Move ipa enrollment to host_prep_tasks

This addresses a possible bug when using FreeIPA to do TLS everywhere. It is possible that the IPA server is not on the ctlplane. In this case, when the nodes start up, the registration of the node with IPA will fail, resulting in failed certificate issuance requests later on. We introduce a composable service to run in host_prep_tasks. This will always run once the networks have been set up. If the instance has already been enrolled (by cloud-init or in an update), then the script executed by the service will just exit. In this iteration, we simply execute the code that the cloud-init would have done. In later releases, we will execute all the code performed by novajoin-server here in ansible - and deprecate the novajoin server. Change-Id: I31f64c3cbd1d151e3c2a436cc3e2ec5316535087 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Resolves: rhbz#1661635 Closes-Bug: #1815924
2019-02-12 14:31:29 -05:00 · 2019-02-12 14:31:29 -05:00 · 2a83856585
commit 2a83856585
parent 98ecf97609
45 changed files with 202 additions and 0 deletions
--- a/environments/hyperconverged-ceph.yaml
+++ b/environments/hyperconverged-ceph.yaml
@ -45,6 +45,7 @@ parameter_defaults:
    - OS::TripleO::Services::SensuClient
    - OS::TripleO::Services::SkydiveAgent
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::AuditD
    - OS::TripleO::Services::Collectd
--- a/environments/ssl/enable-internal-tls.yaml
+++ b/environments/ssl/enable-internal-tls.yaml
@ -37,4 +37,5 @@ resource_registry:
  OS::TripleO::ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals.yaml
  OS::TripleO::Services::CertmongerUser: ../../puppet/services/certmonger-user.yaml
  OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
  OS::TripleO::Services::IpaClient: ../../extraconfig/services/ipaclient.yaml
  OS::TripleO::Services::TLSProxyBase: ../../puppet/services/apache.yaml
--- a/extraconfig/services/ipaclient.yaml
+++ b/extraconfig/services/ipaclient.yaml
@ -0,0 +1,147 @@
 heat_template_version: rocky
 description: Registers nodes with the IPA server
 parameters:
  RoleNetIpMap:
    default: {}
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
 outputs:
  role_data:
    description: Role data for the ipaclient service
    value:
      service_name: ipaclient
      upgrade_tasks: []
      step_config: ''
      host_prep_tasks:
        - name: enroll client in ipa and get metadata
          become: yes
          block:
          - name: install needed packages
            package:
              name: "{{ item }}"
              state: present
            with_items:
              - python-simplejson
              - ipa-client
              - ipa-admintools
              - openldap-clients
              - hostname
          - name: create enrollment script
            copy:
              dest: /root/setup-ipa-client.sh
              mode: '0700'
              content: |
                #!/bin/sh
                set -x
                function get_metadata_config_drive {
                    if [ -f /run/cloud-init/status.json ]; then
                    # Get metadata from config drive
                    data=`cat /run/cloud-init/status.json`
                    config_drive=`echo $data | python -c 'import json,re,sys;obj=json.load(sys.stdin);ds=obj.get("v1", {}).get("datasource"); print re.findall(r"source=(.*)]", ds)[0]'`
                    if [[ -b $config_drive ]]; then
                  temp_dir=`mktemp -d`
                  mount $config_drive $temp_dir
                  if [ -f $temp_dir/openstack/latest/vendor_data2.json ]; then
                  data=`cat $temp_dir/openstack/latest/vendor_data2.json`
                  umount $config_drive
                  rmdir $temp_dir
                  else
                  umount $config_drive
                  rmdir $temp_dir
                  fi
                    else
                  echo "Unable to retrieve metadata from config drive."
                  return 1
                    fi
                    else
                    echo "Unable to retrieve metadata from config drive."
                    return 1
                    fi
                    return 0
                }
                function get_metadata_network {
                    # Get metadata over the network
                    data=$(timeout 300 /bin/bash -c 'data=""; while [ -z "$data" ]; do sleep $[ ( $RANDOM % 10 )  + 1 ]s; data=`curl -s http://169.254.169.254/openstack/2016-10-06/vendor_data2.json 2>/dev/null`; done; echo $data')
                    if [[ $? != 0 ]] ; then
                    echo "Unable to retrieve metadata from metadata service."
