novajoin: Optionally configure kerberos

This enables the puppet module to optionally create a minimal kerberos
configuration. This is especially useful when running novajoin inside a
container, since when running with SELinux enabled, we sometimes cannot
load the kerberos configuration from the host due to some includes
pointing to /var/lib.

Change-Id: I554125fd6b48e620370f9e3a6061bbdc1d55b0ae
This commit is contained in:
Juan Antonio Osorio Robles 2018-03-12 09:28:50 +02:00
parent f153e300b5
commit 277c4c9fdf
4 changed files with 58 additions and 2 deletions


@ -0,0 +1,8 @@
Facter.add(:ipa_hostname) do
confine kernel: 'Linux'
setcode do
if File.exist?('/etc/ipa/default.conf')
Facter::Util::Resolution.exec('grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3')
end
end
end
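Review bot: The `Facter::Util::Resolution.exec` line shells out through a `grep | cut` pipeline for a field Ruby can read directly, and `grep xmlrpc_uri` also matches a commented-out `#xmlrpc_uri` line, so the fact may resolve to the wrong host or to an empty value that the manifest then interpolates unquoted into `ipa-getkeytab -s ${::ipa_hostname}`. Parsing the file in Ruby keeps the fact unset when nothing matches: `line = File.readlines('/etc/ipa/default.conf').find { |l| l.match?(/\Axmlrpc_uri\s*=/) }` followed by `line && line.chomp.split('/')[2]`. A comment above `setcode` stating what is extracted would also help, e.g. `# host[:port] part of xmlrpc_uri (https://host/ipa/xml) from the IPA client config`.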


@ -92,6 +92,15 @@
# (optional) Domain for novajoin user.
# Defaults to 'default'
#
# [*configure_kerberos*]
# (optional) Whether or not to create a kerberos configuration file.
# Defaults to false
#
# [*ipa_realm*]
# (optional) Kerberos realm. If left empty, the kerberos configuration will
# take the domain and upcase it.
# Defaults to undef
#
# DEPRECATED PARAMETERS
#
# [*nova_user*]
@ -124,6 +133,8 @@ class nova::metadata::novajoin::api (
$project_domain_name = 'default',
$project_name = 'service',
$user_domain_id = 'default',
$configure_kerberos = false,
$ipa_realm = undef,
# DEPRECATED PARAMETERS
$nova_user = 'nova',
$nova_password = undef,
@ -184,6 +195,23 @@ class nova::metadata::novajoin::api (
novajoin_config {
'DEFAULT/domain': value => $ipa_domain;
}
$ipa_domain_real = $ipa_domain
} else {
$ipa_domain_real = $::domain
}
if $configure_kerberos {
if $ipa_realm != undef {
$ipa_realm_real
} else {
$ipa_realm_real = upcase($ipa_domain_real)
}
file { '/etc/novajoin/krb5.conf':
content => template('nova/krb5.conf.erb'),
owner => $service_user,
group => $service_user,
}
}
novajoin_config {
@ -234,7 +262,7 @@ class nova::metadata::novajoin::api (
}
exec { 'get-service-user-keytab':
command => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s `grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3` \
command => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s ${::ipa_hostname} \
-p nova/${::fqdn} -k ${keytab}",
creates => $keytab,
}
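Review bot: The `$ipa_realm_real` line inside `if $ipa_realm != undef` is a bare variable reference rather than an assignment, so when an explicit `ipa_realm` is passed the template's `@ipa_realm_real` is never set and `default_realm`, the `[realms]` entry and both `[domain_realm]` mappings in the generated krb5.conf come out empty; it should read `$ipa_realm_real = $ipa_realm`. Separately, the `get-service-user-keytab` exec now depends on the `ipa_hostname` fact, which the new fact leaves undefined when /etc/ipa/default.conf is absent, giving `ipa-getkeytab -s` an empty argument; a guard such as `if $::ipa_hostname == undef { fail('ipa_hostname fact not available; is the IPA client enrolled?') }` before the exec and the file resource would make that failure explicit at catalog compile time. The enclosing class continues outside the hunk.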


@ -9,6 +9,7 @@ describe 'nova::metadata::novajoin::api' do
:processorcount => '7',
:fqdn => "undercloud.example.com",
:operatingsystemrelease => '7.0',
:ipa_hostname => 'ipa.ipadomain'
}
)
end
@ -131,7 +132,7 @@ describe 'nova::metadata::novajoin::api' do
it 'is_expected.to get service user keytab' do
is_expected.to contain_exec('get-service-user-keytab').with(
'command' => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s `grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3` \
'command' => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s ipa.ipadomain \
-p nova/undercloud.example.com -k #{param_hash[:keytab]}",
)
end
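Review bot: No example exercises the new `configure_kerberos` branch, so the spec passes even though the manifest never assigns `$ipa_realm_real` when an explicit `ipa_realm` is given, and the content of `/etc/novajoin/krb5.conf` is unchecked. A context with `:configure_kerberos => true` asserting `is_expected.to contain_file('/etc/novajoin/krb5.conf').with_content(/default_realm = \S+/)`, plus a second context that also passes `:ipa_realm` and checks that value appears, would cover both derivations. The `describe` block starts before this hunk.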

19
templates/krb5.conf.erb Normal file

@ -0,0 +1,19 @@
[libdefaults]
default_realm = <%= @ipa_realm_real %>
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
<%= @ipa_realm_real %> = {
kdc = <%= @ipa_hostname %>:88
master_kdc = <%= @ipa_hostname %>:88
admin_server = <%= @ipa_hostname %>:749
default_domain = <%= @ipa_domain_real %>
}
[domain_realm]
.<%= @ipa_domain_real %> = <%= @ipa_realm_real %>
<%= @ipa_domain_real %> = <%= @ipa_realm_real %>
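Review bot: The template carries no header saying the file is generated, and every realm and kdc line degrades silently to a malformed value (`default_realm = `, `kdc = :88`) when `@ipa_realm_real` or `@ipa_hostname` is nil, since `<%= %>` renders nil as an empty string. Adding `# This file is managed by Puppet (nova/krb5.conf.erb); local edits will be overwritten.` as the first line documents provenance, and checking both variables in the manifest before the file resource keeps a broken krb5.conf from being written at all. The `[domain_realm]` mappings and the `default_domain` line also rely on `@ipa_domain_real`, so the same check should cover it.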