diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Changelog
 
+## [22.2.0](https://github.com/theforeman/puppet-foreman/tree/22.2.0) (2023-02-21)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman/compare/22.1.2...22.2.0)
+
+**Implemented enhancements:**
+
+- Fixes [\#36037](https://projects.theforeman.org/issues/36037) - Manage Redis service for Redis cache [\#1109](https://github.com/theforeman/puppet-foreman/pull/1109) ([ekohl](https://github.com/ekohl))
+- Add basic external auth for API [\#1108](https://github.com/theforeman/puppet-foreman/pull/1108) ([ofedoren](https://github.com/ofedoren))
+- bump puppet/systemd to \< 5.0.0 [\#1104](https://github.com/theforeman/puppet-foreman/pull/1104) ([jhoblitt](https://github.com/jhoblitt))
+
 ## [22.1.2](https://github.com/theforeman/puppet-foreman/tree/22.1.2) (2023-02-01)
 
 [Full Changelog](https://github.com/theforeman/puppet-foreman/compare/22.1.1...22.1.2)

diff --git a/manifests/config.pp b/manifests/config.pp
@@ -20,6 +20,17 @@
     }
   }
 
+  if $foreman::rails_cache_store['type'] == 'redis' {
+    if $foreman::rails_cache_store['urls'] {
+      $redis_cache_urls = prefix($foreman::rails_cache_store['urls'], 'redis://')
+    } else {
+      include redis
+      $redis_cache_urls = ["redis://localhost:${redis::port}/0"]
+    }
+  } else {
+    $redis_cache_urls =  undef
+  }
+
   # Used in the settings template
   $websockets_ssl_cert = pick($foreman::websockets_ssl_cert, $foreman::server_ssl_cert)
   $websockets_ssl_key = pick($foreman::websockets_ssl_key, $foreman::server_ssl_key)
@@ -204,6 +215,10 @@
         ssl_content => template('foreman/auth_gssapi.conf.erb'),
       }
 
+      foreman::config::apache::fragment { 'external_auth_api':
+        ssl_content => template('foreman/external_auth_api.conf.erb'),
+      }
+
       if $foreman::ipa_manage_sssd {
         $sssd = pick(fact('foreman_sssd'), {})
         $sssd_services = join(unique(pick($sssd['services'], []) + ['ifp']), ', ')
@@ -228,6 +243,11 @@
         content => template('foreman/settings-external-auth.yaml.erb'),
         order   => '02',
       }
+
+      foreman::settings_fragment { 'authorize_login_delegation_api.yaml':
+        content => template('foreman/settings-external-auth-api.yaml.erb'),
+        order   => '03',
+      }
     }
   } else {
     $foreman_socket_override = undef

diff --git a/manifests/config/apache.pp b/manifests/config/apache.pp
@@ -234,6 +234,7 @@
 
   if $ipa_authentication {
     include apache::mod::authnz_pam
+    include apache::mod::auth_basic
     include apache::mod::intercept_form_submit
     include apache::mod::lookup_identity
     include apache::mod::auth_gssapi

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -46,6 +46,8 @@
 #
 # $ipa_authentication::           Enable configuration for external authentication via IPA
 #
+# $ipa_authentication_api::       Enable configuration for external authentication via IPA for API
+#
 # === Advanced parameters:
 #
 # $foreman_url::                  URL on which foreman is going to run
@@ -249,6 +251,7 @@
   Optional[String] $initial_organization = undef,
   Optional[String] $initial_location = undef,
   Boolean $ipa_authentication = false,
+  Boolean $ipa_authentication_api = false,
   Optional[Stdlib::Absolutepath] $http_keytab = undef,
   Boolean $gssapi_local_name = true,
   String $pam_service = 'foreman',
@@ -321,6 +324,9 @@
     if $ipa_authentication and $keycloak {
       fail("${facts['networking']['hostname']}: External authentication via IPA and Keycloak are mutually exclusive.")
     }
+    if !$ipa_authentication and $ipa_authentication_api {
+      fail("${facts['networking']['hostname']}: External authentication for API via IPA requires general external authentication to be enabled.")
+    }
   } elsif $ipa_authentication {
     fail("${facts['networking']['hostname']}: External authentication via IPA can only be enabled when Apache is used.")
   } elsif $keycloak {

