Make sure IPA has the right ACI

We need a special ACI in FreeIPA to allow etcd to obtain a certificate with an IP SAN. This ACI needs to be added ahead of time. We add a call for a validation here to make sure that the relevant ACI has been added. On failure, the installation will fail with instructions to add the ACI. The validation that is invoked here has already mereged in: https://review.opendev.org/#/c/741313/ Change-Id: I9baaa77b5b846c96cf075244a8ccb6889469b08e (cherry picked from commit dc959f17c8)
2020-09-01 15:45:44 -04:00 · 2020-09-01 15:45:44 -04:00 · 1cde17b813
parent ca966eef90
commit 1cde17b813
1 changed files with 19 additions and 5 deletions
--- a/deployment/etcd/etcd-container-puppet.yaml
+++ b/deployment/etcd/etcd-container-puppet.yaml
@ -205,11 +205,25 @@ outputs:
            - /var/lib/config-data/etcd/etc/etcd/:/etc/etcd:ro
            - /var/lib/etcd:/var/lib/etcd:ro
      host_prep_tasks:
-        - name: create /var/lib/etcd
-          file:
-            path: /var/lib/etcd
-            state: directory
-            setype: container_file_t
+        list_concat:
+          -
+            - name: create /var/lib/etcd
+              file:
+                path: /var/lib/etcd
+                state: directory
+                setype: container_file_t
+          -
+            if:
+              - internal_tls_enabled
+              -
+                - name: check if ipa server has required permissions
+                  import_role:
+                    name: tls_everywhere
+                    tasks_from: ipa-server-check
+                  tags:
+                    - opendev-validation
+                    - opendev-validation-tls-everywhere
+              - null
      upgrade_tasks: []
      metadata_settings:
        if: