[WIP] ipa-keycloak: Test IPA-Keycloak integration with Github Action #25

Open
wants to merge 1 commit into
base: main

rjeffman
Member

@rjeffman rjeffman commented May 13, 2025

This GitHub workflow uses FreeIPA-Cluster-Test to run a simple login test against the IPA-Keycloak integration environment.

Summary by Sourcery

Introduce a GitHub Actions workflow to automate IPA-Keycloak integration testing and a minimal FreeIPA demo environment with automated provisioning, configuration, and artifact handling.

New Features:

  • Add test-ipa-keycloak job to provision a FreeIPA cluster, configure Keycloak as an OIDC IDP, and tear down the environment
  • Add minimal-demo job to build a minimal container image, deploy a FreeIPA environment, and record or collect demo artifacts

CI:

  • Configure workflow concurrency to cancel in-progress runs on new pushes
  • Add conditional steps to collect and upload server logs on failures and demo recordings on success


@sourcery-ai sourcery-ai bot left a comment

Hey @rjeffman - I've reviewed your changes - here's some feedback:

  • Avoid hard-coding the OIDC client secret and user password in the workflow—pull them from GitHub Secrets instead.
  • Either implement the headless OIDC login steps for jdoe or remove the commented placeholders to keep the workflow runnable end-to-end.
  • The minimal-demo job sources venv/bin/activate without creating the virtual environment—add a step to set up and install dependencies into the venv first.
Here's what I looked at during the review
  • 🟢 General issues: all looks good
  • 🟢 Security: all looks good
  • 🟢 Testing: all looks good
  • 🟢 Complexity: all looks good
  • 🟢 Documentation: all looks good


@rjeffman
Member Author

@f-trivino, this is an unfinished example for testing IPA-Keycloak using the GitHub Action.

Any help filling in the missing steps is very welcome.

@rjeffman rjeffman force-pushed the ipa_keycloak_action branch from c1b509d to b384ee4 Compare May 13, 2025 23:34
This Github workflow uses FreeIPA-Cluster-Test to run a simple login
test against the IPA-Keycloak integration environment.

Signed-off-by: Rafael Guterres Jeffman <[email protected]>
@rjeffman rjeffman force-pushed the ipa_keycloak_action branch from b384ee4 to 543d8f5 Compare May 13, 2025 23:35
@abbra
Collaborator

abbra commented May 14, 2025

@rjeffman keycloak container has no python, so you cannot use ansible. We probably need to extend the container to include python.

@rjeffman
Member Author

@abbra this container cannot be easily extended, and I don't actually want to extend it, as it is the official keycloak container. I was even thinking of mounting the conf directory as a volume.

It's probably a bug in the FreeIPA-Cluster-Test action.

@abbra
Collaborator

abbra commented May 18, 2025

@rjeffman The issue here is that we don't know which host is really built with a version that requires running a script. For example, in this topology we only need to run it on the server host (IPA server) and not on keycloak.

Perhaps one can inspect podman to see if there is an unknown init and skip that one? We only care about /sbin/init because this is what would allow systemd to run.
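
One way to make the check suggested in the comment above, added here as an example and not code from this PR or from FreeIPA-Cluster-Test: it reads `podman inspect` JSON and keeps only the containers whose first process is `/sbin/init`. The container names and sample data are constructed, and the fallback to `Config.Entrypoint`/`Config.Cmd` when `Path` is empty is an assumption.

```python
import json
import subprocess

# Init binary named in the thread; containers started with anything else are skipped.
SYSTEMD_INIT = "/sbin/init"


def as_argv(value):
    """Normalise an Entrypoint/Cmd value (None, string or list) to a list."""
    if not value:
        return []
    return value.split() if isinstance(value, str) else list(value)


def first_process(entry):
    """Return the executable one inspected container starts with, or None."""
    if entry.get("Path"):
        return entry["Path"]
    # Assumed fallback: rebuild the command line from the image configuration.
    config = entry.get("Config") or {}
    argv = as_argv(config.get("Entrypoint")) + as_argv(config.get("Cmd"))
    return argv[0] if argv else None


def hosts_running_init(inspect_data):
    """Names of the containers whose first process is /sbin/init."""
    return [entry.get("Name", "").lstrip("/")
            for entry in inspect_data
            if first_process(entry) == SYSTEMD_INIT]


def inspect_containers(names):
    """Run `podman inspect` on the named containers and parse its JSON array."""
    result = subprocess.run(["podman", "inspect", *names],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


# Constructed sample shaped like `podman inspect` output, trimmed to the fields used.
SAMPLE = json.loads("""
[
  {"Name": "server", "Path": "/sbin/init", "Args": []},
  {"Name": "keycloak", "Path": "/opt/keycloak/bin/kc.sh", "Args": ["start-dev"]},
  {"Name": "client", "Config": {"Entrypoint": null, "Cmd": ["/sbin/init"]}}
]
""")

if __name__ == "__main__":
    print(hosts_running_init(SAMPLE))
```

On a live topology, pass the result of `inspect_containers([...])` to `hosts_running_init` instead of `SAMPLE`.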