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "theforeman-foreman",
-  "version": "22.1.2",
+  "version": "22.2.0",
   "author": "theforeman",
   "summary": "Foreman server configuration",
   "license": "GPL-3.0+",
@@ -14,7 +14,7 @@
   "dependencies": [
     {
       "name": "puppet/systemd",
-      "version_requirement": ">= 3.1.0 < 4.0.0"
+      "version_requirement": ">= 3.1.0 < 5.0.0"
     },
     {
       "name": "puppetlabs/apache",

diff --git a/spec/acceptance/foreman_basic_spec.rb b/spec/acceptance/foreman_basic_spec.rb
@@ -1,19 +1,58 @@
 require 'spec_helper_acceptance'
 
-describe 'Scenario: install foreman' do
+describe 'Foreman' do
   before(:context) { purge_foreman }
 
-  it_behaves_like 'an idempotent resource' do
-    let(:manifest) { 'include foreman' }
+  describe 'with default options' do
+    it_behaves_like 'an idempotent resource' do
+      let(:manifest) { 'include foreman' }
+    end
+
+    it_behaves_like 'the foreman application'
+
+    describe package('foreman-journald') do
+      it { is_expected.not_to be_installed }
+    end
+
+    describe package('foreman-telemetry') do
+      it { is_expected.not_to be_installed }
+    end
   end
 
-  it_behaves_like 'the foreman application'
+  describe 'with Redis caching' do
+    it_behaves_like 'an idempotent resource' do
+      let(:manifest) do
+        <<~PUPPET
+        class { 'foreman':
+          rails_cache_store => { 'type' => 'redis' },
+        }
+        PUPPET
+      end
+    end
 
-  describe package('foreman-journald') do
-    it { is_expected.not_to be_installed }
+    it_behaves_like 'the foreman application'
+
+    # TODO: verify it works using the /api/ping endpoint
+    # https://projects.theforeman.org/issues/36113
   end
 
-  describe package('foreman-telemetry') do
-    it { is_expected.not_to be_installed }
+  context 'GSSAPI auth enabled' do
+    before { on default, 'mkdir -p /etc/httpd && touch /etc/httpd/conf.keytab' }
+
+    it_behaves_like 'an idempotent resource' do
+      let(:manifest) do
+        <<-PUPPET
+        class { 'foreman':
+          ipa_authentication     => true,
+          ipa_authentication_api => true,
+          # Stub out ipa enrollment
+          http_keytab            => '/etc/httpd/conf.keytab',
+          ipa_manage_sssd        => false,
+        }
+        PUPPET
+      end
+    end
+
+    it_behaves_like 'the foreman application', { expected_login_url_path: '/users/extlogin' }
   end
 end
diff --git a/spec/acceptance/foreman_cli_plugins_spec.rb b/spec/acceptance/foreman_cli_plugins_spec.rb
@@ -15,24 +15,26 @@ class { 'foreman::cli':
         }
 
         if $facts['os']['family'] == 'RedHat' {
-          include foreman::cli::ansible
           include foreman::cli::azure
+          include foreman::cli::kubevirt
+          include foreman::cli::openscap
         }
+        include foreman::cli::ansible
         include foreman::cli::discovery
+        include foreman::cli::google
+        include foreman::cli::puppet
         include foreman::cli::remote_execution
         include foreman::cli::ssh
         include foreman::cli::tasks
         include foreman::cli::templates
         include foreman::cli::webhooks
-        include foreman::cli::puppet
-        include foreman::cli::google
         PUPPET
       end
     end
 
     it_behaves_like 'hammer'
 
-    ['discovery', 'remote_execution', 'ssh', 'tasks', 'templates', 'webhooks', 'puppet'].each do |plugin|
+    ['ansible', 'discovery', 'google', 'puppet', 'remote_execution', 'ssh', 'tasks', 'templates', 'webhooks'].each do |plugin|
       package_name = case fact('os.family')
                      when 'RedHat'
                        "rubygem-hammer_cli_foreman_#{plugin}"
@@ -46,6 +48,14 @@ class { 'foreman::cli':
         it { is_expected.to be_installed }
       end
     end
+
+    if fact('os.family') == 'RedHat'
+      ['azure_rm', 'kubevirt', 'openscap'].each do |plugin|
+        describe package("rubygem-hammer_cli_foreman_#{plugin}") do
+          it { is_expected.to be_installed }
+        end
+      end
+    end
   end
 
   if fact('os.family') == 'RedHat'
@@ -73,6 +83,7 @@ class { 'foreman::cli':
           }
 
           include foreman::cli::katello
+          include foreman::cli::virt_who_configure
 
