Add IPA IPA Trust Topology Controller #119
Conversation
|
@justin-stephenson, It looks great, but I do think we should rename the topologies to just IPATrust, ADTrust and then SambaTrust. |
That makes sense for the individual KnownTopology objects. What about Topology groups? My thinking was to have the following:
This handles the case of any trust tests which may only run against IPA - AD trusts (AD and SambaAD specific), but in general we should try to write tests which are green for all trust types (using this What do you think? |
|
How about about,
TrustAD could be generic, but it'd be confusing with ADTrust and just being the inverse. |
justin-stephenson
force-pushed
the
ipa_ipa_trust_topology_controller
branch
from
50d1412
to
24b3db4
Compare
Okay do we agree on the following? If yes i'll make this change to the PR. KnownTopology:
KnownTopologyGroup:
|
justin-stephenson
force-pushed
the
ipa_ipa_trust_topology_controller
branch
from
24b3db4
to
f57543c
Compare
There was a problem hiding this comment.
Hi, it looks good, in general. See comments inside.
About COPR packages, we can leave it as is for now to simplify local testing. But it certainly should not be merged. If we would like to merge it, then proper downgrade of the packages must be done, otherwise we'd run tests against wip ipa.
sssd_test_framework/topology.py
Outdated
| @@ -118,6 +119,17 @@ def test_ldap(client: Client, ldap: LDAP): | |||
| .. topology-mark:: KnownTopology.IPATrustSamba | |||
| """ | |||
|
|
|||
| IPATrustIPA = SSSDTopologyMark( | |||
| name="ipa-trust-ipa", | |||
| topology=Topology(TopologyDomain("sssd", client=1, ipa=2)), | |||
There was a problem hiding this comment.
Second IPA should go into different domain.
If you put two ore more identical roles inside single domain, it should mean that the hosts are identical (i.e. ipa replica).
There was a problem hiding this comment.
Updated, along with sssd tests mhc.yaml.
| client.conn.exec(["dnf", "copr", "enable", "abbra/wip-ipa-trust", "-y"]) | ||
|
|
||
| ipa.conn.exec(["dnf", "update", "freeipa-server", "sssd-client", "-y"]) | ||
| client.conn.exec(["dnf", "update", "sssd-client", "-y"]) |
There was a problem hiding this comment.
Both PR CI and IDM CI installs SSSD under test, this is not necessary and will probably break in non-local run.
There was a problem hiding this comment.
This will be removed later when feature is available and does not need to be installed from COPR, let's leave this conversation open.
| # Add ipa-ipa trust COPR and update packages | ||
| self.logger.info("Adding COPR and updating packages") | ||
| ipa.conn.exec(["dnf", "copr", "enable", "abbra/wip-ipa-trust", "-y"]) | ||
| client.conn.exec(["dnf", "copr", "enable", "abbra/wip-ipa-trust", "-y"]) | ||
|
|
||
| ipa.conn.exec(["dnf", "update", "freeipa-server", "sssd-client", "-y"]) |
There was a problem hiding this comment.
This shouldn't be here, if needed as a temporary solution it should be moved before pytest is run. I.e. the CI workflow, or install it manually on local run.
There was a problem hiding this comment.
My intent was to simplify the steps for QE.
This will be removed later when feature is available and does not need to be installed from COPR, let's leave this conversation open.
| # F40 sssd-kcm fails to start with 'Invalid option --genconf-section=kcm:' | ||
| ipa.conn.exec(["systemctl", "restart", "sssd-kcm"]) |
There was a problem hiding this comment.
Is this fixed/investigated already?
There was a problem hiding this comment.
Only relevant with install from COPR.
This will be removed later when feature is available and does not need to be installed from COPR, let's leave this conversation open.
|
Please, also add feature detection. |
Thank you for the review. I should have been more clear about the current state. We are still in mid-development phase of IPA IPA trust feature. I created these PRs to involve QE early on in the development. We have some working functionality in sssd/ipa packages from COPR therefore they can start writing some basic tests. Dan + Jakub wanted to see these PRs to start building out the parts needed for IPA IPA Trust downstream testing. I set the |
justin-stephenson
force-pushed
the
ipa_ipa_trust_topology_controller
branch
from
f57543c
to
be33278
Compare
There was a problem hiding this comment.
For the trust do both ipa servers need to be changed or only the one trusting?
If so:
- Would it be possible to switch the code around so ipa2 is trusting ipa1?
- That way we can keep ipa1 on the production version for other tests.
As for copr/packages, the code should be in ansible playbook in sssd-ci-containers
and enabled by a switch that is by default off. We do not want anything messing around with tested artifacts.
Currently it is possible to upgrade just the 1 IPA server but with upcoming changes on FreeIPA side in the near future it will be required to upgrade both IPA masters (
Okay I can move this code to SSSD/sssd-ci-containers#106 but I'm not sure how to handle downgrading SSSD packages from COPR after IPA IPA trust tests are run (initially I thought this would be handled by IPA topology controller teardown). |
justin-stephenson
force-pushed
the
ipa_ipa_trust_topology_controller
branch
from
be33278
to
132cd8b
Compare
Thank you for explaining your plan. There's no need to handle this if we don't intent to merge it in this state. I think we can do two things here:
|
@jakub-vavra-cz are you okay with either of these options? |
|
@justin-stephenson: We could use some detection for the ipa2ipa trust capability both on client and on the ipa server. That way we can prepare and merge tests before it is available and run them only where it makes a sense. |
Add "IPATrustIPA" KnownTopology For topology groups some changes are: - Remove "IPATrust" - Add "IPATrustAD" -- includes IPATrustAD and IPATrustSamba - Add "AnyIPATrust" -- includes IPATrustAD, IPATrustSamba, IPATrustIPA
justin-stephenson
force-pushed
the
ipa_ipa_trust_topology_controller
branch
from
132cd8b
to
f12cece
Compare
|
Rebased, needed some minor changes due to pytest-mh changes. |
Add "IPATrustIPA" KnownTopology
For topology groups some changes are:
Linked PRs:
SSSD/sssd-ci-containers#106
SSSD/sssd#7517