From 3988e5c072c585f018bf6334c38cb75a9aaadeba Mon Sep 17 00:00:00 2001
From: "Dave Wilde (d34dh0r53)"
Date: Fri, 15 May 2020 15:37:56 -0500
Subject: [PATCH] Add composible service for tls enrollment

This commit attempts to build out a composible service that enrolls the undercloud as a FreeIPA host using an OTP. This is similar to what we've done in the past for tls-everywhere except we're not using novajoin.
Change-Id: I770227b2f4f1ea447cf0138f57a6ed66c034d225
(cherry picked from commit 0e99ceda4bddf1498b03ab1ef1c2f927b6d7d1f2)
---
 deployment/tls/undercloud-tls.yaml | 99 +++++++++++++++++++
 environments/services/undercloud-tls.yaml | 4 +
 .../undercloud/undercloud-minion.yaml | 1 +
 overcloud-resource-registry-puppet.j2.yaml | 1 +
 roles/Undercloud.yaml | 1 +
 roles_data_undercloud.yaml | 1 +
 sample-env-generator/undercloud-minion.yaml | 1 +
 7 files changed, 108 insertions(+)
 create mode 100644 deployment/tls/undercloud-tls.yaml
 create mode 100644 environments/services/undercloud-tls.yaml
diff --git a/deployment/tls/undercloud-tls.yaml b/deployment/tls/undercloud-tls.yaml
new file mode 100644
index 0000000000..1796f07ef6
--- /dev/null
+++ b/deployment/tls/undercloud-tls.yaml
@@ -0,0 +1,99 @@
+heat_template_version: rocky
+
+description: Enrolls the undercloud with the IPA server for TLS-e deployments
+
+parameters:
+ RoleNetIpMap:
+ default: {}
+ type: json
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+ UndercloudIpaOtp:
+ default: ''
+ description: The OTP to use to enroll to FreeIPA
+ type: string
+
+outputs:
+ role_data:
+ description: Role data for enrolling the undercloud into FreeIPA.
+ value:
+ service_name: tls-enroll
+ upgrade_tasks: []
+ deploy_steps_tasks:
+ # https://bugs.launchpad.net/tripleo/+bug/1821139
+ # This is here only for split stack environments to make sure
+ # openssl-perl is installed which provides /etc/pki/CA on RHEL8
+ - name: Ensure openssl-perl package is present on RHEL8
+ when:
+ - ansible_os_family == 'RedHat'
+ - ansible_distribution_major_version == '8'
+ package:
+ name: openssl-perl
+ state: present
+ - name: Ensure FreeIPA Client package is present
+ package:
+ name: ipa-client
+ state: present
+ - name: Create tripleo-admin user and group
+ include_role:
+ name: tripleo-create-admin
+ tasks_from: create_user
+ - name: Set FreeIPA OTP fact
+ set_fact:
+ ipa_otp: {get_param: UndercloudIpaOtp}
+ no_log: true
+ - name: Enroll to FreeIPA
+ include_role:
+ name: ipaclient
+ vars:
+ ipaclient_otp: "{{ ipa_otp }}"
+ when: ipa_otp != ''
+ - name: Set keytab permission facts
+ set_fact:
+ nova_service: "nova/{{ ansible_nodename }}"
+ nova_keytab: "/etc/novajoin/krb5.keytab"
+ nova_keytab_group: "tripleo-admin"
+ - name: Add directory for keytab
+ file:
+ path: "/etc/novajoin"
+ state: directory
+ mode: '0755'
+ - name: Request keytab for {{ nova_service }}
+ shell: |
+ /usr/bin/kinit -kt /etc/krb5.keytab && \
+ ipa-getkeytab \
+ -s $(awk '/server/ { print $3 }' /etc/ipa/default.conf) \
+ -p "{{ nova_service }}" \
+ -k "{{ nova_keytab }}"
+ args:
+ creates: /etc/novajoin/krb5.keytab
+ - name: Set permissions on keytab
+ file:
+ path: "{{ nova_keytab }}"
+ group: "{{ nova_keytab_group }}"
+ mode: "g+r"
diff --git a/environments/services/undercloud-tls.yaml b/environments/services/undercloud-tls.yaml
new file mode 100644
index 0000000000..9a2354871c
--- /dev/null
+++ b/environments/services/undercloud-tls.yaml
@@ -0,0 +1,4 @@
+# A Heat environment file which can be used to enable
+# ipa services with an OTP provided
+resource_registry:
+ OS::TripleO::Services::UndercloudTLS: ../../deployment/tls/undercloud-tls.yaml
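Review bot: Only the "Enroll to FreeIPA" task is guarded by `when: ipa_otp != ''`; the four keytab tasks that follow it ("Set keytab permission facts" through "Set permissions on keytab") run unconditionally, so on a host that is not yet enrolled and is deployed with the default empty UndercloudIpaOtp the `/usr/bin/kinit -kt /etc/krb5.keytab` in "Request keytab" presumably fails for lack of a host keytab, turning the intended no-op path into a deploy failure. Applying the same `when: ipa_otp != ''` guard to those tasks, or gating them on the existence of /etc/krb5.keytab, keeps the no-OTP path inert. The `creates: /etc/novajoin/krb5.keytab` argument repeats the path already held in `nova_keytab`; `creates: "{{ nova_keytab }}"` stops the two from drifting apart. The OTP is masked on the set_fact task by no_log, but it is then passed to the ipaclient role as `ipaclient_otp`, and whether it stays out of the play log there depends on that role's own no_log handling, which is not visible in this hunk. None of the tasks carry a `step` condition either, so if deploy_steps_tasks are executed once per deploy step the package, kinit and ipa-getkeytab work repeats at every step (idempotent through `creates`, but a `when: step|int == 1` would make the intent explicit).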
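Review bot: The header comment says the file enables "ipa services with an OTP provided", yet nothing in it sets `UndercloudIpaOtp`, and the template it registers defaults that parameter to '' which skips the enrollment task; a deployer who includes only this environment gets the service registered but no enrollment. A comment naming the parameter would avoid that surprise, e.g. `# UndercloudIpaOtp must be set in parameter_defaults for enrollment to run`, or the file could carry a `parameter_defaults:` stanza documenting it.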
diff --git a/environments/undercloud/undercloud-minion.yaml b/environments/undercloud/undercloud-minion.yaml
index 37bfd5d51f..433572d699 100644
--- a/environments/undercloud/undercloud-minion.yaml
+++ b/environments/undercloud/undercloud-minion.yaml
@@ -237,6 +237,7 @@ resource_registry:
 OS::TripleO::Services::TripleoUI: OS::Heat::None
 OS::TripleO::Services::Tuned: OS::Heat::None
 OS::TripleO::Services::UndercloudMinionMessaging: ../../deployment/undercloud/minion-rabbitmq-puppet.yaml
+ OS::TripleO::Services::UndercloudTLS: OS::Heat::None
 OS::TripleO::Services::UndercloudUpgrade: OS::Heat::None
 OS::TripleO::Services::VRTSHyperScale: OS::Heat::None
 OS::TripleO::Services::Vpp: OS::Heat::None
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 8b441d1e15..8d47bf4f3f 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -218,6 +218,7 @@ resource_registry:
 OS::TripleO::Services::SwiftRingBuilder: deployment/swift/swift-ringbuilder-container-puppet.yaml
 OS::TripleO::Services::Snmp: deployment/snmp/snmp-baremetal-puppet.yaml
 OS::TripleO::Services::Timezone: deployment/time/timezone-baremetal-ansible.yaml
+ OS::TripleO::Services::UndercloudTLS: OS::Heat::None
 OS::TripleO::Services::CeilometerAgentCentral: OS::Heat::None
 OS::TripleO::Services::CeilometerAgentIpmi: OS::Heat::None
 OS::TripleO::Services::CeilometerAgentNotification: OS::Heat::None
diff --git a/roles/Undercloud.yaml b/roles/Undercloud.yaml
index 1fd8f50bfa..893c230eeb 100644
--- a/roles/Undercloud.yaml
+++ b/roles/Undercloud.yaml
@@ -43,6 +43,7 @@
 - OS::TripleO::Services::HeatApi
 - OS::TripleO::Services::HeatApiCfn
 - OS::TripleO::Services::HeatEngine
+ - OS::TripleO::Services::UndercloudTLS
 - OS::TripleO::Services::IronicApi
 - OS::TripleO::Services::IronicConductor
 - OS::TripleO::Services::IronicInspector
diff --git a/roles_data_undercloud.yaml b/roles_data_undercloud.yaml
index ee766333e2..a16e38b16a 100644
--- a/roles_data_undercloud.yaml
+++ b/roles_data_undercloud.yaml
@@ -46,6 +46,7 @@
 - OS::TripleO::Services::HeatApi
 - OS::TripleO::Services::HeatApiCfn
 - OS::TripleO::Services::HeatEngine
+ - OS::TripleO::Services::UndercloudTLS
 - OS::TripleO::Services::IronicApi
 - OS::TripleO::Services::IronicConductor
 - OS::TripleO::Services::IronicInspector
diff --git a/sample-env-generator/undercloud-minion.yaml b/sample-env-generator/undercloud-minion.yaml
index 577ec94508..940e33c020 100644
--- a/sample-env-generator/undercloud-minion.yaml
+++ b/sample-env-generator/undercloud-minion.yaml
@@ -257,6 +257,7 @@ environments:
 OS::TripleO::Services::TripleoPackages: OS::Heat::None
 OS::TripleO::Services::TripleoUI: OS::Heat::None
 OS::TripleO::Services::Tuned: OS::Heat::None
+ OS::TripleO::Services::UndercloudTLS: OS::Heat::None
 OS::TripleO::Services::UndercloudUpgrade: OS::Heat::None
 OS::TripleO::Services::Vpp: OS::Heat::None
 OS::TripleO::Services::VRTSHyperScale: OS::Heat::None