           Yumrepo['katello'] -> Class['foreman::cli::katello']
           PUPPET
@@ -81,9 +92,10 @@ class { 'foreman::cli':
 
       it_behaves_like 'hammer'
 
-      package_name = "rubygem-hammer_cli_katello"
-      describe package(package_name) do
-        it { is_expected.to be_installed }
+      ['katello', 'foreman_virt_who_configure'].each do |plugin|
+        describe package("rubygem-hammer_cli_#{plugin}") do
+          it { is_expected.to be_installed }
+        end
       end
     end
   end

diff --git a/spec/classes/foreman_config_ipa_spec.rb b/spec/classes/foreman_config_ipa_spec.rb
@@ -30,6 +30,7 @@
           it { should contain_class('apache::mod::intercept_form_submit') }
           it { should contain_class('apache::mod::lookup_identity') }
           it { should contain_class('apache::mod::auth_gssapi') }
+          it { should contain_class('apache::mod::auth_basic') }
 
           it 'should contain Apache fragments' do
             should contain_foreman__config__apache__fragment('intercept_form_submit')
@@ -41,6 +42,13 @@
               .with_ssl_content(%r{^\s*GssapiCredStore keytab:#{keytab_path}$})
               .with_ssl_content(/^\s*GssapiLocalName On$/)
               .with_ssl_content(/^\s*require pam-account foreman$/)
+
+            should contain_foreman__config__apache__fragment('external_auth_api')
+              .with_ssl_content(/^\s*AuthType Basic$/)
+              .with_ssl_content(/^\s*AuthBasicProvider PAM$/)
+              .with_ssl_content(/^\s*AuthPAMService foreman$/)
+              .with_ssl_content(/^\s*require pam-account foreman$/)
+              .without_ssl_content(/^\s*AuthType GSSAPI/)
           end
 
           context 'with gssapi_local_name=false' do
@@ -52,6 +60,22 @@
             end
           end
 
+          context 'with GSSAPI auth for API' do
+            let(:params) { super().merge(ipa_authentication_api: true) }
+
+            it 'should contain GSSAPI and Basic coniguration in API fragment' do
+              should contain_foreman__config__apache__fragment('external_auth_api')
+                .with_ssl_content(/^\s*AuthType Basic$/)
+                .with_ssl_content(/^\s*AuthBasicProvider PAM$/)
+                .with_ssl_content(/^\s*AuthPAMService foreman$/)
+                .with_ssl_content(/^\s*require pam-account foreman$/)
+                .with_ssl_content(/^\s*AuthType GSSAPI/)
+                .with_ssl_content(/^\s*GssapiCredStore keytab:#{keytab_path}$/)
+                .with_ssl_content(/^\s*GssapiLocalName On$/)
+                .with_ssl_content(/^\s*require pam-account foreman$/)
+            end
+          end
+
           context 'with SELinux' do
             let(:facts) { override_facts(super(), os: {'selinux' => {'enabled' => selinux}}) }
 

diff --git a/spec/classes/foreman_spec.rb b/spec/classes/foreman_spec.rb
@@ -331,12 +331,33 @@
       end
 
       describe 'with rails_cache_store redis' do
+        let(:params) { super().merge(rails_cache_store: { type: "redis" }) }
+        it 'should set rails_cache_store config' do
+          should contain_concat__fragment('foreman_settings+01-header.yaml')
+            .with_content(%r{^:rails_cache_store:\n\s+:type:\s*redis\n\s+:urls:\n\s*- redis://localhost:6379/0\n\s+:options:\n\s+:compress:\s*true\n\s+:namespace:\s*foreman$})
+        end
+        it { is_expected.to contain_package('foreman-redis') }
+
+        describe 'without dynflow managing redis' do
+          let(:params) { super().merge(dynflow_manage_services: false) }
+
+          it { is_expected.to contain_class('redis') }
+        end
+      end
+
+      describe 'with rails_cache_store redis with explicit URL' do
         let(:params) { super().merge(rails_cache_store: { type: "redis", urls: [ "redis.example.com/0" ]}) }
         it 'should set rails_cache_store config' do
           should contain_concat__fragment('foreman_settings+01-header.yaml')
             .with_content(/^:rails_cache_store:\n\s+:type:\s*redis\n\s+:urls:\n\s*- redis:\/\/redis.example.com\/0\n\s+:options:\n\s+:compress:\s*true\n\s+:namespace:\s*foreman$/)
         end
         it { is_expected.to contain_package('foreman-redis') }
+
+        describe 'without dynflow managing redis' do
+          let(:params) { super().merge(dynflow_manage_services: false) }
+
+          it { is_expected.not_to contain_class('redis') }
+        end
       end
 
