novajoin: Optionally configure kerberos
This enables the puppet module to optionally create a minimal kerberos configuration. This is especially useful when running novajoin inside a container, since when running with SELinux enabled, we sometimes cannot load the kerberos configuration from the host due to some includes pointing to /var/lib. Change-Id: I554125fd6b48e620370f9e3a6061bbdc1d55b0ae
parent
f153e300b5
commit
277c4c9fdf
@ -0,0 +1,8 @@
|
||||||
|
Facter.add(:ipa_hostname) do
|
||||||
|
confine kernel: 'Linux'
|
||||||
|
setcode do
|
||||||
|
if File.exist?('/etc/ipa/default.conf')
|
||||||
|
Facter::Util::Resolution.exec('grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3')
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
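Review bot: The fact's `setcode` shells out to `grep xmlrpc_uri ... | cut -d/ -f3`, which also matches a commented-out or merely substring-matching line and returns every matching line joined by newlines, and that value is later interpolated unquoted into the `ipa-getkeytab -s` exec command and into the krb5.conf `kdc`/`admin_server` lines. Parsing the file in Ruby with an anchored match avoids the subshell on every facter run and narrows what the fact will accept to a single `xmlrpc_uri = <scheme>://<host>` line. The rewrite below keeps the `File.exist?` guard, keeps a `host:port` suffix exactly as `cut -d/ -f3` did, and yields nil when no such line is found; the whole fact file is inside the hunk.
```ruby
Facter.add(:ipa_hostname) do
  confine kernel: 'Linux'
  setcode do
    if File.exist?('/etc/ipa/default.conf')
      # First uncommented "xmlrpc_uri = <scheme>://<host>[:port]/..." line; host part only.
      host = nil
      File.foreach('/etc/ipa/default.conf') do |line|
        if (m = line.match(%r{\A\s*xmlrpc_uri\s*=\s*\w+://([^/\s]+)}))
          host = m[1]
          break
        end
      end
      host
    end
  end
end
```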
@ -92,6 +92,15 @@
|
||||||
# (optional) Domain for novajoin user.
|
# (optional) Domain for novajoin user.
|
||||||
# Defaults to 'default'
|
# Defaults to 'default'
|
||||||
#
|
#
|
||||||
|
# [*configure_kerberos*]
|
||||||
|
# (optional) Whether or not to create a kerberos configuration file.
|
||||||
|
# Defaults to false
|
||||||
|
#
|
||||||
|
# [*ipa_realm*]
|
||||||
|
# (optional) Kerberos realm. If left empty, the kerberos configuration will
|
||||||
|
# take the domain and upcase it.
|
||||||
|
# Defaults to undef
|
||||||
|
#
|
||||||
# DEPRECATED PARAMETERS
|
# DEPRECATED PARAMETERS
|
||||||
#
|
#
|
||||||
# [*nova_user*]
|
# [*nova_user*]
|
||||||
|
@ -124,6 +133,8 @@ class nova::metadata::novajoin::api (
|
||||||
$project_domain_name = 'default',
|
$project_domain_name = 'default',
|
||||||
$project_name = 'service',
|
$project_name = 'service',
|
||||||
$user_domain_id = 'default',
|
$user_domain_id = 'default',
|
||||||
|
$configure_kerberos = false,
|
||||||
|
$ipa_realm = undef,
|
||||||
# DEPRECATED PARAMETERS
|
# DEPRECATED PARAMETERS
|
||||||
$nova_user = 'nova',
|
$nova_user = 'nova',
|
||||||
$nova_password = undef,
|
$nova_password = undef,
|
||||||
|
@ -184,6 +195,23 @@ class nova::metadata::novajoin::api (
|
||||||
novajoin_config {
|
novajoin_config {
|
||||||
'DEFAULT/domain': value => $ipa_domain;
|
'DEFAULT/domain': value => $ipa_domain;
|
||||||
}
|
}
|
||||||
|
$ipa_domain_real = $ipa_domain
|
||||||
|
} else {
|
||||||
|
$ipa_domain_real = $::domain
|
||||||
|
}
|
||||||
|
|
||||||
|
if $configure_kerberos {
|
||||||
|
if $ipa_realm != undef {
|
||||||
|
$ipa_realm_real
|
||||||
|
} else {
|
||||||
|
$ipa_realm_real = upcase($ipa_domain_real)
|
||||||
|
}
|
||||||
|
|
||||||
|
file { '/etc/novajoin/krb5.conf':
|
||||||
|
content => template('nova/krb5.conf.erb'),
|
||||||
|
owner => $service_user,
|
||||||
|
group => $service_user,
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
novajoin_config {
|
novajoin_config {
|
||||||
|
@ -234,7 +262,7 @@ class nova::metadata::novajoin::api (
|
||||||
}
|
}
|
||||||
|
|
||||||
exec { 'get-service-user-keytab':
|
exec { 'get-service-user-keytab':
|
||||||
command => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s `grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3` \
|
command => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s ${::ipa_hostname} \
|
||||||
-p nova/${::fqdn} -k ${keytab}",
|
-p nova/${::fqdn} -k ${keytab}",
|
||||||
creates => $keytab,
|
creates => $keytab,
|
||||||
}
|
}
|
||||||
|
|
|
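Review bot: In the new `if $configure_kerberos` block, the `$ipa_realm != undef` branch contains the bare expression `$ipa_realm_real` instead of an assignment, so an explicitly supplied realm is never stored and the template's `@ipa_realm_real` stays unset (Puppet 4+ should also reject a bare variable in statement position as an expression with no effect); the line should read `$ipa_realm_real = $ipa_realm`. Separately, nothing checks that the `ipa_hostname` fact resolved: when `/etc/ipa/default.conf` is absent the keytab command becomes `ipa-getkeytab -s  -p ...` and the template's `kdc`/`admin_server` lines render with an empty host, so a guard such as `if $::ipa_hostname == undef { fail('ipa_hostname fact is not set; is /etc/ipa/default.conf present?') }` placed before the file and exec resources would turn that into a clear catalog error (with strict_variables off an unset fact interpolates as an empty string; verify which mode this module is run under). The `nova::metadata::novajoin::api` class body starts and ends outside these hunks.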
@ -9,6 +9,7 @@ describe 'nova::metadata::novajoin::api' do
|
||||||
:processorcount => '7',
|
:processorcount => '7',
|
||||||
:fqdn => "undercloud.example.com",
|
:fqdn => "undercloud.example.com",
|
||||||
:operatingsystemrelease => '7.0',
|
:operatingsystemrelease => '7.0',
|
||||||
|
:ipa_hostname => 'ipa.ipadomain'
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
@ -131,7 +132,7 @@ describe 'nova::metadata::novajoin::api' do
|
||||||
|
|
||||||
it 'is_expected.to get service user keytab' do
|
it 'is_expected.to get service user keytab' do
|
||||||
is_expected.to contain_exec('get-service-user-keytab').with(
|
is_expected.to contain_exec('get-service-user-keytab').with(
|
||||||
'command' => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s `grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3` \
|
'command' => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s ipa.ipadomain \
|
||||||
-p nova/undercloud.example.com -k #{param_hash[:keytab]}",
|
-p nova/undercloud.example.com -k #{param_hash[:keytab]}",
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
|
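Review bot: No example exercises the new `configure_kerberos` parameter, so the `/etc/novajoin/krb5.conf` file resource and the realm defaulting (`upcase` of the domain when `ipa_realm` is left undef) have no coverage; the only spec change re-checks the keytab exec against the new `ipa_hostname` fact. A context that enables the flag and asserts on the rendered content would also catch a mis-assignment of `$ipa_realm_real` in the manifest. The sketch below assumes the surrounding examples build their parameters from `param_hash`, as the keytab example at the end of this hunk does; the enclosing `describe` block starts and ends outside the hunk.
```ruby
context 'with configure_kerberos enabled' do
  let :params do
    param_hash.merge(:configure_kerberos => true)
  end

  it 'writes a krb5.conf pointing at the IPA server from the fact' do
    is_expected.to contain_file('/etc/novajoin/krb5.conf')
      .with_content(/kdc = ipa\.ipadomain:88/)
  end
end
```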
@ -0,0 +1,19 @@
|
||||||
|
[libdefaults]
|
||||||
|
default_realm = <%= @ipa_realm_real %>
|
||||||
|
dns_lookup_realm = false
|
||||||
|
dns_lookup_kdc = false
|
||||||
|
rdns = false
|
||||||
|
ticket_lifetime = 24h
|
||||||
|
forwardable = yes
|
||||||
|
udp_preference_limit = 0
|
||||||
|
|
||||||
|
[realms]
|
||||||
|
<%= @ipa_realm_real %> = {
|
||||||
|
kdc = <%= @ipa_hostname %>:88
|
||||||
|
master_kdc = <%= @ipa_hostname %>:88
|
||||||
|
admin_server = <%= @ipa_hostname %>:749
|
||||||
|
default_domain = <%= @ipa_domain_real %>
|
||||||
|
}
|
||||||
|
[domain_realm]
|
||||||
|
.<%= @ipa_domain_real %> = <%= @ipa_realm_real %>
|
||||||
|
<%= @ipa_domain_real %> = <%= @ipa_realm_real %>
|