                    return 1
                    fi
                }
                if ! get_metadata_config_drive; then
                   if ! get_metadata_network; then
                       echo "FATAL: No metadata available"
                       exit 1
                   fi
                fi
                # Get the instance hostname out of the metadata
                fqdn=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get("join", {}).get("hostname", "")'`
                if [ -z "$fqdn" ]; then
                    echo "Unable to determine hostname"
                    exit 1
                fi
                realm=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get("join", {}).get("krb_realm", "")'`
                otp=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get("join", {}).get("ipaotp", "")'`
                hostname=`/bin/hostname -f`
                # Force hostname to use the FQDN
                hostnamectl set-hostname $fqdn
                # run ipa-client-install
                OPTS="-U -w $otp"
                if [ $hostname != $fqdn ]; then
                    OPTS="$OPTS --hostname $fqdn"
                fi
                if [ -n "$realm" ]; then
                    OPTS="$OPTS --realm=$realm"
                fi
                # Ensure we have the proper domain in /etc/resolv.conf
                domain=$(hostname -d)
                if ! grep -q ${domain} /etc/resolv.conf ; then
                    sed -i "0,/nameserver/s/\(nameserver.*\)/search ${domain}\n\1/" /etc/resolv.conf
                fi
                ipa-client-install $OPTS
          - name: run enrollment script
            shell: /root/setup-ipa-client.sh >> /var/log/setup-ipa-client-ansible.log 2>&1
            args:
              creates: /etc/ipa/default.conf
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@ -237,6 +237,7 @@ resource_registry:
  # Services that are disabled by default (use relevant environment files):
  OS::TripleO::Services::Fluentd: OS::Heat::None
  OS::TripleO::Services::IpaClient: OS::Heat::None
  OS::TripleO::Services::Ipsec: OS::Heat::None
  OS::TripleO::Services::Rhsm: OS::Heat::None
  OS::TripleO::Services::MasqueradeNetworks: OS::Heat::None
--- a/releasenotes/notes/move-ipaclient-enroll-to-host-prep-tasks-934c6e0a9f75f15b.yaml
+++ b/releasenotes/notes/move-ipaclient-enroll-to-host-prep-tasks-934c6e0a9f75f15b.yaml
@ -0,0 +1,8 @@
 ---
 fixes:
  - |
    When setting up TLS everywhere, some deployers may not have their FreIPA
    server in the ctlplane, causing the ipaclient registration to fail.
    We move this registration to host-prep tasks and invoke it using ansible.
    At this point, all networks should be set up and the FreeIPA server should
    be accessible.
--- a/roles/BlockStorage.yaml
+++ b/roles/BlockStorage.yaml
@ -24,6 +24,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/CephAll.yaml
+++ b/roles/CephAll.yaml
@ -25,6 +25,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/CephFile.yaml
+++ b/roles/CephFile.yaml
@ -22,6 +22,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/CephObject.yaml
+++ b/roles/CephObject.yaml
@ -22,6 +22,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/CephStorage.yaml
+++ b/roles/CephStorage.yaml
@ -21,6 +21,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/Compute.yaml
+++ b/roles/Compute.yaml
@ -43,6 +43,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeAlt.yaml
+++ b/roles/ComputeAlt.yaml
@ -30,6 +30,7 @@
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgentAlt
    - OS::TripleO::Services::FluentdAlt
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::IscsidAlt
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::MySQLClient
--- a/roles/ComputeDVR.yaml
+++ b/roles/ComputeDVR.yaml
@ -31,6 +31,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeHCI.yaml
+++ b/roles/ComputeHCI.yaml
@ -32,6 +32,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeInstanceHA.yaml
+++ b/roles/ComputeInstanceHA.yaml
@ -32,6 +32,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeLiquidio.yaml
+++ b/roles/ComputeLiquidio.yaml
@ -33,6 +33,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeOvsDpdk.yaml
+++ b/roles/ComputeOvsDpdk.yaml
@ -34,6 +34,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsDpdk
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeOvsDpdkRT.yaml
+++ b/roles/ComputeOvsDpdkRT.yaml
@ -34,6 +34,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsDpdk
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeOvsDpdkSriov.yaml
+++ b/roles/ComputeOvsDpdkSriov.yaml
@ -30,6 +30,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsDpdk
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeOvsDpdkSriovRT.yaml
+++ b/roles/ComputeOvsDpdkSriovRT.yaml
@ -31,6 +31,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsDpdk
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputePPC64LE.yaml
