From 48104c25aa0d23d3606cbd9f250963b48bd7f58f Mon Sep 17 00:00:00 2001
From: Justin Stephenson
Date: Tue, 30 Jul 2024 14:09:08 -0400
Subject: [PATCH] Support IPA IPA Trust with additional IPA server

---
 data/configs/dnsmasq.conf                   |  2 ++
 docker-compose.yml                          | 22 +++++++++++++++++++
 src/ansible/group_vars/all                  |  7 ++++++
 src/ansible/inventory.yml                   |  2 ++
 src/ansible/roles/cleanup/tasks/main.yml    |  4 ++--
 .../roles/dns/templates/etc.dnsmasq.conf.j2 | 10 +++++----
 src/ansible/roles/ipa/tasks/main.yml        |  5 +++++
 src/build.sh                                |  1 +
 src/docker-compose.build.yml                |  3 +++
 src/push.sh                                 |  1 +
 src/tools/gen-ssh-keys.sh                   |  2 +-
 src/tools/setup-dns-files.sh                |  2 ++
 12 files changed, 54 insertions(+), 7 deletions(-)

diff --git a/data/configs/dnsmasq.conf b/data/configs/dnsmasq.conf
index 011d03c8..2fea94df 100644
--- a/data/configs/dnsmasq.conf
+++ b/data/configs/dnsmasq.conf
@@ -12,6 +12,7 @@ cache-size=0
 
 # These zones have their own DNS server
 server=/ipa.test/172.16.100.10
+server=/ipa2.test/172.16.100.11
 server=/samba.test/172.16.100.30
 server=/ad.test/172.16.200.10
 
@@ -35,3 +36,4 @@ ptr-record=30.100.16.172.in-addr.arpa,dc.samba.test
 ptr-record=40.100.16.172.in-addr.arpa,client.test
 ptr-record=10.200.16.172.in-addr.arpa,dc.ad.test
 ptr-record=70.100.16.172.in-addr.arpa,master.keycloak.test
+ptr-record=80.100.16.172.in-addr.arpa,master2.ipa2.test
diff --git a/docker-compose.yml b/docker-compose.yml
index 4ab587b2..20d7fbf0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
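Review bot: The added PTR record maps 172.16.100.80 to master2.ipa2.test, but every other place in this patch puts that host at 172.16.100.11 — the `server=/ipa2.test/172.16.100.11` line one hunk up in this same file, `ipv4_address: 172.16.100.11` in docker-compose.yml, and `echo "172.16.100.11 master2.ipa2.test"` in setup-dns-files.sh. Reverse lookups of the second IPA server will therefore return nothing while .80 resolves to a host that does not exist, and Kerberos and IPA host enrolment are sensitive to forward/reverse mismatches, so this is likely to surface later as a confusing trust failure. Unless .80 is deliberately reserved for something outside this patch, the line should read `ptr-record=11.100.16.172.in-addr.arpa,master2.ipa2.test`.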
@@ -44,6 +44,28 @@ services:
     networks:
       sssd:
         ipv4_address: 172.16.100.10
+  ipa2:
+    image: ${REGISTRY}/ci-ipa2:${TAG}
+    container_name: ipa2
+    hostname: master2.ipa2.test
+    dns: 172.16.100.2
+    env_file: ./env.containers
+    volumes:
+      - ./shared:/shared:rw
+    cap_add:
+      - SYS_ADMIN
+      - SYS_PTRACE
+      - AUDIT_WRITE
+      - AUDIT_CONTROL
+      - SYS_CHROOT
+      - NET_ADMIN
+    security_opt:
+      - apparmor=unconfined
+      - label=disable
+      - seccomp=unconfined
+    networks:
+      sssd:
+        ipv4_address: 172.16.100.11
   ldap:
     image: ${REGISTRY}/ci-ldap:${TAG}
     container_name: ldap
diff --git a/src/ansible/group_vars/all b/src/ansible/group_vars/all
index a36830bc..4cfe7b75 100644
--- a/src/ansible/group_vars/all
+++ b/src/ansible/group_vars/all
@@ -6,6 +6,13 @@ service: {
     netbios: 'IPA',
     password: 'Secret123'
   },
+  ipa2: {
+    domain: 'ipa2.test',
+    hostname: 'master2',
+    fqn: 'master2.ipa2.test',
+    netbios: 'IPA2',
+    password: 'Secret123'
+  },
   ldap: {
     domain: 'ldap.test',
     hostname: 'master',
diff --git a/src/ansible/inventory.yml b/src/ansible/inventory.yml
index 3f075a5c..83f7d83f 100644
--- a/src/ansible/inventory.yml
+++ b/src/ansible/inventory.yml
@@ -53,6 +53,8 @@ all:
       hosts:
         master.ipa.test:
           ansible_host: sssd-wip-ipa
+        master2.ipa2.test:
+          ansible_host: sssd-wip-ipa2
     ldap:
       hosts:
         master.ldap.test:
diff --git a/src/ansible/roles/cleanup/tasks/main.yml b/src/ansible/roles/cleanup/tasks/main.yml
index 58c032c1..2c3c35a4 100644
--- a/src/ansible/roles/cleanup/tasks/main.yml
+++ b/src/ansible/roles/cleanup/tasks/main.yml
@@ -7,7 +7,7 @@
 
 - name: Remove 389ds database to make image smaller
   shell: rm -f /var/lib/dirsrv/slapd-IPA-TEST/db/__db.*
-  when: inventory_hostname == 'master.ipa.test' or inventory_hostname == 'ipa-devel'
+  when: inventory_hostname in groups["ipa"] or inventory_hostname == 'ipa-devel'
 
 - name: Minimize LDAP service container
   block:
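Review bot: The new ipa2 service appears to be a hand-copied duplicate of the ipa service (only ipa's trailing `networks:` lines are visible in the hunk, so this is inferred from the matching shape), including the broad capability set (`SYS_ADMIN`, `SYS_PTRACE`, `NET_ADMIN`) and `apparmor=unconfined`/`seccomp=unconfined`. Two independently maintained copies of that privileged configuration mean a later tightening of one container's sandbox will silently not reach the other. A compose extension field (a constructed name such as `x-ipa-common: &ipa-common` holding the shared keys, then `<<: *ipa-common` in both services with only image, container_name, hostname and address per service) keeps them in step; if the lab deliberately keeps both relaxed, a comment above the block, `# privileges mirror the ipa service; change both together`, at least makes the coupling visible.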
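Review bot: The `when:` on the 389-ds cleanup task is widened to every host in groups["ipa"], but the `shell:` line it guards still removes only `/var/lib/dirsrv/slapd-IPA-TEST/db/__db.*`, the instance of the first realm; FreeIPA names the instance after the realm, so on master2.ipa2.test the directory should be `slapd-IPA2-TEST`, the glob matches nothing, `rm -f` exits 0 and the database files stay in the ipa2 image this task exists to shrink. Matching any instance, `shell: rm -f /var/lib/dirsrv/slapd-*/db/__db.*`, covers both servers without hard-coding a realm. The same hostname-to-group widening in the second hunk of this file is fine because the `/var/lib/sss` paths are realm-independent.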
@@ -29,4 +29,4 @@
 
 - name: Remove SSSD's database and logs
   shell: rm -f /var/lib/sss/db/* /var/lib/sss/mc/* /var/log/sssd/*
-  when: inventory_hostname == 'client.test' or inventory_hostname == 'master.ipa.test'
+  when: inventory_hostname in groups["client"] or inventory_hostname in groups["ipa"]
diff --git a/src/ansible/roles/dns/templates/etc.dnsmasq.conf.j2 b/src/ansible/roles/dns/templates/etc.dnsmasq.conf.j2
index 8f1a51be..048ea69a 100644
--- a/src/ansible/roles/dns/templates/etc.dnsmasq.conf.j2
+++ b/src/ansible/roles/dns/templates/etc.dnsmasq.conf.j2
@@ -13,9 +13,9 @@ domain=test
 cache-size=0
 
 # These zones have their own DNS server
-{% if 'master.ipa.test' in hostvars %}
-server=/ipa.test/{{ hostvars['master.ipa.test']['ansible_facts']['default_ipv4']['address'] }}
-{% endif %}
+{% for host in groups['ipa'] %}
+server=/{{ hostvars[host]['ansible_facts']['domain'] }}/{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }}
+{% endfor %}
 {% if 'dc.samba.test' in hostvars %}
 server=/samba.test/{{ hostvars['dc.samba.test']['ansible_facts']['default_ipv4']['address'] }}
 {% endif %}
@@ -28,7 +28,9 @@ server=/{{ hostvars[ad]['ansible_facts']['windows_domain'] }}/{{ hostvars[ad]['a
 {% endif %}
 
 # Add reverse zones for artificial hosts in IPA domain
+{% if 'master.ipa.test' in hostvars %}
 server=/251.255.10.in-addr.arpa/{{ hostvars['master.ipa.test']['ansible_facts']['default_ipv4']['address'] }}
+{% endif %}
 
 # Add SRV record for LDAP
 {% if 'master.ldap.test' in hostvars %}
@@ -51,4 +53,4 @@ ptr-record={{ hostvars[host]['ansible_facts']['default_ipv4']['address'].split('
 {% elif hostvars[host].ansible_system == 'Win32NT' %}
 ptr-record={{ hostvars[host]['ansible_facts']['ip_addresses'][0].split('.') | reverse | join(".") }}.in-addr.arpa,{{ host }}
 {% endif %}
-{% endfor %}
\ No newline at end of file
+{% endfor %}
diff --git a/src/ansible/roles/ipa/tasks/main.yml b/src/ansible/roles/ipa/tasks/main.yml
index 186cdd8a..1631fd28 100644
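Review bot: The new `{% for host in groups['ipa'] %}` loop in the first dnsmasq template hunk has no guard for the group being absent, whereas the lines it replaces first checked `'master.ipa.test' in hostvars`, and the ipa role in this same patch guards `'"samba" in groups and groups["samba"]'` before touching those groups. With Ansible's default strict handling of undefined variables a missing `groups['ipa']` should turn into a template error for the whole dns role, so an inventory with no IPA hosts, which the old `if` tolerated, would stop rendering; `{% for host in groups['ipa'] | default([]) %}` keeps the previous tolerance. The per-host `ansible_facts['domain']` and `default_ipv4` lookups also require facts to have been gathered for every member of the group, not just the primary; the earlier version had the same dependency for master.ipa.test, so that is worth a short comment above the loop rather than a code change.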
--- a/src/ansible/roles/ipa/tasks/main.yml
+++ b/src/ansible/roles/ipa/tasks/main.yml
@@ -110,6 +110,7 @@
     ipa --no-prompt dnszone-add --name-from-ip 10.255.251.0/24
   args:
     stdin: '{{ ipa_password }}'
+  when: inventory_hostname == 'master.ipa.test'
 
 - name: 'Check trust with other domains'
   shell: |
@@ -144,6 +145,7 @@
     - '"samba" in groups and groups["samba"]'
     - join_samba
     - trust_ipa_samba
+    - inventory_hostname != 'master2.ipa2.test'
 
 - name: 'Setup trust with AD'
   block:
@@ -167,6 +169,8 @@
       when:
         - 'ad_domain not in trust.stdout'
         - not trust_ipa_ad_two_way
+        - inventory_hostname != 'master2.ipa2.test'
+
     - name: Run ipa trust-add (two-way)
       shell: |
         kinit admin
@@ -182,3 +186,4 @@
     - '"ad" in groups and groups["ad"]'
     - join_ad
     - trust_ipa_ad
+    - inventory_hostname != 'master2.ipa2.test'
diff --git a/src/build.sh b/src/build.sh
index 0014303f..f832ec51 100755
--- a/src/build.sh
+++ b/src/build.sh
@@ -140,6 +140,7 @@ ansible-playbook $ANSIBLE_OPTS ./ansible/playbook_image_service.yml
 compose stop
 build_service_image sssd-wip-client client
 build_service_image sssd-wip-ipa ipa
+build_service_image sssd-wip-ipa2 ipa2
 build_service_image sssd-wip-ldap ldap
 build_service_image sssd-wip-samba samba
 build_service_image sssd-wip-nfs nfs
diff --git a/src/docker-compose.build.yml b/src/docker-compose.build.yml
index 22211d28..a94c6011 100644
--- a/src/docker-compose.build.yml
+++ b/src/docker-compose.build.yml
@@ -5,6 +5,9 @@ services:
   ipa:
     image: localhost/sssd/ci-base-ipa:${TAG}
     container_name: sssd-wip-ipa
+  ipa2:
+    image: localhost/sssd/ci-base-ipa:${TAG}
+    container_name: sssd-wip-ipa2
   ldap:
     image: localhost/sssd/ci-base-ldap:${TAG}
     container_name: sssd-wip-ldap
diff --git a/src/push.sh b/src/push.sh
index 9c70d616..fc4eeeb1 100755
--- a/src/push.sh
+++ b/src/push.sh
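Review bot: The new guards compare `inventory_hostname` against literal hostnames — `when: inventory_hostname == 'master.ipa.test'` on the dnszone-add task in the first hunk and `- inventory_hostname != 'master2.ipa2.test'` in the three later hunks of this file (Samba trust, AD one-way trust, AD two-way trust) — while the rest of the patch moved the cleanup role and the dns template from hostname literals to group membership. Four copies of a hostname literal will drift as soon as a third server or a rename arrives, and nothing states why master2 is kept out of the Samba and AD trusts. A host variable set in inventory.yml for the primary (a constructed name such as `ipa_primary: true`, or a dedicated group) would let every condition read `when: ipa_primary | default(false)` and document the intent once; the tasks that enclose these `when:` lists start outside the hunks. Separately, the commit subject promises an IPA–IPA trust, but no task in this diff establishes one, so if that is done elsewhere a pointer to it in the role would help.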
@@ -66,6 +66,7 @@ push ci-dns latest ""
 push ci-client "$TAG" "$EXTRA_TAGS"
 push ci-client-devel "$TAG" "$EXTRA_TAGS"
 push ci-ipa "$TAG" "$EXTRA_TAGS"
+push ci-ipa2 "$TAG" "$EXTRA_TAGS"
 push ci-ipa-devel "$TAG" "$EXTRA_TAGS"
 push ci-ldap "$TAG" "$EXTRA_TAGS"
 push ci-samba "$TAG" "$EXTRA_TAGS"
diff --git a/src/tools/gen-ssh-keys.sh b/src/tools/gen-ssh-keys.sh
index 395aa1de..3dfd518d 100755
--- a/src/tools/gen-ssh-keys.sh
+++ b/src/tools/gen-ssh-keys.sh
@@ -17,7 +17,7 @@ mkdir -p $OUT
 mkdir -p $OUT/hosts
 
 for name in client.test dc.samba.test dns.test kdc.test \
-            master.ipa.test master.keycloak.test master.ldap.test nfs.test; do
+            master.ipa.test master2.ipa2.test master.keycloak.test master.ldap.test nfs.test; do
   for type in ecdsa ed25519 rsa; do
     ssh-keygen -C "Well known key for sssd-ci." -t $type -f "$OUT/hosts/$name.${type}_key" -N "" <<< y
   done
diff --git a/src/tools/setup-dns-files.sh b/src/tools/setup-dns-files.sh
index 056d8b1f..724b1423 100755
--- a/src/tools/setup-dns-files.sh
+++ b/src/tools/setup-dns-files.sh
@@ -17,6 +17,7 @@ sed -i '/client.test/d' /etc/hosts
 sed -i '/nfs.test/d' /etc/hosts
 sed -i '/kdc.test/d' /etc/hosts
 sed -i '/dc.ad.test/d' /etc/hosts
+sed -i '/master2.ipa2.test/d' /etc/hosts
 
 # Append the lines
 echo "172.16.100.10 master.ipa.test" >> /etc/hosts
@@ -26,3 +27,4 @@ echo "172.16.100.40 client.test" >> /etc/hosts
 echo "172.16.100.50 nfs.test" >> /etc/hosts
 echo "172.16.100.60 kdc.test" >> /etc/hosts
 echo "172.16.200.10 dc.ad.test" >> /etc/hosts
+echo "172.16.100.11 master2.ipa2.test" >> /etc/hosts