From 78f49e7383fa9e0cf45ebc5f8618e10aa746cb2f Mon Sep 17 00:00:00 2001 From: Grzegorz Grasza Date: Mon, 16 Jun 2025 10:34:27 +0200 Subject: [PATCH 1/6] LDAP Adoption tests IPA is enabled on OSP17 when testing TLS-E adoption. Since it contains an LDAP server, we can use it to run additional LDAP adoption tests. Depends-On: https://github.com/openstack-k8s-operators/install_yamls/pull/1079 --- .../defaults/main.yaml | 4 + .../development_environment/tasks/main.yaml | 32 +++++ .../keystone_adoption/defaults/main.yaml | 45 ++++++ tests/roles/keystone_adoption/tasks/main.yaml | 47 +++++- .../keystone_adoption/tasks/run_ipa_test.yml | 136 ++++++++++++++++++ .../keystone_adoption/templates/ipauser.j2 | 7 + 6 files changed, 270 insertions(+), 1 deletion(-) create mode 100644 tests/roles/keystone_adoption/tasks/run_ipa_test.yml create mode 100644 tests/roles/keystone_adoption/templates/ipauser.j2 diff --git a/tests/roles/development_environment/defaults/main.yaml b/tests/roles/development_environment/defaults/main.yaml index 25f3534d9..c8f059eb9 100644 --- a/tests/roles/development_environment/defaults/main.yaml +++ b/tests/roles/development_environment/defaults/main.yaml @@ -1,3 +1,7 @@ +--- +# IPA-related variables +ipa_admin_password: "fce95318204114530f31f885c9df588f" +ipa_user_password: "nomoresecrets" prelaunch_test_instance: true prelaunch_test_instance_scripts: - pre_launch.bash diff --git a/tests/roles/development_environment/tasks/main.yaml b/tests/roles/development_environment/tasks/main.yaml index 1ec80ebba..4fee5e459 100644 --- a/tests/roles/development_environment/tasks/main.yaml +++ b/tests/roles/development_environment/tasks/main.yaml 
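Review bot: The two new IPA credentials in tests/roles/development_environment/defaults/main.yaml are plaintext literals, and the identical pair is added again in tests/roles/keystone_adoption/defaults/main.yaml later in this patch, so a change to one role silently desynchronises the other. The Keystone LDAP bind in patch 3/6 falls back to `'nomoresecrets'` while the admin default here is the hex value, so a run that gets only one copy ends up with mismatched passwords. Define them once (a shared vars file or extra-vars) and state the intent in both places with `# Test-only FreeIPA credentials for the CI standalone VM; must match tests/roles/keystone_adoption/defaults/main.yaml`.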
@@ -170,3 +170,35 @@ - name: copy keys from undercloud for tobiko ansible.builtin.shell: | mkdir -p ~/ci-framework-data/tests/test_operator; scp -r ${OS_CLOUD_IP}:~/.ssh/id_ecdsa* ~/ci-framework-data/tests/test_operator/ + +- name: Add IPA domain to Keystone and create IPA users + when: enable_tlse is defined and enable_tlse + block: + - name: SSH into standalone VM and execute IPA commands + ansible.builtin.shell: | + {{ shell_header }} + ssh {{ edpm_node_ip }} "sudo podman exec freeipa-server-container bash -c '\ + echo {{ ipa_admin_password }} | kinit admin;\ + ipa user-add svc-ldap --first=Openstack --last=LDAP;\ + echo {{ ipa_admin_password }} | ipa passwd svc-ldap;\ + ipa user-add ipauser1 --first=ipa1 --last=user1;\ + echo {{ ipa_user_password }} | ipa passwd ipauser1;\ + ipa user-add ipauser2 --first=ipa2 --last=user2;\ + echo {{ ipa_user_password }} | ipa passwd ipauser2;\ + ipa user-add ipauser3 --first=ipa3 --last=user3;\ + echo {{ ipa_user_password }} | ipa passwd ipauser3;\ + ipa group-add --desc=\"OpenStack Users\" grp-openstack;\ + ipa group-add --desc=\"OpenStack Admin Users\" grp-openstack-admin;\ + ipa group-add --desc=\"OpenStack Demo Users\" grp-openstack-demo;\ + ipa group-add-member --users=svc-ldap grp-openstack;\ + ipa group-add-member --users=ipauser1 grp-openstack;\ + ipa group-add-member --users=ipauser1 grp-openstack-admin;\ + ipa group-add-member --users=ipauser2 grp-openstack;\ + ipa group-add-member --users=ipauser2 grp-openstack-demo;\ + ipa group-add-member --users=ipauser3 grp-openstack;\ + '" + + - name: Add REDHAT domain to Keystone + ansible.builtin.shell: | + {{ shell_header }} + {{ openstack_command }} domain create --description \"Test LDAP Domain\" REDHAT diff --git a/tests/roles/keystone_adoption/defaults/main.yaml b/tests/roles/keystone_adoption/defaults/main.yaml index 39eb4a039..1d5cfcc1e 100644 --- a/tests/roles/keystone_adoption/defaults/main.yaml +++ b/tests/roles/keystone_adoption/defaults/main.yaml 
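Review bot: In `SSH into standalone VM and execute IPA commands` both passwords are interpolated into the command string, so they appear in the argv of `ssh` and of the remote `bash -c`, in the process list on both hosts, and in Ansible's task output and logs; add `no_log: true` to the task and ideally pass the secrets through stdin rather than `echo` inside the argument string. The same task sets svc-ldap's password to `ipa_admin_password`, so the service account that patch 3/6 later binds with carries the admin credential and the least-privilege switch is nominal; introduce a separate `ipa_svc_ldap_password`. Passwords set by an administrator with `ipa passwd` are, under FreeIPA's default policy, marked expired until the user changes them, which may be why the authentication task needed retries in patch 2/6; confirm the policy on the test IPA or reset the passwords as the users themselves. The `\"Test LDAP Domain\"` escapes in the last added task only survive if `{{ openstack_command }}` wraps its arguments in another shell; if it executes them directly, the description splits into extra positional words.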
@@ -22,3 +22,48 @@ keystone_patch: | type: LoadBalancer databaseInstance: openstack secret: osp-secret + +keystone_patch_ldap: | + spec: + keystone: + enabled: true + apiOverride: + route: {} + template: + customServiceConfig: | + [token] + expiration = 360000 + [identity] + domain_specific_drivers_enabled = true + extraMounts: + - name: v1 + region: r1 + extraVol: + - propagation: + - Keystone + extraVolType: Conf + volumes: + - name: keystone-domains + secret: + secretName: keystone-domains + mounts: + - name: keystone-domains + mountPath: "/etc/keystone/domains" + readOnly: true + override: + service: + internal: + metadata: + annotations: + metallb.universe.tf/address-pool: internalapi + metallb.universe.tf/allow-shared-ip: internalapi + metallb.universe.tf/loadBalancerIPs: {{ internalapi_prefix | default('172.17.0') }}.80 + spec: + type: LoadBalancer + databaseInstance: openstack + secret: osp-secret + +# IPA-related variables +edpm_node_hostname: standalone.localdomain +ipa_admin_password: "fce95318204114530f31f885c9df588f" +ipa_user_password: "nomoresecrets" diff --git a/tests/roles/keystone_adoption/tasks/main.yaml b/tests/roles/keystone_adoption/tasks/main.yaml index 31ff73e65..d43f50aa7 100644 --- a/tests/roles/keystone_adoption/tasks/main.yaml +++ b/tests/roles/keystone_adoption/tasks/main.yaml 
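Review bot: `keystone_patch_ldap` duplicates all of `keystone_patch` and adds an undocumented `[token] expiration = 360000` (100 hours) in customServiceConfig, with no comment saying why the LDAP variant needs long-lived tokens. If the long expiry is only a test convenience, say so above the key with `# Long token lifetime is for the LDAP adoption test run only; keystone_patch is the base of this patch.` and otherwise drop it so the LDAP patch differs from keystone_patch only in the domain-specific-driver settings. Keeping the two patches in sync by hand is error-prone, and a comment naming keystone_patch as the base helps the next editor.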
@@ -16,11 +16,52 @@ type: Opaque EOF + +- name: Set IPA BaseDN var + ansible.builtin.set_fact: + ipa_basedn: "dc={{ edpm_node_hostname.split('.')[1:] | join(',dc=') }}" + when: enable_tlse is defined and enable_tlse + +- name: Create Keystone domain config secret for LDAP + ansible.builtin.shell: | + {{ shell_header }} + {{ oc_header }} + cat < /dev/null && + echo 'IPA user authentication successful' || + echo 'IPA user authentication failed'" + register: ipa_auth_test + failed_when: "'IPA user authentication failed' in ipa_auth_test.stdout" + +- name: List IPA users via Keystone + ansible.builtin.shell: | + {{ shell_header }} + {{ oc_header }} + oc exec -t openstackclient -- bash -c " + source /home/cloud-admin/ipauser && + export OS_IDENTITY_API_VERSION=3 && + openstack user list --domain REDHAT" + register: ipa_user_list + +- name: Verify IPA users are accessible + ansible.builtin.assert: + that: + - "'ipauser1' in ipa_user_list.stdout" + - "'ipauser2' in ipa_user_list.stdout" + - "'ipauser3' in ipa_user_list.stdout" + +- name: List IPA groups via Keystone + ansible.builtin.shell: | + {{ shell_header }} + {{ oc_header }} + oc exec -t openstackclient -- bash -c " + source /home/cloud-admin/ipauser && + export OS_IDENTITY_API_VERSION=3 && + openstack group list --domain REDHAT" + register: ipa_group_list + +- name: Verify IPA groups are accessible + ansible.builtin.assert: + that: + - "'grp-openstack' in ipa_group_list.stdout" + - "'grp-openstack-admin' in ipa_group_list.stdout" + - "'grp-openstack-demo' in ipa_group_list.stdout" + +- name: Check ipauser1 in grp-openstack-admin + ansible.builtin.shell: | + {{ shell_header }} + {{ oc_header }} + oc exec -t openstackclient -- bash -c " + source /home/cloud-admin/ipauser && + export OS_IDENTITY_API_VERSION=3 && + openstack group contains user --group-domain REDHAT --user-domain REDHAT grp-openstack-admin ipauser1" + register: user1_group_result + failed_when: "'ipauser1 in group grp-openstack-admin' not in 
user1_group_result.stdout" + +- name: Check ipauser2 in grp-openstack-demo + ansible.builtin.shell: | + {{ shell_header }} + {{ oc_header }} + oc exec -t openstackclient -- bash -c " + source /home/cloud-admin/ipauser && + export OS_IDENTITY_API_VERSION=3 && + openstack group contains user --group-domain REDHAT --user-domain REDHAT grp-openstack-demo ipauser2" + register: user2_group_result + failed_when: "'ipauser2 in group grp-openstack-demo' not in user2_group_result.stdout" + +- name: Check ipauser3 in grp-openstack + ansible.builtin.shell: | + {{ shell_header }} + {{ oc_header }} + oc exec -t openstackclient -- bash -c " + source /home/cloud-admin/ipauser && + export OS_IDENTITY_API_VERSION=3 && + openstack group contains user --group-domain REDHAT --user-domain REDHAT grp-openstack ipauser3" + register: user3_group_result + failed_when: "'ipauser3 in group grp-openstack' not in user3_group_result.stdout" diff --git a/tests/roles/keystone_adoption/templates/ipauser.j2 b/tests/roles/keystone_adoption/templates/ipauser.j2 new file mode 100644 index 000000000..d1970b31e --- /dev/null +++ b/tests/roles/keystone_adoption/templates/ipauser.j2 @@ -0,0 +1,7 @@ +#!/bin/bash +unset OS_CLOUD +export OS_IDENTITY_API_VERSION=3 +export OS_AUTH_URL="{{ auth_url }}" +export OS_USER_DOMAIN_NAME="{{ domain }}" +export OS_USERNAME="{{ username }}" +export OS_PASSWORD="{{ password }}" From 7351ba492936f04b15dd00abc587ff45b9520508 Mon Sep 17 00:00:00 2001 From: Andre Aranha Date: Wed, 24 Sep 2025 15:35:04 +0200 Subject: [PATCH 2/6] Add retry and delay on the Test IPA user authentication task --- tests/roles/keystone_adoption/tasks/run_ipa_test.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/roles/keystone_adoption/tasks/run_ipa_test.yml b/tests/roles/keystone_adoption/tasks/run_ipa_test.yml index 6829828f3..933ce83ce 100644 --- a/tests/roles/keystone_adoption/tasks/run_ipa_test.yml +++ b/tests/roles/keystone_adoption/tasks/run_ipa_test.yml 
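Review bot: `Set IPA BaseDN var` builds `ipa_basedn` from `edpm_node_hostname.split('.')[1:]`, which yields the invalid `dc=` when the hostname has no domain part, and it assumes the EDPM node's DNS domain equals the IPA base DN; guard it with an assert such as `- ansible.builtin.assert: { that: edpm_node_hostname.split('.') | length > 1 }` or derive the base DN from the IPA domain variable. The hunk as shown in this view is truncated between `cat <` and `/dev/null &&`, and the `run_ipa_test.yml` file header is missing, so the secret-creation task and the start of the authentication test cannot be reviewed here. The six visible test tasks repeat `export OS_IDENTITY_API_VERSION=3` after sourcing `/home/cloud-admin/ipauser`, which already exports it; dropping the duplicate keeps the env file the single source of the client settings.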
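Review bot: ipauser.j2 writes `OS_PASSWORD` in plaintext into a file that is later sourced inside the openstackclient pod; the task that renders and copies it is outside this view, so confirm it sets a restrictive mode (e.g. `mode: "0600"`) and uses `no_log: true` so the password does not land in the play output. The file sets no scope variables (`OS_PROJECT_NAME` / `OS_DOMAIN_NAME`), so the user and group listings in run_ipa_test.yml run with whatever the unscoped token permits; presumably a role assignment for ipauser1 happens in the truncated part of the preceding hunk — verify. A header line such as `# Rendered by keystone_adoption; holds the LDAP test user's credentials for the openstackclient pod` documents the file's purpose for anyone finding it in the pod.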
@@ -67,6 +67,8 @@ echo 'IPA user authentication failed'" register: ipa_auth_test failed_when: "'IPA user authentication failed' in ipa_auth_test.stdout" + retries: 60 + delay: 2 - name: List IPA users via Keystone ansible.builtin.shell: | From dce1529ae5c514ad5107b0f25d205c0f5c8690ae Mon Sep 17 00:00:00 2001 From: Andre Aranha Date: Fri, 26 Sep 2025 17:31:43 +0200 Subject: [PATCH 3/6] Configure ldap to use svc-ldap instead of admin user --- tests/roles/keystone_adoption/tasks/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/roles/keystone_adoption/tasks/main.yaml b/tests/roles/keystone_adoption/tasks/main.yaml index d43f50aa7..2946caa68 100644 --- a/tests/roles/keystone_adoption/tasks/main.yaml +++ b/tests/roles/keystone_adoption/tasks/main.yaml @@ -38,7 +38,7 @@ driver = ldap [ldap] url = ldap://{{ standalone_ip | default(edpm_node_ip) }} - user = uid=admin,cn=users,cn=accounts,{{ ipa_basedn }} + user = uid=svc-ldap,cn=users,cn=accounts,{{ ipa_basedn }} password = {{ ipa_admin_password | default('nomoresecrets') }} suffix = {{ ipa_basedn }} user_tree_dn = cn=users,cn=accounts,{{ ipa_basedn }} From ceeaf364d6078ef823d8fcd764f935382e35ce85 Mon Sep 17 00:00:00 2001 From: Andre Aranha Date: Fri, 26 Sep 2025 17:51:12 +0200 Subject: [PATCH 4/6] Use ldaps instead of ldap --- tests/roles/keystone_adoption/tasks/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/roles/keystone_adoption/tasks/main.yaml b/tests/roles/keystone_adoption/tasks/main.yaml index d98f78852..cff587547 100644 --- a/tests/roles/keystone_adoption/tasks/main.yaml +++ b/tests/roles/keystone_adoption/tasks/main.yaml @@ -37,7 +37,7 @@ [identity] driver = ldap [ldap] - url = ldap://{{ standalone_ip | default(edpm_node_ip) }} + url = ldaps://{{ standalone_ip | default(edpm_node_ip) }} user = uid=svc-ldap,cn=users,cn=accounts,{{ ipa_basedn }} password = {{ ipa_admin_password | default('nomoresecrets') }} suffix = {{ ipa_basedn }} 
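Review bot: `retries: 60` / `delay: 2` are added without an `until` condition; on ansible-core before 2.16 retries without until is forced to a single attempt, and from 2.16 on the task is retried until it stops failing, so the behaviour depends on the controller version. Make it explicit with `until: "'IPA user authentication successful' in ipa_auth_test.stdout"` next to the existing `failed_when`. A short comment, `# Keystone needs time to pick up the new domain config; poll for up to ~2 minutes`, would record why 60×2s was chosen (the reason is inferred here; adjust if it is something else).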
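Review bot: The bind DN in the `[ldap]` section switches to `uid=svc-ldap` but the next line still binds with `{{ ipa_admin_password | default('nomoresecrets') }}`; this only works because the development_environment role sets svc-ldap's password to the admin password, and the fallback `'nomoresecrets'` is the user password from the defaults rather than the admin one, so an undefined variable produces a silent bind failure instead of an obvious error. Give the service account its own variable, `password = {{ ipa_svc_ldap_password }}`, with a matching default in both roles' defaults, and drop the misleading fallback. The enclosing secret-creation task starts outside the hunk.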
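Review bot: Switching the URL to `ldaps://` makes the Keystone pod validate the IPA server certificate, but nothing in the hunk shows a `tls_cacertfile` (or `use_tls` / `tls_req_cert`) setting, so the bind fails unless the IPA CA is already in the pod's trust bundle; confirm how the CA reaches the keystone container in TLS-E adoption and, if it arrives via a mount, add `tls_cacertfile = <path-to-ipa-ca-bundle>` to this section. The rest of the `[ldap]` block is outside the hunk.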
From ec6aba7ebef25e54da83e0c825edfa688c75f590 Mon Sep 17 00:00:00 2001 From: Andre Aranha Date: Tue, 30 Sep 2025 13:10:15 +0200 Subject: [PATCH 5/6] Fix lint --- tests/roles/development_environment/tasks/main.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/roles/development_environment/tasks/main.yaml b/tests/roles/development_environment/tasks/main.yaml index ed81c86f5..9a66eb058 100644 --- a/tests/roles/development_environment/tasks/main.yaml +++ b/tests/roles/development_environment/tasks/main.yaml @@ -192,4 +192,5 @@ - name: Add REDHAT domain to Keystone ansible.builtin.shell: | {{ shell_header }} - {{ openstack_command }} domain create --description \"Test LDAP Domain\" REDHAT \ No newline at end of file + {{ openstack_command }} domain create --description \"Test LDAP Domain\" REDHAT + From 6385a0ef11e2bdb7c714b9adad5032ecadca5291 Mon Sep 17 00:00:00 2001 From: Andre Aranha Date: Tue, 30 Sep 2025 14:45:59 +0200 Subject: [PATCH 6/6] Fix lint --- tests/roles/development_environment/tasks/main.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/roles/development_environment/tasks/main.yaml b/tests/roles/development_environment/tasks/main.yaml index 9a66eb058..a1a858132 100644 --- a/tests/roles/development_environment/tasks/main.yaml +++ b/tests/roles/development_environment/tasks/main.yaml @@ -193,4 +193,3 @@ ansible.builtin.shell: | {{ shell_header }} {{ openstack_command }} domain create --description \"Test LDAP Domain\" REDHAT -