       describe 'with rails_cache_store redis with options' do

diff --git a/spec/support/acceptance/examples.rb b/spec/support/acceptance/examples.rb
@@ -1,4 +1,4 @@
-shared_examples 'the foreman application' do
+shared_examples 'the foreman application' do |params = {}|
   [
     ['debian', 'ubuntu'].include?(os[:family]) ? 'apache2' : 'httpd',
     'dynflow-sidekiq@orchestrator',
@@ -24,7 +24,7 @@
   end
 
   describe command("curl -s --cacert /etc/foreman-certs/certificate.pem https://#{host_inventory['fqdn']} -w '\%{redirect_url}' -o /dev/null") do
-    its(:stdout) { is_expected.to eq("https://#{host_inventory['fqdn']}/users/login") }
+    its(:stdout) { is_expected.to eq("https://#{host_inventory['fqdn']}#{params.fetch(:expected_login_url_path, '/users/login')}") }
     its(:exit_status) { is_expected.to eq 0 }
   end
 end

diff --git a/templates/auth_gssapi.conf.erb b/templates/auth_gssapi.conf.erb
@@ -1,5 +1,5 @@
 
-<LocationMatch ^(/api(/v2)?)?/users/extlogin/?$>
+<LocationMatch ^/users/extlogin/?$>
   SSLRequireSSL
   AuthType GSSAPI
   AuthName "GSSAPI Single Sign On Login"

diff --git a/templates/external_auth_api.conf.erb b/templates/external_auth_api.conf.erb
@@ -0,0 +1,28 @@
+
+<LocationMatch ^/api(/v2)?/users/extlogin/?$>
+  SSLRequireSSL
+  <% if scope.lookupvar('foreman::ipa_authentication_api') %>
+  <If "%{HTTP:Authorization} =~ /^Basic/">
+    AuthType Basic
+    AuthName "PAM Authentication"
+    AuthBasicProvider PAM
+    AuthPAMService <%= scope.lookupvar('foreman::pam_service') %>
+  </If>
+  <Else>
+    AuthType GSSAPI
+    AuthName "GSSAPI Single Sign On Login"
+    GssapiCredStore keytab:<%= @http_keytab %>
+    GssapiSSLonly On
+    GssapiLocalName <%= @gssapi_local_name %>
+  </Else>
+  <% else %>
+  AuthType Basic
+  AuthName "PAM Authentication"
+  AuthBasicProvider PAM
+  AuthPAMService <%= scope.lookupvar('foreman::pam_service') %>
+  <% end %>
+  require pam-account <%= scope.lookupvar('foreman::pam_service') %>
+  ErrorDocument 401 '{ "error": "External authentication did not pass." }'
+  # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087
+  ErrorDocument 500 '{ "error": "External authentication did not pass." }'
+</LocationMatch>
diff --git a/templates/settings-external-auth-api.yaml.erb b/templates/settings-external-auth-api.yaml.erb
@@ -0,0 +1 @@
+:authorize_login_delegation_api: true
diff --git a/templates/settings-external-auth.yaml.erb b/templates/settings-external-auth.yaml.erb
@@ -1,3 +1,2 @@
 :authorize_login_delegation: true
-:authorize_login_delegation_api: true
 :authorize_login_delegation_auth_source_user_autocreate: External
diff --git a/templates/settings.yaml.erb b/templates/settings.yaml.erb
@@ -101,12 +101,8 @@
   :type: <%= scope["foreman::rails_cache_store"]["type"] %>
 <% if scope["foreman::rails_cache_store"]["type"] == "redis" -%>
   :urls:
-<%   if scope["foreman::rails_cache_store"].key?("urls") -%>
-<%     scope["foreman::rails_cache_store"]["urls"].each do |url| -%>
-    - redis://<%= url %>
-<%     end -%>
-<%   else -%>
-    - redis://localhost:8479/0
+<%   @redis_cache_urls.each do |url| -%>
+    - <%= url %>
 <%   end -%>
   :options:
 <%   if scope["foreman::rails_cache_store"].key?("options") -%>