+++ b/roles/ComputePPC64LE.yaml
@ -32,6 +32,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeRealTime.yaml
+++ b/roles/ComputeRealTime.yaml
@ -38,6 +38,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeSriov.yaml
+++ b/roles/ComputeSriov.yaml
@ -30,6 +30,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeSriovRT.yaml
+++ b/roles/ComputeSriovRT.yaml
@ -31,6 +31,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/Controller.yaml
+++ b/roles/Controller.yaml
@ -95,6 +95,7 @@
    - OS::TripleO::Services::HeatApiCfn
    - OS::TripleO::Services::HeatEngine
    - OS::TripleO::Services::Horizon
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicApi
    - OS::TripleO::Services::IronicConductor
--- a/roles/ControllerAllNovaStandalone.yaml
+++ b/roles/ControllerAllNovaStandalone.yaml
@ -58,6 +58,7 @@
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::GlanceApi
    - OS::TripleO::Services::GnocchiApi
--- a/roles/ControllerNoCeph.yaml
+++ b/roles/ControllerNoCeph.yaml
@ -88,6 +88,7 @@
    - OS::TripleO::Services::HeatApiCfn
    - OS::TripleO::Services::HeatEngine
    - OS::TripleO::Services::Horizon
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicApi
    - OS::TripleO::Services::IronicConductor
--- a/roles/ControllerOpenstack.yaml
+++ b/roles/ControllerOpenstack.yaml
@ -63,6 +63,7 @@
    - OS::TripleO::Services::Ec2Api
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::GlanceApi
    - OS::TripleO::Services::GnocchiApi
--- a/roles/ControllerStorageNfs.yaml
+++ b/roles/ControllerStorageNfs.yaml
@ -89,6 +89,7 @@
    - OS::TripleO::Services::HeatApiCfn
    - OS::TripleO::Services::HeatEngine
    - OS::TripleO::Services::Horizon
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicApi
    - OS::TripleO::Services::IronicConductor
--- a/roles/Database.yaml
+++ b/roles/Database.yaml
@ -18,6 +18,7 @@
    - OS::TripleO::Services::Clustercheck
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/DistributedCompute.yaml
+++ b/roles/DistributedCompute.yaml
@ -31,6 +31,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/DistributedComputeHCI.yaml
+++ b/roles/DistributedComputeHCI.yaml
@ -36,6 +36,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/HciCephAll.yaml
+++ b/roles/HciCephAll.yaml
@ -38,6 +38,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/HciCephFile.yaml
+++ b/roles/HciCephFile.yaml
@ -34,6 +34,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/HciCephMon.yaml
+++ b/roles/HciCephMon.yaml
@ -35,6 +35,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/HciCephObject.yaml
+++ b/roles/HciCephObject.yaml
@ -34,6 +34,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/IronicConductor.yaml
+++ b/roles/IronicConductor.yaml
@ -19,6 +19,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicConductor
    - OS::TripleO::Services::IronicPxe
--- a/roles/Messaging.yaml
+++ b/roles/Messaging.yaml
@ -17,6 +17,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/Networker.yaml
+++ b/roles/Networker.yaml
@ -19,6 +19,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicNeutronAgent
    - OS::TripleO::Services::Kernel
--- a/roles/Novacontrol.yaml
+++ b/roles/Novacontrol.yaml
@ -18,6 +18,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/ObjectStorage.yaml
+++ b/roles/ObjectStorage.yaml
@ -29,6 +29,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/Standalone.yaml
+++ b/roles/Standalone.yaml
@ -81,6 +81,7 @@
    - OS::TripleO::Services::HeatApiCloudwatch
    - OS::TripleO::Services::HeatEngine
    - OS::TripleO::Services::Horizon
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicApi
    - OS::TripleO::Services::IronicConductor
--- a/roles/Telemetry.yaml
+++ b/roles/Telemetry.yaml
@ -31,6 +31,7 @@
    - OS::TripleO::Services::GnocchiApi
    - OS::TripleO::Services::GnocchiMetricd
    - OS::TripleO::Services::GnocchiStatsd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles_data.yaml
+++ b/roles_data.yaml
@ -98,6 +98,7 @@
    - OS::TripleO::Services::HeatApiCfn
    - OS::TripleO::Services::HeatEngine
    - OS::TripleO::Services::Horizon
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicApi
    - OS::TripleO::Services::IronicConductor
@ -234,6 +235,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
@ -291,6 +293,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
@ -341,6 +344,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
@ -385,6 +389,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/sample-env-generator/ssl.yaml
+++ b/sample-env-generator/ssl.yaml
@ -61,6 +61,7 @@ environments:
      OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
      # We use apache as a TLS proxy
      # FIXME(bogdando): switch it, once it is containerized
      OS::TripleO::Services::IpaClient: ../../extraconfig/services/ipaclient.yaml
      OS::TripleO::Services::TLSProxyBase: ../../puppet/services/apache.yaml
      # Creates nova metadata that will create the extra service principals per
      # node.