /home/cloud-admin/ipauser &&
+ export OS_IDENTITY_API_VERSION=3 &&
+ openstack group contains user --group-domain REDHAT --user-domain REDHAT grp-openstack-admin ipauser1"
+ register: user1_group_result
+ failed_when: "'ipauser1 in group 
grp-openstack-admin' not in user1_group_result.stdout"
+
+- name: Check ipauser2 in grp-openstack-demo
+ ansible.builtin.shell: |
+ {{ shell_header }}
+ {{ oc_header }}
+ oc exec -t openstackclient -- bash -c "
+ source /home/cloud-admin/ipauser &&
+ export OS_IDENTITY_API_VERSION=3 &&
+ openstack group contains user --group-domain REDHAT --user-domain REDHAT grp-openstack-demo ipauser2"
+ register: user2_group_result
+ failed_when: "'ipauser2 in group grp-openstack-demo' not in user2_group_result.stdout"
+
+- name: Check ipauser3 in grp-openstack
+ ansible.builtin.shell: |
+ {{ shell_header }}
+ {{ oc_header }}
+ oc exec -t openstackclient -- bash -c "
+ source /home/cloud-admin/ipauser &&
+ export OS_IDENTITY_API_VERSION=3 &&
+ openstack group contains user --group-domain REDHAT --user-domain REDHAT grp-openstack ipauser3"
+ register: user3_group_result
+ failed_when: "'ipauser3 in group grp-openstack' not in user3_group_result.stdout"
diff --git a/tests/roles/keystone_adoption/templates/ipauser.j2 b/tests/roles/keystone_adoption/templates/ipauser.j2
new file mode 100644
index 000000000..d1970b31e
--- /dev/null
+++ b/tests/roles/keystone_adoption/templates/ipauser.j2
@@ -0,0 +1,7 @@
+#!/bin/bash
+unset OS_CLOUD
+export OS_IDENTITY_API_VERSION=3
+export OS_AUTH_URL="{{ auth_url }}"
+export OS_USER_DOMAIN_NAME="{{ domain }}"
+export OS_USERNAME="{{ username }}"
+export OS_PASSWORD="{{ password }}"
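Review bot: The verification tasks from `List IPA users via Keystone` through `Check ipauser3 in grp-openstack` run unconditionally, while `Set IPA BaseDN var` here and the user-creation block in tests/roles/development_environment/tasks/main.yaml are guarded by `when: enable_tlse is defined and enable_tlse`; on a run without TLS-E the `REDHAT` domain and its users are never created, so `openstack user list --domain REDHAT` and the `assert`s fail for the wrong reason, and the guard belongs on every task in this hunk (a `block:` with one `when:` keeps it in one place). In the authentication test the `|| echo 'IPA user authentication failed'` branch discards the real exit status and stderr, and `retries: 60` / `delay: 2` is given without `until:`, whose absence is treated differently across ansible-core versions; make the condition explicit with `until: "'IPA user authentication successful' in ipa_auth_test.stdout"` so the loop's intent does not depend on the version. `ipa_basedn` built from `edpm_node_hostname.split('.')[1:]` renders as `dc=` for a single-label hostname, which is worth a guard or at least a comment on the `set_fact`. Part of this hunk, from the body of `Create Keystone domain config secret for LDAP` to the start of the authentication test, is not legible in this copy of the page, so those lines were not reviewed.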
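Review bot: `{{ password }}` is interpolated unescaped into a double-quoted bash string in the last line of the template, and the rendered file is sourced (`source /home/cloud-admin/ipauser` in the tasks hunk), so a password containing `"`, `$` or a backslash either breaks the file or is expanded by the shell; `export OS_PASSWORD={{ password | quote }}` with the builtin `quote` filter is safe for any value, and the same applies to the other three exports. Because the file is sourced rather than executed, the `#!/bin/bash` line has no effect; either drop it or replace it with `# Environment for openstack CLI calls against the IPA-backed domain; source this file, do not execute it.` How the rendered file is placed on the openstackclient pod is outside the visible lines; a restrictive mode such as `mode: "0600"` on that template task is what a file holding a cleartext password calls for.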