Make sure IPA has the right ACI

We need a special ACI in FreeIPA to allow etcd to obtain a
certificate with an IP SAN.  This ACI needs to be added ahead of
time.  We add a call for a validation here to make sure that the
relevant ACI has been added.

On failure, the installation will fail with instructions to add
the ACI.

Depends-On: I03575a5717456ad647cb10825b8d5646a55a6378
Change-Id: I9baaa77b5b846c96cf075244a8ccb6889469b08e
Ade Lee 2020-09-01 15:45:44 -04:00
parent 1ecccef564
commit 32934b30ab
1 changed files with 19 additions and 5 deletions


@ -205,11 +205,25 @@ outputs:
- /var/lib/config-data/etcd/etc/etcd/:/etc/etcd:ro
- /var/lib/etcd:/var/lib/etcd:ro
host_prep_tasks:
- name: create /var/lib/etcd
file:
path: /var/lib/etcd
state: directory
setype: container_file_t
list_concat:
-
- name: create /var/lib/etcd
file:
path: /var/lib/etcd
state: directory
setype: svirt_sandbox_file_t
-
if:
- internal_tls_enabled
-
- name: check if ipa server has required permissions
import_role:
name: tls_everywhere
tasks_from: ipa-server-check
tags:
- opendev-validation
- opendev-validation-tls-everywhere
- null
upgrade_tasks: []
metadata_settings:
if:
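Review bot: The "create /var/lib/etcd" task moved under list_concat now has `setype: svirt_sandbox_file_t`, while the task it replaces had `setype: container_file_t`. The commit message only describes adding the IPA ACI check, so this SELinux type change looks unintended, possibly picked up during a rebase. Please keep `container_file_t` in the moved task, or split the label change into its own commit with a justification. A smaller point on the new conditional block: the "check if ipa server has required permissions" task only runs when internal_tls_enabled is set, which matches the stated intent, but a short comment above the `if:` naming the ACI being validated (the one that lets etcd obtain a certificate with an IP SAN) would help the next reader understand why a host prep step imports the tls_everywhere role.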