novajoin: Optionally configure kerberos
This enables the puppet module to optionally create a minimal kerberos configuration. This is especially useful when running novajoin inside a container, since when running with SELinux enabled we sometimes cannot load the kerberos configuration from the host, due to some includes pointing to /var/lib. Change-Id: I554125fd6b48e620370f9e3a6061bbdc1d55b0ae
parent
f153e300b5
commit
277c4c9fdf
|
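--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,8 @@
+Facter.add(:ipa_hostname) do
+confine kernel: 'Linux'
+setcode do
+if File.exist?('/etc/ipa/default.conf')
+Facter::Util::Resolution.exec('grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3')
+end
+end
+end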
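Review bot: The fact value is the raw output of `grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3`, so a commented-out `#xmlrpc_uri` line, or any second line containing that substring, yields a wrong or multi-line hostname that the manifest then splices straight into the `ipa-getkeytab -s` command and the krb5.conf template. Parsing the file in Ruby with an anchored pattern avoids the shell round-trip and leaves the fact unset (nil) when no line matches, instead of whatever the pipeline prints on no match; I cannot confirm from here whether `Facter::Util::Resolution.exec` returns nil or an empty string in that case, which is why the explicit nil matters for callers. The rewrite below keeps the `File.exist?` precondition and the `confine`.
```ruby
# … unchanged: Facter.add(:ipa_hostname) / confine kernel: 'Linux' …
setcode do
  conf = '/etc/ipa/default.conf'
  next unless File.exist?(conf)

  # Parse the host in Ruby instead of shelling out to grep/cut; the anchored
  # pattern skips commented-out lines and keys that merely contain the name.
  host = nil
  File.foreach(conf) do |line|
    m = line.match(%r{\A\s*xmlrpc_uri\s*=\s*\w+://([^/\s]+)})
    next unless m
    host = m[1]
    break
  end
  host
end
```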
@ -92,6 +92,15 @@
|
|||
# (optional) Domain for novajoin user.
|
||||
# Defaults to 'default'
|
||||
#
|
||||
# [*configure_kerberos*]
|
||||
# (optional) Whether or not to create a kerberos configuration file.
|
||||
# Defaults to false
|
||||
#
|
||||
# [*ipa_realm*]
|
||||
# (optional) Kerberos realm. If left empty, the kerberos configuration will
|
||||
# take the domain and upcase it.
|
||||
# Defaults to undef
|
||||
#
|
||||
# DEPRECATED PARAMETERS
|
||||
#
|
||||
# [*nova_user*]
|
||||
|
@ -124,6 +133,8 @@ class nova::metadata::novajoin::api (
|
|||
$project_domain_name = 'default',
|
||||
$project_name = 'service',
|
||||
$user_domain_id = 'default',
|
||||
$configure_kerberos = false,
|
||||
$ipa_realm = undef,
|
||||
# DEPRECATED PARAMETERS
|
||||
$nova_user = 'nova',
|
||||
$nova_password = undef,
|
||||
|
@ -184,6 +195,23 @@ class nova::metadata::novajoin::api (
|
|||
novajoin_config {
|
||||
'DEFAULT/domain': value => $ipa_domain;
|
||||
}
|
||||
$ipa_domain_real = $ipa_domain
|
||||
} else {
|
||||
$ipa_domain_real = $::domain
|
||||
}
|
||||
|
||||
if $configure_kerberos {
|
||||
if $ipa_realm != undef {
|
||||
$ipa_realm_real
|
||||
} else {
|
||||
$ipa_realm_real = upcase($ipa_domain_real)
|
||||
}
|
||||
|
||||
file { '/etc/novajoin/krb5.conf':
|
||||
content => template('nova/krb5.conf.erb'),
|
||||
owner => $service_user,
|
||||
group => $service_user,
|
||||
}
|
||||
}
|
||||
|
||||
novajoin_config {
|
||||
|
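Review bot: `$ipa_realm_real` on the `if $ipa_realm != undef` branch is a bare variable reference, not an assignment, so when a caller passes `ipa_realm` the variable is never set and the template receives undef for `@ipa_realm_real`; it should read `$ipa_realm_real = $ipa_realm`. The `file { '/etc/novajoin/krb5.conf': ... }` resource sets owner and group but no `mode`, so the file keeps whatever the agent's umask produces; `mode => '0640'` would pin it. Nothing in this hunk points the service or the `get-service-user-keytab` exec at the new file (kinit reads /etc/krb5.conf unless KRB5_CONFIG is set), so I cannot tell whether a consumer is wired up elsewhere; the enclosing class continues outside the hunk.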
@ -234,7 +262,7 @@ class nova::metadata::novajoin::api (
|
|||
}
|
||||
|
||||
exec { 'get-service-user-keytab':
|
||||
command => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s `grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3` \
|
||||
command => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s ${::ipa_hostname} \
|
||||
-p nova/${::fqdn} -k ${keytab}",
|
||||
creates => $keytab,
|
||||
}
|
||||
|
|
|
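Review bot: `ipa-getkeytab -s ${::ipa_hostname}` interpolates the new custom fact unconditionally; when /etc/ipa/default.conf is absent the fact does not resolve and the command silently becomes `ipa-getkeytab -s  -p nova/...` (or a strict_variables failure), which is harder to diagnose than the inline grep it replaces. A fail-fast check before the exec, e.g. `if $facts['ipa_hostname'] == undef { fail('ipa_hostname fact not resolved: /etc/ipa/default.conf is required') }`, keeps the error next to its cause. The enclosing class continues outside the hunk.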
@ -9,6 +9,7 @@ describe 'nova::metadata::novajoin::api' do
|
|||
:processorcount => '7',
|
||||
:fqdn => "undercloud.example.com",
|
||||
:operatingsystemrelease => '7.0',
|
||||
:ipa_hostname => 'ipa.ipadomain'
|
||||
}
|
||||
)
|
||||
end
|
||||
|
@ -131,7 +132,7 @@ describe 'nova::metadata::novajoin::api' do
|
|||
|
||||
it 'is_expected.to get service user keytab' do
|
||||
is_expected.to contain_exec('get-service-user-keytab').with(
|
||||
'command' => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s `grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3` \
|
||||
'command' => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s ipa.ipadomain \
|
||||
-p nova/undercloud.example.com -k #{param_hash[:keytab]}",
|
||||
)
|
||||
end
|
||||
|
|
|
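Review bot: The spec only updates the existing keytab expectation for the new `ipa_hostname` fact; nothing exercises `configure_kerberos => true`, so neither the `/etc/novajoin/krb5.conf` file resource nor the realm selection (`ipa_realm` given versus derived from the domain) is covered, and a regression in that branch would go unnoticed. A context that sets `:configure_kerberos => true` and asserts `is_expected.to contain_file('/etc/novajoin/krb5.conf').with_content(/^default_realm = [A-Z.]+$/)` would cover the default branch, with a second case passing an explicit `:ipa_realm`; the exact realm string depends on the `:domain` fact, which I cannot see in this hunk.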
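--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,19 @@
+[libdefaults]
+default_realm = <%= @ipa_realm_real %>
+dns_lookup_realm = false
+dns_lookup_kdc = false
+rdns = false
+ticket_lifetime = 24h
+forwardable = yes
+udp_preference_limit = 0
+
+[realms]
+<%= @ipa_realm_real %> = {
+kdc = <%= @ipa_hostname %>:88
+master_kdc = <%= @ipa_hostname %>:88
+admin_server = <%= @ipa_hostname %>:749
+default_domain = <%= @ipa_domain_real %>
+}
+[domain_realm]
+.<%= @ipa_domain_real %> = <%= @ipa_realm_real %>
+<%= @ipa_domain_real %> = <%= @ipa_realm_real %>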
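Review bot: `kdc = <%= @ipa_hostname %>:88` (and the `master_kdc`/`admin_server` lines) render as a bare `:88` / `:749` when the `ipa_hostname` fact is unset, and `default_realm = <%= @ipa_realm_real %>` renders empty when that variable is undef, so a broken krb5.conf is written and only fails at first use. A guard at the top of the template, `<% raise ArgumentError, 'ipa_hostname and ipa_realm_real must be set' if @ipa_hostname.nil? || @ipa_realm_real.nil? %>`, turns that into a catalog compile failure instead. Whether the manifest validates these values before rendering is not visible from this file.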