From e4d31a189156ef29921e0da025a0d69586056101 Mon Sep 17 00:00:00 2001 From: Lenka Segura Date: Mon, 7 Apr 2025 13:05:10 +0200 Subject: [PATCH] Add changes and guide for local toddler testing on tiny-stage Signed-off-by: Lenka Segura --- README.rst | 87 ++++++++++++++++++++-- ansible/roles/ipa-client/defaults/main.yml | 6 ++ ansible/roles/ipa-client/tasks/main.yml | 45 +++++++++++ ansible/roles/ipa-keytab/defaults/main.yml | 9 +++ ansible/roles/ipa-keytab/tasks/main.yml | 34 +++++++++ ansible/roles/toddlers/files/krb5.conf | 2 + 6 files changed, 176 insertions(+), 7 deletions(-) create mode 100644 ansible/roles/ipa-client/defaults/main.yml create mode 100644 ansible/roles/ipa-client/tasks/main.yml create mode 100644 ansible/roles/ipa-keytab/defaults/main.yml create mode 100644 ansible/roles/ipa-keytab/tasks/main.yml create mode 100644 ansible/roles/toddlers/files/krb5.conf diff --git a/README.rst b/README.rst index a622d4f..9800edf 100644 --- a/README.rst +++ b/README.rst @@ -114,10 +114,10 @@ How to run the tests? tox -How to test a single toddler locally? ------------------------------ +How to test a single toddler locally +------------------------------------- -Best way to test a toddler locally is to replay a message that triggers the toddler. +The best way to test a toddler locally is to replay a message that triggers the toddler. Fedora-messaging has a replay and reconsume commands since version 3.7 - Make sure you have fedora-messaging 3.7 or older and upgrade if necessary: 
@@ -131,25 +131,98 @@ Fedora-messaging has a replay and reconsume commands since version 3.7 :: - http get https://apps.fedoraproject.org./datagrepper/v2/search topic== delta== + http get https://apps.fedoraproject.org./datagrepper/v2/search \ + topic== delta== Example command for search of messages in topic org.fedoraproject.prod.fas.group.member.removed sent in the last day: :: - http get https://apps.fedoraproject.org/datagrepper/v2/search topic==org.fedoraproject.prod.fas.groups.member.removed delta==86400 + http get https://apps.fedoraproject.org/datagrepper/v2/search \ + topic==org.fedoraproject.prod.fas.groups.member.removed delta==86400 - Get the message ID and supply it to the fedora-messaging reconsume command, with local config: :: - poetry run fedora-messaging reconsume --conf toddlers.toml --callback toddlers.plugins.: + poetry run fedora-messaging reconsume --conf toddlers.toml \ + --callback toddlers.plugins.: Example command: :: - poetry run fedora-messaging reconsume --callback toddlers.plugins.cleaning_packager_groups:CleanPackagerGroups e7c3f150-3695-4502-b7ca-4ced7fe14a21 + poetry run fedora-messaging reconsume --conf toddlers.toml \ + --callback toddlers.plugins.cleaning_packager_groups:CleanPackagerGroups \ + e7c3f150-3695-4502-b7ca-4ced7fe14a21 + + +How to test with tiny-stage +---------------------------- + +The toddler cleaning_packager_groups uses `ipalib` freeipa library, +which makes local testing sligthly complex. +It's a good idea to use [tiny-stage](https://github.com/fedora-infra/tiny-stage). 
+Here's how to set it up:
+
+Clone the tiny-stage repo and run following VMs:
+
+::
+
+   vagrant up tinystage ipa auth tiny-stage datagrepper src
+
+Run the toddlers vagrant:
+
+::
+
+   vagrant up
+
+Point Vagrant's host name to toddlers.dev.tinystage.test:
+
+::
+
+   toddlers.vm.host_name = "toddlers.dev.tinystage.test"
+
+Make changes in toddlers.toml for toddlers VM to see the tiny-stage environment:
+
+::
+
+   amqp_url = "amqp://fedoramessages:fedoramessages@tinystage.tinystage.test"
+
+Redirect urls to point to tiny-stage environment:
+
+::
+
+   fas_url = "https://fasjson.tinystage.test/fasjson/"
+   fas_username = "williamyoung"
+   fas_password = "password"
+
+   dist_git_url = "http://src.tinystage.test"
+   dist_git_token = ""
+
+Tiny-stage webUIs are accesible at the following urls:
+
+::
+
+   webui for noggin:
+   https://auth.tinystage.test/noggin/
+   webui for distgit:
+   http://src.tinystage.test/
+   webui for ipa:
+   https://ipa.tinystage.test/ipa/ui/
+   webui for datagrepper:
+   http://datagrepper.tinystage.test:5000/
+
+Create an API token on distgit and fill it in the previous step.
+
+Make the fedora-messages consumer listen to messages from the toddlers vagrant:
+
+::
+
+   poetry run fedora-messaging --conf toddlers.toml consume --callback toddlers.plugins.
+   cleaning_packager_groups:CleanPackagerGroups
+
+Trigger the toddler by making changes in the webUIs.
 Developing with Vagrant
diff --git a/ansible/roles/ipa-client/defaults/main.yml b/ansible/roles/ipa-client/defaults/main.yml
new file mode 100644
index 0000000..31468a7
--- /dev/null
+++ b/ansible/roles/ipa-client/defaults/main.yml
@@ -0,0 +1,6 @@
+ipa_admin_user: admin
+ipa_admin_password: password
+krb_master_password: "{{ ipa_admin_password }}"
+krb_realm: "{{ ansible_domain | upper }}"
+python_exec: python
+python_run_dir: null
diff --git a/ansible/roles/ipa-client/tasks/main.yml b/ansible/roles/ipa-client/tasks/main.yml
new file mode 100644
index 0000000..0b98899
--- /dev/null
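Review bot: `ipa_admin_password: password` ships a committed, working admin credential as the role default, and `krb_master_password` inherits the same value; since the ipa-client tasks pass this variable to `ipa-client-install -w`, any host where the caller forgets to override it enrolls with the public default. For a tiny-stage-only role that may be intended, but the defaults file should say so, and a real inventory must set it from vault rather than rely on this. I'd add `# Dev-only default for tiny-stage; override from an encrypted inventory for anything reachable.` above the password line, or drop the default entirely so a missing override fails fast. Whether `chdir: "{{ python_run_dir }}"` in the tasks file is harmless with this `null` default depends on Ansible rendering `None` as an empty string — a one-line comment on `python_run_dir` stating what callers are expected to set would remove the guesswork.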
+++ b/ansible/roles/ipa-client/tasks/main.yml
@@ -0,0 +1,45 @@
+---
+- name: Install RPM packages
+  dnf:
+    name:
+      - ipa-client
+    state: present
+
+- name: Install python-certifi
+  dnf:
+    name:
+      - python3-certifi
+    state: present
+  when: "python_exec in ('python', 'python3')"
+
+- name: Enroll system as IPA client
+  shell: |
+    ipa-client-install \
+      --hostname {{ ansible_fqdn }} \
+      --domain {{ ansible_domain }} \
+      --realm {{ krb_realm }} \
+      --server ipa.{{ ansible_domain }} \
+      -p {{ ipa_admin_user }} \
+      -w {{ ipa_admin_password }} \
+      -U -N --force-join
+  args:
+    creates: /etc/ipa/default.conf
+
+# Add Tinystage's root CA to certifi's bundle
+
+- name: Find where certifi's CA bundle is located
+  command:
+    cmd: "{{ python_exec }} -c 'import certifi; print(certifi.where())'"
+    chdir: "{{ python_run_dir }}"
+  register: _ca_bundle_path
+  changed_when: False
+
+- name: Get the content of the CA cert
+  slurp:
+    src: /etc/ipa/ca.crt
+  register: ca_crt
+
+- name: Put tinystage root CA in the list of CA's for certifi
+  blockinfile:
+    block: "{{ ca_crt.content | b64decode }}"
+    path: "{{ _ca_bundle_path.stdout }}"
diff --git a/ansible/roles/ipa-keytab/defaults/main.yml b/ansible/roles/ipa-keytab/defaults/main.yml
new file mode 100644
index 0000000..00273d6
--- /dev/null
+++ b/ansible/roles/ipa-keytab/defaults/main.yml
@@ -0,0 +1,9 @@
+krb_service: HTTP
+krb_host_fqdn: "{{ ansible_fqdn }}"
+keytab_directory: /etc
+keytab_path: "{{ keytab_directory }}/{{ krb_service }}.keytab"
+keytab_owner: root
+keytab_group: root
+ipa_admin_user: admin
+ipa_admin_password: password
+krb_realm: "{{ ansible_domain | upper }}"
diff --git a/ansible/roles/ipa-keytab/tasks/main.yml b/ansible/roles/ipa-keytab/tasks/main.yml
new file mode 100644
index 0000000..2cc255d
--- /dev/null
+++ b/ansible/roles/ipa-keytab/tasks/main.yml
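Review bot: The "Enroll system as IPA client" task interpolates `{{ ipa_admin_password }}` into a shell command line without `no_log: true`, so the admin password lands in Ansible's task output and log files and is visible in `ps` on the target while `ipa-client-install` runs; add `no_log: true` to that task (the existing `creates:` still makes it idempotent). Appending the tiny-stage CA to certifi's bundle with `blockinfile` is silently undone the next time `python3-certifi` is updated, and it makes every Python TLS client on the host trust that CA, so the `# Add Tinystage's root CA` comment should say both: `# Dev only: certifi's bundle is replaced on package update, re-run this play afterwards.` Minor: `changed_when: False` should be lowercase `false` to satisfy yamllint's truthy rule.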
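Review bot: `ipa_admin_user` and `ipa_admin_password: password` are redefined here with the same committed default as `ipa-client/defaults/main.yml`, so an inventory that overrides one role's variable but not the other silently runs `kinit` with the public default. Both roles need the same credential, so define it once (a group var with no default) and let each role fail on an undefined variable rather than carry its own fallback. `keytab_path` defaults to `/etc/HTTP.keytab` while the added `krb5.conf` points clients at `/etc/toddlers.keytab`; presumably the playbook overrides `keytab_path`, but a comment would spare the next reader the guess: `# Override keytab_path to match default_client_keytab_name in the consumer's krb5.conf.`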
@@ -0,0 +1,34 @@
+---
+- name: Install RPM packages
+  dnf:
+    name:
+      - krb5-workstation
+    state: present
+
+- name: kinit
+  shell: echo "{{ ipa_admin_password }}" | kinit {{ ipa_admin_user }}@{{ krb_realm }}
+
+- name: Create the service in IPA
+  command: ipa service-add --force {{ krb_service | upper }}/{{ krb_host_fqdn }}
+  register: service_add_result
+  changed_when: "'Added service' in service_add_result.stdout"
+  failed_when: "not ('Added service' in service_add_result.stdout or 'already exists' in service_add_result.stderr)"
+
+- name: Allow the host to manage the virtual service
+  shell: ipa service-add-host --hosts={{ ansible_fqdn }} {{ krb_service | upper }}/{{ krb_host_fqdn }}
+  when: krb_host_fqdn != ansible_fqdn
+  register: result
+  changed_when: '"Number of members added 1" in result.stdout'
+  failed_when: '(ansible_fqdn + ": This entry is already a member") not in result.stdout and result.rc != 0'
+
+- name: Get service keytab
+  shell: ipa-getkeytab -p {{ krb_service | upper }}/{{ krb_host_fqdn }}@{{ krb_realm }} -k {{ keytab_path }}
+  args:
+    creates: "{{ keytab_path }}"
+
+- name: Set the correct permissions on keytab
+  file:
+    path: "{{ keytab_path }}"
+    owner: "{{ keytab_owner }}"
+    group: "{{ keytab_group }}"
+    mode: 0640
diff --git a/ansible/roles/toddlers/files/krb5.conf b/ansible/roles/toddlers/files/krb5.conf
new file mode 100644
index 0000000..5ac933f
--- /dev/null
+++ b/ansible/roles/toddlers/files/krb5.conf
@@ -0,0 +1,2 @@
+[libdefaults]
+default_client_keytab_name = FILE:/etc/toddlers.keytab
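Review bot: The `kinit` task pipes the admin password through `echo` inside a shell, so it appears in the `sh -c` argv on the target and in Ansible's output (there is no `no_log`), and with no `changed_when` the task reports changed on every run; `kinit` reads the password from stdin, so the command module's `stdin` argument does the same job without a shell or a visible argument. The admin TGT obtained here is also never discarded — nothing calls `kdestroy` — so every host this role runs on keeps a live IPA admin ticket in root's credential cache until it expires; a final `kdestroy` task closes that window. Minor: `mode: 0640` is only read as octal because of the leading zero; quoting it as `"0640"` is the Ansible convention and avoids YAML 1.1 integer surprises.
```yaml
- name: kinit
  command: kinit {{ ipa_admin_user }}@{{ krb_realm }}
  args:
    stdin: "{{ ipa_admin_password }}"
  no_log: true
  changed_when: false

# … unchanged: service-add, service-add-host, ipa-getkeytab, keytab permissions …

- name: Drop the admin ticket obtained for this role
  command: kdestroy
  changed_when: false
```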
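Review bot: `default_client_keytab_name = FILE:/etc/toddlers.keytab` assumes a keytab that the ipa-keytab role only writes if `keytab_path` is overridden from its `/etc/HTTP.keytab` default, and that role leaves the file `root:root` `0640`, so a non-root toddlers process can read it only if `keytab_group` is set to its group. Neither override is visible in this patch, so presumably the playbook supplies them; the contract deserves a line in the file itself: `# Written by the ipa-keytab role: keytab_path must match this path and keytab_group must be readable by the toddlers service user.`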