From eef1f1ce120f51f96d00d031eba4cdcc7ec74ceb Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter <georg.pfuetzenreuter@suse.com>
Date: Jun 02 2025 13:07:53 +0000
Subject: Initialize kani-ext-dev


VMs, reverse proxy and certificates to house a test environment for
external Kanidm.

Signed-off-by: Georg Pfuetzenreuter <georg.pfuetzenreuter@suse.com>

---

diff --git a/pillar/cluster/hel/init.sls b/pillar/cluster/hel/init.sls
index f716f2d..5c40880 100644
--- a/pillar/cluster/hel/init.sls
+++ b/pillar/cluster/hel/init.sls
@@ -24,26 +24,31 @@ haproxy:
         {{ bind(bind_v6, 443, 'v6only tfo alpn h2,http/1.1 npn h2,http/1.1 ssl crt /etc/ssl/services/') }}
       acls:
         - host_idm         hdr(host)    idm.infra.opensuse.org
+        - host_idm_ext_dev hdr(host)    idm-ext-dev.infra.opensuse.org
         - host_netbox      hdr(host)    netbox.infra.opensuse.org
       use_backends:
         - kanidm           if host_idm
+        - kanidm-ext-dev   if host_idm_ext_dev
         - netbox           if host_netbox
 
   backends:
-    kanidm:
+    {%- for suffix in ['', '-ext-dev'] %}
+    kanidm{{ suffix }}:
       balance: source
       hashtype: consistent
       mode: http
       options:
         - httpchk
-      {{ httpcheck('idm.infra.opensuse.org', 200, '/status', tls=True) }}
+      {{ httpcheck('idm' ~ suffix ~ '.infra.opensuse.org', 200, '/status', tls=True) }}
       servers:
+        {%- set s = 'kani' ~ suffix %}
         {%- for i in [1, 2] %}
-        {{ server('kani' ~ i, 'kani' ~ i ~ '.infra.opensuse.org', 443,
+        {{ server(s ~ i, s ~ i ~ '.infra.opensuse.org', 443,
                     extra_extra='ssl verify required ca-file ' ~ heroes_ca,
                     header=False
                   ) }}
         {%- endfor %}
+    {%- endfor %}
 
     netbox:
       mode: http
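Review bot: The new `host_idm_ext_dev` ACL and `use_backends` entry route a development/test identity provider through the same 443 listener as production `idm`, with nothing but the Host header distinguishing the two; if that listener is public, the dev instance becomes reachable from anywhere production is. If that exposure is intended, a comment on the ACL line such as `# idm-ext-dev: test instance, deliberately served from the production frontend` would record the decision for the next reader; if not, an allow-list ACL on the dev route would be the place to restrict it. The derived names in the loop (`'idm' ~ suffix`, `'kani' ~ suffix ~ i`) do line up with the certificate and host entries added elsewhere in this commit. The enclosing `haproxy:` mapping starts before this hunk.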
diff --git a/pillar/id/kani-ext-dev1_infra_opensuse_org.sls b/pillar/id/kani-ext-dev1_infra_opensuse_org.sls
new file mode 100644
index 0000000..4b5bb65
--- /dev/null
+++ b/pillar/id/kani-ext-dev1_infra_opensuse_org.sls
@@ -0,0 +1,18 @@
+grains:
+  site: prg2
+  hostusage:
+    - Kanidm (External)
+    - Development
+  reboot_safe: yes
+  aliases: []
+  description: External identity provider and authentication service (development/test environment)
+  documentation:
+    - https://kanidm.com/
+    - https://kanidm.github.io/kanidm/stable/
+  responsible:
+    - firstyear
+  partners:
+    - kani-ext-dev2.infra.opensuse.org
+  weburls: []
+roles:
+  - kanidm-server.external
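Review bot: `reboot_safe: yes` relies on YAML 1.1 boolean coercion of the plain scalar `yes`; Salt's PyYAML-based loader accepts it today, but a 1.2-conformant parser would hand the pillar the string `"yes"` instead of a boolean, and yamllint's `truthy` rule flags it. Writing `reboot_safe: true` is unambiguous across parsers and tooling. The same line appears in the sibling file `pillar/id/kani-ext-dev2_infra_opensuse_org.sls` in this commit.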
diff --git a/pillar/id/kani-ext-dev2_infra_opensuse_org.sls b/pillar/id/kani-ext-dev2_infra_opensuse_org.sls
new file mode 100644
index 0000000..ab8cda1
--- /dev/null
+++ b/pillar/id/kani-ext-dev2_infra_opensuse_org.sls
@@ -0,0 +1,18 @@
+grains:
+  site: prg2
+  hostusage:
+    - Kanidm (External)
+    - Development
+  reboot_safe: yes
+  aliases: []
+  description: External identity provider and authentication service (development/test environment)
+  documentation:
+    - https://kanidm.com/
+    - https://kanidm.github.io/kanidm/stable/
+  responsible:
+    - firstyear
+  partners:
+    - kani-ext-dev1.infra.opensuse.org
+  weburls: []
+roles:
+  - kanidm-server.external
diff --git a/pillar/infra/certificates/heroes.yaml b/pillar/infra/certificates/heroes.yaml
index 9ad9eb6..e08e2d6 100644
--- a/pillar/infra/certificates/heroes.yaml
+++ b/pillar/infra/certificates/heroes.yaml
@@ -39,11 +39,24 @@ hel.infra.opensuse.org:
     - macro: hel
       services:
         - pgbouncer
+idm-ext-dev.infra.opensuse.org:
+  targets:
+    - macro: hel
 idm.infra.opensuse.org:
   sans:
     - ldap.infra.opensuse.org
   targets:
     - macro: hel
+kani-ext-dev1.infra.opensuse.org:
+  targets:
+    - host: kani-ext-dev1
+      services:
+        - kanidmd
+kani-ext-dev2.infra.opensuse.org:
+  targets:
+    - host: kani-ext-dev2
+      services:
+        - kanidmd
 kani1.infra.opensuse.org:
   targets:
     - host: kani1
diff --git a/pillar/infra/hosts.yaml b/pillar/infra/hosts.yaml
index c73322b..a0211c3 100644
--- a/pillar/infra/hosts.yaml
+++ b/pillar/infra/hosts.yaml
@@ -410,6 +410,28 @@ jekyll:
   legacy_boot: true
   ram: 3072MB
   vcpu: 2
+kani-ext-dev1:
+  cluster: falkor
+  disks:
+    root: 3600a09803831494f635d554b39503144
+  interfaces:
+    os-kani-dev:
+      ip6: 2a07:de40:b27e:1216::a/64
+      mac: 6a:62:c0:08:91:13
+      source: x-os-kani-dev
+  ram: 2048MB
+  vcpu: 1
+kani-ext-dev2:
+  cluster: falkor
+  disks:
+    root: 3600a09803831494f635d554b39503145
+  interfaces:
+    os-kani-dev:
+      ip6: 2a07:de40:b27e:1216::b/64
+      mac: 6a:62:c0:08:91:14
+      source: x-os-kani-dev
+  ram: 2048MB
+  vcpu: 1
 kani-test:
   cluster: falkor
   disks:
diff --git a/pillar/role/kanidm-server/external.sls b/pillar/role/kanidm-server/external.sls
new file mode 100644
index 0000000..9a34375
--- /dev/null
+++ b/pillar/role/kanidm-server/external.sls
@@ -0,0 +1,2 @@
+include:
+  - role.common.kanidm-server
diff --git a/salt/role/kanidm-server/external.sls b/salt/role/kanidm-server/external.sls
new file mode 100644
index 0000000..a98f223
--- /dev/null
+++ b/salt/role/kanidm-server/external.sls
@@ -0,0 +1 @@
+# empty :-(
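Review bot: The only content of the new state file is `# empty :-(`, which tells a maintainer nothing about whether the emptiness is intentional or a stub awaiting states; presumably the role's actual states come from the common Kanidm role that the matching pillar file includes, but that is not visible here. A comment stating the intent, for example `# Intentionally empty: no external-specific states yet; the shared Kanidm states come from the common role` (adjusted to wherever the states really live), would make the file self-explaining and stop it from looking like a forgotten placeholder.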