kerberos-kdc: add database backups

Add a script to save a db dump to borg backups.  Add the primary KDC
to our backup list.

Change-Id: I32f4ebc1bb4c1952034aba43c75e4d2f85a1b6d3

doc/source/kerberos.rst

@@ -59,8 +59,7 @@ The general process is:
    (primary-side push) and ``kpropod`` (replica-side listen).
 
 In a disaster recovery situation, we can provision a fresh realm and
-recover principals from dump files (XXX: 2020-03-11 ianw -- dump file
-backup to come).
+recover principals from backup dumps.
 
 .. _addprinc:
 

inventory/service/groups.yaml

@@ -24,6 +24,7 @@ groups:
     - review-dev[0-9]*.open*.org
     - zuul[0-9]*.open*.org
     - refstack01.openstack.org
+    - kdc03.openstack.org
     # All these servers are "special-cased" in specifically
     # as they are puppet and should be replaced "soon"
     - ethercalc02.openstack.org

playbooks/roles/kerberos-kdc/tasks/primary.yaml

@@ -92,3 +92,16 @@
     state: started
     enabled: yes
     name: krb5-kdc
+
+- name: Setup db backup streaming job
+  block:
+    - name: Create backup streaming config dir
+      file:
+        path: /etc/borg-streams
+        state: directory
+
+    - name: Create db streaming file
+      copy:
+        content: >-
+            /usr/sbin/kdb5_util dump
+        dest: /etc/borg-streams/kdb5