From 277c4c9fdff2dee9ff1f2c4c2b2fb6d6f75bf04f Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Mon, 12 Mar 2018 09:28:50 +0200
Subject: [PATCH] novajoin: Optionally configure kerberos

This enables the puppet module to optionally create a minimal kerberos configuration. This is specially useful when running novajoin inside a container, since when running with SELinux enabled, we sometimes cannot load the the kerberos configuration from the host due to some includes pointing to /var/lib.

Change-Id: I554125fd6b48e620370f9e3a6061bbdc1d55b0ae
---
 lib/facter/ipa_hostname.rb | 8 +++++
 manifests/metadata/novajoin/api.pp | 30 ++++++++++++++++++-
 .../nova_metadata_novajoin_api_spec.rb | 3 +-
 templates/krb5.conf.erb | 19 ++++++++++++
 4 files changed, 58 insertions(+), 2 deletions(-)
 create mode 100644 lib/facter/ipa_hostname.rb
 create mode 100644 templates/krb5.conf.erb

diff --git a/lib/facter/ipa_hostname.rb b/lib/facter/ipa_hostname.rb
new file mode 100644
index 000000000..0f914b1bb
--- /dev/null
+++ b/lib/facter/ipa_hostname.rb
@@ -0,0 +1,8 @@
+Facter.add(:ipa_hostname) do
+ confine kernel: 'Linux'
+ setcode do
+ if File.exist?('/etc/ipa/default.conf')
+ Facter::Util::Resolution.exec('grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3')
+ end
+ end
+end
diff --git a/manifests/metadata/novajoin/api.pp b/manifests/metadata/novajoin/api.pp
index ddcef51f4..82cd08e06 100644
--- a/manifests/metadata/novajoin/api.pp
+++ b/manifests/metadata/novajoin/api.pp
@@ -92,6 +92,15 @@
 # (optional) Domain for novajoin user.
 # Defaults to 'default'
 #
+# [*configure_kerberos*]
+# (optional) Whether or not to create a kerberos configuration file.
+# Defaults to false
+#
+# [*ipa_realm*]
+# (optional) Kerberos realm. If left empty, the kerberos configuration will
+# take the domain and upcase it.
+# Defaults to undef
+#
 # DEPRECATED PARAMETERS
 #
 # [*nova_user*]
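Review bot: The `setcode` block builds the fact from a shell pipeline, `grep xmlrpc_uri ... | cut -d/ -f3`, which matches any line containing that substring, so a commented-out `#xmlrpc_uri` entry or a second match yields a wrong or multi-line value, and the api.pp hunk in this same patch interpolates the fact straight into an `ipa-getkeytab` command line. Reading the file in Ruby with an anchored match removes the subshell and returns nil cleanly when no usable line exists; Facter then treats the fact as unresolved, exactly as it already does when the file is absent. A short comment on the fact, `# Host part of xmlrpc_uri from /etc/ipa/default.conf; unset until the host is enrolled`, would also record the timing caveat the manifest side depends on. Suggested replacement for the setcode block:
```ruby
Facter.add(:ipa_hostname) do
  # … unchanged: confine kernel: 'Linux' …
  setcode do
    # Host part of xmlrpc_uri (e.g. https://ipa.example.com/ipa/xml);
    # unset until the host is enrolled or when the key is missing.
    conf = '/etc/ipa/default.conf'
    if File.exist?(conf)
      line = File.readlines(conf).find { |l| l =~ /\A\s*xmlrpc_uri\s*=/ }
      line && line.split('=', 2).last.strip[%r{\Ahttps?://([^/]+)}, 1]
    end
  end
end
```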
@@ -124,6 +133,8 @@ class nova::metadata::novajoin::api (
 $project_domain_name = 'default',
 $project_name = 'service',
 $user_domain_id = 'default',
+ $configure_kerberos = false,
+ $ipa_realm = undef,
 # DEPRECATED PARAMETERS
 $nova_user = 'nova',
 $nova_password = undef,
@@ -184,6 +195,23 @@ class nova::metadata::novajoin::api (
 novajoin_config { 'DEFAULT/domain': value => $ipa_domain; }
+ $ipa_domain_real = $ipa_domain
+ } else {
+ $ipa_domain_real = $::domain
+ }
+
+ if $configure_kerberos {
+ if $ipa_realm != undef {
+ $ipa_realm_real
+ } else {
+ $ipa_realm_real = upcase($ipa_domain_real)
+ }
+
+ file { '/etc/novajoin/krb5.conf':
+ content => template('nova/krb5.conf.erb'),
+ owner => $service_user,
+ group => $service_user,
+ }
 }
 novajoin_config {
@@ -234,7 +262,7 @@ class nova::metadata::novajoin::api (
 }
 exec { 'get-service-user-keytab':
- command => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s `grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3` \
+ command => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s ${::ipa_hostname} \
 -p nova/${::fqdn} -k ${keytab}",
 creates => $keytab,
 }
diff --git a/spec/classes/nova_metadata_novajoin_api_spec.rb b/spec/classes/nova_metadata_novajoin_api_spec.rb
index a53189ee6..7378493e9 100644
--- a/spec/classes/nova_metadata_novajoin_api_spec.rb
+++ b/spec/classes/nova_metadata_novajoin_api_spec.rb
@@ -9,6 +9,7 @@ describe 'nova::metadata::novajoin::api' do
 :processorcount => '7',
 :fqdn => "undercloud.example.com",
 :operatingsystemrelease => '7.0',
+ :ipa_hostname => 'ipa.ipadomain'
 }
 )
 end
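Review bot: In the `if $ipa_realm != undef` branch the line `$ipa_realm_real` is a bare variable reference, not an assignment, so an explicitly passed realm leaves `$ipa_realm_real` undef and the template renders `default_realm =` with no value; it should read `$ipa_realm_real = $ipa_realm`. The `file { '/etc/novajoin/krb5.conf': ... }` resource sets no `mode` and no `require` on whatever creates /etc/novajoin, so permissions fall to the agent's umask and ordering to chance; `mode => '0644'` (the file holds no secrets) plus a require on the package or directory resource that provides /etc/novajoin would pin both. Nothing in the hunk points the service at the new file — a `KRB5_CONFIG` setting presumably lives in the container or unit definition — so a one-line comment on the resource naming who consumes it would save the next reader a search. The enclosing class starts and ends outside the hunk.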
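Review bot: Swapping the backtick subshell for `${::ipa_hostname}` moves IPA server discovery from exec time to fact-gathering time, so on the run that enrolls the host (no /etc/ipa/default.conf when facts are collected) the fact is unset and the command line becomes `ipa-getkeytab -s -p nova/...`, which the old form avoided because grep ran when the exec did. Guarding the resource, `if $::ipa_hostname { exec { 'get-service-user-keytab': ... } }`, or failing early with `fail('ipa_hostname fact is not set; is the host enrolled in IPA?')`, turns that into a clear message instead of a mangled command; with strict variables enabled the catalog would fail to compile either way, which is at least loud. The enclosing class starts and ends outside the hunk.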
@@ -131,7 +132,7 @@ describe 'nova::metadata::novajoin::api' do
 it 'is_expected.to get service user keytab' do
 is_expected.to contain_exec('get-service-user-keytab').with(
- 'command' => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s `grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3` \
+ 'command' => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s ipa.ipadomain \
 -p nova/undercloud.example.com -k #{param_hash[:keytab]}",
 )
 end
diff --git a/templates/krb5.conf.erb b/templates/krb5.conf.erb
new file mode 100644
index 000000000..247cfe81d
--- /dev/null
+++ b/templates/krb5.conf.erb
@@ -0,0 +1,19 @@
+[libdefaults]
+ default_realm = <%= @ipa_realm_real %>
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ rdns = false
+ ticket_lifetime = 24h
+ forwardable = yes
+ udp_preference_limit = 0
+
+[realms]
+ <%= @ipa_realm_real %> = {
+ kdc = <%= @ipa_hostname %>:88
+ master_kdc = <%= @ipa_hostname %>:88
+ admin_server = <%= @ipa_hostname %>:749
+ default_domain = <%= @ipa_domain_real %>
+ }
+[domain_realm]
+ .<%= @ipa_domain_real %> = <%= @ipa_realm_real %>
+ <%= @ipa_domain_real %> = <%= @ipa_realm_real %>
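Review bot: The `[realms]` block writes `<%= @ipa_hostname %>` into `kdc`, `master_kdc` and `admin_server` without a guard, so when the fact is unset (host not yet enrolled when facts were gathered) the rendered file contains `kdc = :88` and every lookup fails with an error that does not point at the cause; the manifest should refuse to render it, e.g. `if $::ipa_hostname == undef { fail('ipa_hostname fact is not set') }` before the file resource. With `dns_lookup_kdc = false` the single pinned host is also the only KDC the service will ever try, which for an IPA deployment with replicas is a single point of failure the host-wide config would not have; if that is deliberate, a comment at the top of the template should say so. `forwardable = yes` hands out forwardable TGTs, which this service, as far as the patch shows, does not need in order to talk to the IPA API with its keytab; `forwardable = false` is the more conservative default unless credential delegation is actually required.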