From 2a8385658543d9657ac4943e8fa096206d09fc82 Mon Sep 17 00:00:00 2001 
From: Ade Lee Date: Tue, 12 Feb 2019 14:31:29 -0500 Subject: [PATCH] Move ipa enrollment to host_prep_tasks This addresses a possible bug when using FreeIPA to do TLS everywhere. It is possible that the IPA server is not on the ctlplane. In this case, when the nodes start up, the registration of the node with IPA will fail, resulting in failed certificate issuance requests later on. We introduce a composable service to run in host_prep_tasks. This will always run once the networks have been set up. If the instance has already been enrolled (by cloud-init or in an update), then the script executed by the service will just exit. In this iteration, we simply execute the code that the cloud-init would have done. In later releases, we will execute all the code performed by novajoin-server here in ansible - and deprecate the novajoin server. Change-Id: I31f64c3cbd1d151e3c2a436cc3e2ec5316535087 Co-Authored-By: Juan Antonio Osorio Robles Resolves: rhbz#1661635 Closes-Bug: #1815924 --- environments/hyperconverged-ceph.yaml | 1 + environments/ssl/enable-internal-tls.yaml | 1 + extraconfig/services/ipaclient.yaml | 147 ++++++++++++++++++ overcloud-resource-registry-puppet.j2.yaml | 1 + ...l-to-host-prep-tasks-934c6e0a9f75f15b.yaml | 8 + roles/BlockStorage.yaml | 1 + roles/CephAll.yaml | 1 + roles/CephFile.yaml | 1 + roles/CephObject.yaml | 1 + roles/CephStorage.yaml | 1 + roles/Compute.yaml | 1 + roles/ComputeAlt.yaml | 1 + roles/ComputeDVR.yaml | 1 + roles/ComputeHCI.yaml | 1 + roles/ComputeInstanceHA.yaml | 1 + roles/ComputeLiquidio.yaml | 1 + roles/ComputeOvsDpdk.yaml | 1 + roles/ComputeOvsDpdkRT.yaml | 1 + roles/ComputeOvsDpdkSriov.yaml | 1 + roles/ComputeOvsDpdkSriovRT.yaml | 1 + roles/ComputePPC64LE.yaml | 1 + roles/ComputeRealTime.yaml | 1 + roles/ComputeSriov.yaml | 1 + roles/ComputeSriovRT.yaml | 1 + roles/Controller.yaml | 1 + roles/ControllerAllNovaStandalone.yaml | 1 + roles/ControllerNoCeph.yaml | 1 + roles/ControllerOpenstack.yaml | 1 + 
roles/ControllerStorageNfs.yaml | 1 + roles/Database.yaml | 1 + roles/DistributedCompute.yaml | 1 + roles/DistributedComputeHCI.yaml | 1 + roles/HciCephAll.yaml | 1 + roles/HciCephFile.yaml | 1 + roles/HciCephMon.yaml | 1 + roles/HciCephObject.yaml | 1 + roles/IronicConductor.yaml | 1 + roles/Messaging.yaml | 1 + roles/Networker.yaml | 1 + roles/Novacontrol.yaml | 1 + roles/ObjectStorage.yaml | 1 + roles/Standalone.yaml | 1 + roles/Telemetry.yaml | 1 + roles_data.yaml | 5 + sample-env-generator/ssl.yaml | 1 + 45 files changed, 202 insertions(+) create mode 100644 extraconfig/services/ipaclient.yaml create mode 100644 releasenotes/notes/move-ipaclient-enroll-to-host-prep-tasks-934c6e0a9f75f15b.yaml diff --git a/environments/hyperconverged-ceph.yaml b/environments/hyperconverged-ceph.yaml index 71f81eae5f..4f38d3be06 100644 --- a/environments/hyperconverged-ceph.yaml +++ b/environments/hyperconverged-ceph.yaml @@ -45,6 +45,7 @@ parameter_defaults: - OS::TripleO::Services::SensuClient - OS::TripleO::Services::SkydiveAgent - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::IpaClient - OS::TripleO::Services::Ipsec - OS::TripleO::Services::AuditD - OS::TripleO::Services::Collectd diff --git a/environments/ssl/enable-internal-tls.yaml b/environments/ssl/enable-internal-tls.yaml index df7dc00f41..38bc5ac6d0 100644 --- a/environments/ssl/enable-internal-tls.yaml +++ b/environments/ssl/enable-internal-tls.yaml @@ -37,4 +37,5 @@ resource_registry: OS::TripleO::ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals.yaml OS::TripleO::Services::CertmongerUser: ../../puppet/services/certmonger-user.yaml OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml + OS::TripleO::Services::IpaClient: ../../extraconfig/services/ipaclient.yaml OS::TripleO::Services::TLSProxyBase: ../../puppet/services/apache.yaml 
diff --git a/extraconfig/services/ipaclient.yaml b/extraconfig/services/ipaclient.yaml
new file mode 100644
index 0000000000..1553c36a33
--- /dev/null
+++ b/extraconfig/services/ipaclient.yaml
@@ -0,0 +1,147 @@ +heat_template_version: rocky + +description: Registers nodes with the IPA server + +parameters: + RoleNetIpMap: + default: {} + type: json + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the ipaclient service + value: + service_name: ipaclient + upgrade_tasks: [] + step_config: '' + host_prep_tasks: + - name: enroll client in ipa and get metadata + become: yes + block: + - name: install needed packages + package: + name: "{{ item }}" + state: present + with_items: + - python-simplejson + - ipa-client + - ipa-admintools + - openldap-clients + - hostname + + - name: create enrollment script + copy: + dest: /root/setup-ipa-client.sh + mode: '0700' + content: | + #!/bin/sh + set -x + + function get_metadata_config_drive { + if [ -f /run/cloud-init/status.json ]; then + # Get metadata from config drive + data=`cat /run/cloud-init/status.json` + config_drive=`echo $data | python -c 'import json,re,sys;obj=json.load(sys.stdin);ds=obj.get("v1", {}).get("datasource"); print re.findall(r"source=(.*)]", ds)[0]'` + if [[ -b $config_drive ]]; then + temp_dir=`mktemp -d` + mount $config_drive $temp_dir + if [ -f $temp_dir/openstack/latest/vendor_data2.json ]; then + data=`cat $temp_dir/openstack/latest/vendor_data2.json` + umount $config_drive + rmdir 
$temp_dir + else + umount $config_drive + rmdir $temp_dir + fi + else + echo "Unable to retrieve metadata from config drive." + return 1 + fi + else + echo "Unable to retrieve metadata from config drive." + return 1 + fi + + return 0 + } + + function get_metadata_network { + # Get metadata over the network + data=$(timeout 300 /bin/bash -c 'data=""; while [ -z "$data" ]; do sleep $[ ( $RANDOM % 10 ) + 1 ]s; data=`curl -s http://169.254.169.254/openstack/2016-10-06/vendor_data2.json 2>/dev/null`; done; echo $data') + + if [[ $? != 0 ]] ; then + echo "Unable to retrieve metadata from metadata service." + return 1 + fi + } + + if ! get_metadata_config_drive; then + if ! get_metadata_network; then + echo "FATAL: No metadata available" + exit 1 + fi + fi + + # Get the instance hostname out of the metadata + fqdn=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get("join", {}).get("hostname", "")'` + + if [ -z "$fqdn" ]; then + echo "Unable to determine hostname" + exit 1 + fi + + realm=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get("join", {}).get("krb_realm", "")'` + otp=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get("join", {}).get("ipaotp", "")'` + + hostname=`/bin/hostname -f` + + # Force hostname to use the FQDN + hostnamectl set-hostname $fqdn + + # run ipa-client-install + OPTS="-U -w $otp" + if [ $hostname != $fqdn ]; then + OPTS="$OPTS --hostname $fqdn" + fi + if [ -n "$realm" ]; then + OPTS="$OPTS --realm=$realm" + fi + + # Ensure we have the proper domain in /etc/resolv.conf + domain=$(hostname -d) + if ! grep -q ${domain} /etc/resolv.conf ; then + sed -i "0,/nameserver/s/\(nameserver.*\)/search ${domain}\n\1/" /etc/resolv.conf + fi + + ipa-client-install $OPTS + + - name: run enrollment script + shell: /root/setup-ipa-client.sh >> /var/log/setup-ipa-client-ansible.log 2>&1 + args: + creates: /etc/ipa/default.conf 
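Review bot: The generated /root/setup-ipa-client.sh runs with `set -x` while the "run enrollment script" task appends its stdout and stderr to /var/log/setup-ipa-client-ansible.log, so the shell trace writes the whole vendor_data2.json and the `otp=` and `OPTS="-U -w $otp"` assignments, including the IPA enrollment password, into that log. Nothing in this hunk sets the log's mode, so it presumably follows root's umask, and an OTP left unused by a failed enrollment would remain readable there. I would drop `set -x`, or wrap the metadata and OTP handling in `set +x` … `set -x`, and pre-create the log with mode 0600. Separately, `$fqdn`, `$realm` and `$otp` come from metadata and are expanded unquoted (`hostnamectl set-hostname $fqdn`, `ipa-client-install $OPTS`), so a value containing whitespace would be split into extra arguments; quoting them, e.g. `hostnamectl set-hostname "$fqdn"`, and passing the options as separate quoted words would avoid that. Also note that `get_metadata_config_drive` returns 0 when vendor_data2.json is absent from the config drive, so the network fallback is never tried in that case.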
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index 48c043cbac..20fe7ae059 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -237,6 +237,7 @@ resource_registry: # Services that are disabled by default (use relevant environment files): OS::TripleO::Services::Fluentd: OS::Heat::None + OS::TripleO::Services::IpaClient: OS::Heat::None OS::TripleO::Services::Ipsec: OS::Heat::None OS::TripleO::Services::Rhsm: OS::Heat::None OS::TripleO::Services::MasqueradeNetworks: OS::Heat::None diff --git a/releasenotes/notes/move-ipaclient-enroll-to-host-prep-tasks-934c6e0a9f75f15b.yaml b/releasenotes/notes/move-ipaclient-enroll-to-host-prep-tasks-934c6e0a9f75f15b.yaml new file mode 100644 index 0000000000..3fa0c33c39 --- /dev/null +++ b/releasenotes/notes/move-ipaclient-enroll-to-host-prep-tasks-934c6e0a9f75f15b.yaml @@ -0,0 +1,8 @@ +--- +fixes: + - | + When setting up TLS everywhere, some deployers may not have their FreIPA + server in the ctlplane, causing the ipaclient registration to fail. + We move this registration to host-prep tasks and invoke it using ansible. + At this point, all networks should be set up and the FreeIPA server should + be accessible. diff --git a/roles/BlockStorage.yaml b/roles/BlockStorage.yaml index 48faf5eb6f..1156f1a5d7 100644 --- a/roles/BlockStorage.yaml +++ b/roles/BlockStorage.yaml @@ -24,6 +24,7 @@ - OS::TripleO::Services::Collectd - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::IpaClient - OS::TripleO::Services::Ipsec - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Kernel diff --git a/roles/CephAll.yaml b/roles/CephAll.yaml index bc9189971d..1b39af1cf3 100644 --- a/roles/CephAll.yaml +++ b/roles/CephAll.yaml 
@@ -25,6 +25,7 @@
 - OS::TripleO::Services::Collectd
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::LoginDefs
diff --git a/roles/CephFile.yaml b/roles/CephFile.yaml
index a8ad4d1ec9..7b5bb84ab7 100644
--- a/roles/CephFile.yaml
+++ b/roles/CephFile.yaml
@@ -22,6 +22,7 @@
 - OS::TripleO::Services::Collectd
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::LoginDefs
diff --git a/roles/CephObject.yaml b/roles/CephObject.yaml
index 2dc1527aec..e68bb69f6a 100644
--- a/roles/CephObject.yaml
+++ b/roles/CephObject.yaml
@@ -22,6 +22,7 @@
 - OS::TripleO::Services::Collectd
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::LoginDefs
diff --git a/roles/CephStorage.yaml b/roles/CephStorage.yaml
index c52a60a59c..81a229be33 100644
--- a/roles/CephStorage.yaml
+++ b/roles/CephStorage.yaml
@@ -21,6 +21,7 @@
 - OS::TripleO::Services::Collectd
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::LoginDefs
diff --git a/roles/Compute.yaml b/roles/Compute.yaml
index 4352565623..4ea15c8e50 100644
--- a/roles/Compute.yaml
+++ b/roles/Compute.yaml
@@ -43,6 +43,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsAgent
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/ComputeAlt.yaml b/roles/ComputeAlt.yaml
index 3222e24506..bb0bc99cc5 100644
--- a/roles/ComputeAlt.yaml
+++ b/roles/ComputeAlt.yaml
@@ -30,6 +30,7 @@
 - OS::TripleO::Services::ComputeNeutronMetadataAgent
 - OS::TripleO::Services::ComputeNeutronOvsAgentAlt
 - OS::TripleO::Services::FluentdAlt
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::IscsidAlt
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::MySQLClient
diff --git a/roles/ComputeDVR.yaml b/roles/ComputeDVR.yaml
index 6a33cd1689..cf228276ba 100644
--- a/roles/ComputeDVR.yaml
+++ b/roles/ComputeDVR.yaml
@@ -31,6 +31,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsAgent
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/ComputeHCI.yaml b/roles/ComputeHCI.yaml
index 3483b85260..383e4acf65 100644
--- a/roles/ComputeHCI.yaml
+++ b/roles/ComputeHCI.yaml
@@ -32,6 +32,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsAgent
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/ComputeInstanceHA.yaml b/roles/ComputeInstanceHA.yaml
index 0bc51976c8..cfef237ba8 100644
--- a/roles/ComputeInstanceHA.yaml
+++ b/roles/ComputeInstanceHA.yaml
@@ -32,6 +32,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsAgent
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/ComputeLiquidio.yaml b/roles/ComputeLiquidio.yaml
index 2be1e3351c..a013966f4f 100644
--- a/roles/ComputeLiquidio.yaml
+++ b/roles/ComputeLiquidio.yaml
@@ -33,6 +33,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsAgent
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/ComputeOvsDpdk.yaml b/roles/ComputeOvsDpdk.yaml
index 471fb509a5..d334b0c71d 100644
--- a/roles/ComputeOvsDpdk.yaml
+++ b/roles/ComputeOvsDpdk.yaml
@@ -34,6 +34,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsDpdk
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/ComputeOvsDpdkRT.yaml b/roles/ComputeOvsDpdkRT.yaml
index 7af4604fd3..2fc43e5c07 100644
--- a/roles/ComputeOvsDpdkRT.yaml
+++ b/roles/ComputeOvsDpdkRT.yaml
@@ -34,6 +34,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsDpdk
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/ComputeOvsDpdkSriov.yaml b/roles/ComputeOvsDpdkSriov.yaml
index fa51be78c2..1043a8e330 100644
--- a/roles/ComputeOvsDpdkSriov.yaml
+++ b/roles/ComputeOvsDpdkSriov.yaml
@@ -30,6 +30,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsDpdk
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/ComputeOvsDpdkSriovRT.yaml b/roles/ComputeOvsDpdkSriovRT.yaml
index 90c670fd7f..251f9e0984 100644
--- a/roles/ComputeOvsDpdkSriovRT.yaml
+++ b/roles/ComputeOvsDpdkSriovRT.yaml
@@ -31,6 +31,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsDpdk
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/ComputePPC64LE.yaml b/roles/ComputePPC64LE.yaml
index 989cc2a629..c4670e8f2d 100644
--- a/roles/ComputePPC64LE.yaml
+++ b/roles/ComputePPC64LE.yaml
@@ -32,6 +32,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsAgent
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/ComputeRealTime.yaml b/roles/ComputeRealTime.yaml
index 335a2cb32b..e6e33044c9 100644
--- a/roles/ComputeRealTime.yaml
+++ b/roles/ComputeRealTime.yaml
@@ -38,6 +38,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsAgent
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/ComputeSriov.yaml b/roles/ComputeSriov.yaml
index 6cace0ce5c..5329525bff 100644
--- a/roles/ComputeSriov.yaml
+++ b/roles/ComputeSriov.yaml
@@ -30,6 +30,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsAgent
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/ComputeSriovRT.yaml b/roles/ComputeSriovRT.yaml
index 70c9b7820d..78852f7ab9 100644
--- a/roles/ComputeSriovRT.yaml
+++ b/roles/ComputeSriovRT.yaml
@@ -31,6 +31,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsAgent
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/Controller.yaml b/roles/Controller.yaml
index 24e668ba86..f22c8327d7 100644
--- a/roles/Controller.yaml
+++ b/roles/Controller.yaml
@@ -95,6 +95,7 @@
 - OS::TripleO::Services::HeatApiCfn
 - OS::TripleO::Services::HeatEngine
 - OS::TripleO::Services::Horizon
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::IronicApi
 - OS::TripleO::Services::IronicConductor
diff --git a/roles/ControllerAllNovaStandalone.yaml b/roles/ControllerAllNovaStandalone.yaml
index 6868b81053..0ede2d48fb 100644
--- a/roles/ControllerAllNovaStandalone.yaml
+++ b/roles/ControllerAllNovaStandalone.yaml
@@ -58,6 +58,7 @@
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Etcd
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::GlanceApi
 - OS::TripleO::Services::GnocchiApi
diff --git a/roles/ControllerNoCeph.yaml b/roles/ControllerNoCeph.yaml
index 32baf793fe..c2d0649dae 100644
--- a/roles/ControllerNoCeph.yaml
+++ b/roles/ControllerNoCeph.yaml
@@ -88,6 +88,7 @@
 - OS::TripleO::Services::HeatApiCfn
 - OS::TripleO::Services::HeatEngine
 - OS::TripleO::Services::Horizon
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::IronicApi
 - OS::TripleO::Services::IronicConductor
diff --git a/roles/ControllerOpenstack.yaml b/roles/ControllerOpenstack.yaml
index 196c9c7b2b..27f7e5bb2b 100644
--- a/roles/ControllerOpenstack.yaml
+++ b/roles/ControllerOpenstack.yaml
@@ -63,6 +63,7 @@
 - OS::TripleO::Services::Ec2Api
 - OS::TripleO::Services::Etcd
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::GlanceApi
 - OS::TripleO::Services::GnocchiApi
diff --git a/roles/ControllerStorageNfs.yaml b/roles/ControllerStorageNfs.yaml
index 0bcbf62e10..c4f95aa2c7 100644
--- a/roles/ControllerStorageNfs.yaml
+++ b/roles/ControllerStorageNfs.yaml
@@ -89,6 +89,7 @@
 - OS::TripleO::Services::HeatApiCfn
 - OS::TripleO::Services::HeatEngine
 - OS::TripleO::Services::Horizon
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::IronicApi
 - OS::TripleO::Services::IronicConductor
diff --git a/roles/Database.yaml b/roles/Database.yaml
index 92d0323aa2..d17b005a65 100644
--- a/roles/Database.yaml
+++ b/roles/Database.yaml
@@ -18,6 +18,7 @@
 - OS::TripleO::Services::Clustercheck
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::LoginDefs
diff --git a/roles/DistributedCompute.yaml b/roles/DistributedCompute.yaml
index a385da2c9a..2a900e8dd9 100644
--- a/roles/DistributedCompute.yaml
+++ b/roles/DistributedCompute.yaml
@@ -31,6 +31,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsAgent
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/DistributedComputeHCI.yaml b/roles/DistributedComputeHCI.yaml
index 5b2b8662a0..41e625d4bc 100644
--- a/roles/DistributedComputeHCI.yaml
+++ b/roles/DistributedComputeHCI.yaml
@@ -36,6 +36,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsAgent
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/HciCephAll.yaml b/roles/HciCephAll.yaml
index 543c55134b..c61c5554ac 100644
--- a/roles/HciCephAll.yaml
+++ b/roles/HciCephAll.yaml
@@ -38,6 +38,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsAgent
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/HciCephFile.yaml b/roles/HciCephFile.yaml
index f23a70cf8d..9652c0ccc5 100644
--- a/roles/HciCephFile.yaml
+++ b/roles/HciCephFile.yaml
@@ -34,6 +34,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsAgent
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/HciCephMon.yaml b/roles/HciCephMon.yaml
index a25fa9912d..6d3a0cb6ad 100644
--- a/roles/HciCephMon.yaml
+++ b/roles/HciCephMon.yaml
@@ -35,6 +35,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsAgent
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/HciCephObject.yaml b/roles/HciCephObject.yaml
index 5420bc0107..ec2703807b 100644
--- a/roles/HciCephObject.yaml
+++ b/roles/HciCephObject.yaml
@@ -34,6 +34,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsAgent
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
diff --git a/roles/IronicConductor.yaml b/roles/IronicConductor.yaml
index 46992cf2e7..5a4c131b72 100644
--- a/roles/IronicConductor.yaml
+++ b/roles/IronicConductor.yaml
@@ -19,6 +19,7 @@
 - OS::TripleO::Services::Collectd
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::IronicConductor
 - OS::TripleO::Services::IronicPxe
diff --git a/roles/Messaging.yaml b/roles/Messaging.yaml
index a5207d9132..2ddebbc450 100644
--- a/roles/Messaging.yaml
+++ b/roles/Messaging.yaml
@@ -17,6 +17,7 @@
 - OS::TripleO::Services::Collectd
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::LoginDefs
diff --git a/roles/Networker.yaml b/roles/Networker.yaml
index 33ead995e4..5d0759334b 100644
--- a/roles/Networker.yaml
+++ b/roles/Networker.yaml
@@ -19,6 +19,7 @@
 - OS::TripleO::Services::Collectd
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::IronicNeutronAgent
 - OS::TripleO::Services::Kernel
diff --git a/roles/Novacontrol.yaml b/roles/Novacontrol.yaml
index 5beaf2636f..9f69fad831 100644
--- a/roles/Novacontrol.yaml
+++ b/roles/Novacontrol.yaml
@@ -18,6 +18,7 @@
 - OS::TripleO::Services::Collectd
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::LoginDefs
diff --git a/roles/ObjectStorage.yaml b/roles/ObjectStorage.yaml
index dd1a19451d..bf65f39cea 100644
--- a/roles/ObjectStorage.yaml
+++ b/roles/ObjectStorage.yaml
@@ -29,6 +29,7 @@
 - OS::TripleO::Services::Collectd
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::LoginDefs
diff --git a/roles/Standalone.yaml b/roles/Standalone.yaml
index 3a27a57559..293975f136 100644
--- a/roles/Standalone.yaml
+++ b/roles/Standalone.yaml
@@ -81,6 +81,7 @@
 - OS::TripleO::Services::HeatApiCloudwatch
 - OS::TripleO::Services::HeatEngine
 - OS::TripleO::Services::Horizon
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::IronicApi
 - OS::TripleO::Services::IronicConductor
diff --git a/roles/Telemetry.yaml b/roles/Telemetry.yaml
index fd2019ad23..0e78b1ae87 100644
--- a/roles/Telemetry.yaml
+++ b/roles/Telemetry.yaml
@@ -31,6 +31,7 @@
 - OS::TripleO::Services::GnocchiApi
 - OS::TripleO::Services::GnocchiMetricd
 - OS::TripleO::Services::GnocchiStatsd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::LoginDefs
diff --git a/roles_data.yaml b/roles_data.yaml
index eebf0e4167..4565a351b5 100644
--- a/roles_data.yaml
+++ b/roles_data.yaml
@@ -98,6 +98,7 @@
 - OS::TripleO::Services::HeatApiCfn
 - OS::TripleO::Services::HeatEngine
 - OS::TripleO::Services::Horizon
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::IronicApi
 - OS::TripleO::Services::IronicConductor
@@ -234,6 +235,7 @@
 - OS::TripleO::Services::ComputeNeutronOvsAgent
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
@@ -291,6 +293,7 @@
 - OS::TripleO::Services::Collectd
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
@@ -341,6 +344,7 @@
 - OS::TripleO::Services::Collectd
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::LoginDefs
@@ -385,6 +389,7 @@
 - OS::TripleO::Services::Collectd
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
+ - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::LoginDefs
diff --git a/sample-env-generator/ssl.yaml b/sample-env-generator/ssl.yaml
index fd8ab033a8..8058793aaf 100644
--- a/sample-env-generator/ssl.yaml
+++ b/sample-env-generator/ssl.yaml
@@ -61,6 +61,7 @@ environments: OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml # We use apache as a TLS proxy # FIXME(bogdando): switch it, once it is containerized + OS::TripleO::Services::IpaClient: ../../extraconfig/services/ipaclient.yaml OS::TripleO::Services::TLSProxyBase: ../../puppet/services/apache.yaml # Creates nova metadata that will create the extra service principals per # node.