From 61b564480c4d22130aa4ddcb104d07bac4a648b4 Mon Sep 17 00:00:00 2001
From: "Dave Wilde (d34dh0r53)"
Date: Fri, 15 May 2020 15:37:56 -0500
Subject: [PATCH] Add composible service for tls enrollment
This commit attempts to build out a composible service that enrolls the undercloud as a FreeIPA host using an OTP. This is similar to what we've done in the past for tls-everywhere except we're not using novajoin.
Change-Id: I770227b2f4f1ea447cf0138f57a6ed66c034d225
(cherry picked from commit 0e99ceda4bddf1498b03ab1ef1c2f927b6d7d1f2)
---
 ci/environments/scenario000-standalone.yaml | 1 +
 deployment/tls/undercloud-tls.yaml | 99 +++++++++++++++++++
 environments/services/undercloud-tls.yaml | 4 +
 .../undercloud/undercloud-minion.yaml | 1 +
 overcloud-resource-registry-puppet.j2.yaml | 1 +
 roles/Undercloud.yaml | 1 +
 roles_data_undercloud.yaml | 1 +
 sample-env-generator/undercloud-minion.yaml | 1 +
 8 files changed, 109 insertions(+)
 create mode 100644 deployment/tls/undercloud-tls.yaml
 create mode 100644 environments/services/undercloud-tls.yaml
diff --git a/ci/environments/scenario000-standalone.yaml b/ci/environments/scenario000-standalone.yaml
index 3fd1295eae..0d71167f95 100644
--- a/ci/environments/scenario000-standalone.yaml
+++ b/ci/environments/scenario000-standalone.yaml
@@ -183,6 +183,7 @@ resource_registry:
   OS::TripleO::Services::TripleoUI: OS::Heat::None
   OS::TripleO::Services::Tuned: OS::Heat::None
   # OS::TripleO::Services::UndercloudMinionMessaging: ../../deployment/undercloud/minion-rabbitmq-puppet.yaml
+  OS::TripleO::Services::UndercloudTLS: OS::Heat::None
   OS::TripleO::Services::UndercloudUpgrade: OS::Heat::None
   OS::TripleO::Services::VRTSHyperScale: OS::Heat::None
   OS::TripleO::Services::Vpp: OS::Heat::None
diff --git a/deployment/tls/undercloud-tls.yaml b/deployment/tls/undercloud-tls.yaml
new file mode 100644
index 0000000000..b2d2cee2ce
--- /dev/null
+++ b/deployment/tls/undercloud-tls.yaml
@@ -0,0 +1,99 @@
+heat_template_version: rocky
+
+description: Enrolls the undercloud with the IPA server for TLS-e deployments
+
+parameters:
+  RoleNetIpMap:
+    default: {}
+    type: json
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry. This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+
+  UndercloudIpaOtp:
+    default: ''
+    description: The OTP to use to enroll to FreeIPA
+    type: string
+
+outputs:
+  role_data:
+    description: Role data for enrolling the undercloud into FreeIPA.
+    value:
+      service_name: tls-enroll
+      upgrade_tasks: []
+      deploy_steps_tasks:
+        # https://bugs.launchpad.net/tripleo/+bug/1821139
+        # This is here only for split stack environments to make sure
+        # openssl-perl is installed which provides /etc/pki/CA on RHEL8
+        - name: Ensure openssl-perl package is present on RHEL8
+          when:
+            - ansible_os_family == 'RedHat'
+            - ansible_distribution_major_version == '8'
+          package:
+            name: openssl-perl
+            state: present
+        - name: Ensure FreeIPA Client package is present
+          package:
+            name: ipa-client
+            state: present
+        - name: Create tripleo-admin user and group
+          include_role:
+            name: tripleo_create_admin
+            tasks_from: create_user
+        - name: Set FreeIPA OTP fact
+          set_fact:
+            ipa_otp: {get_param: UndercloudIpaOtp}
+          no_log: true
+        - name: Enroll to FreeIPA
+          include_role:
+            name: ipaclient
+          vars:
+            ipaclient_otp: "{{ ipa_otp }}"
+          when: ipa_otp != ''
+        - name: Set keytab permission facts
+          set_fact:
+            nova_service: "nova/{{ ansible_nodename }}"
+            nova_keytab: "/etc/novajoin/krb5.keytab"
+            nova_keytab_group: "tripleo-admin"
+        - name: Add directory for keytab
+          file:
+            path: "/etc/novajoin"
+            state: directory
+            mode: '0755'
+        - name: Request keytab for {{ nova_service }}
+          shell: |
+            /usr/bin/kinit -kt /etc/krb5.keytab && \
+            ipa-getkeytab \
+              -s $(awk '/server/ { print $3 }' /etc/ipa/default.conf) \
+              -p "{{ nova_service }}" \
+              -k "{{ nova_keytab }}"
+          args:
+            creates: /etc/novajoin/krb5.keytab
+        - name: Set permissions on keytab
+          file:
+            path: "{{ nova_keytab }}"
+            group: "{{ nova_keytab_group }}"
+            mode: "g+r"
diff --git a/environments/services/undercloud-tls.yaml b/environments/services/undercloud-tls.yaml
new file mode 100644
index 0000000000..9a2354871c
--- /dev/null
+++ b/environments/services/undercloud-tls.yaml
@@ -0,0 +1,4 @@
+# A Heat environment file which can be used to enable
+# ipa services with an OTP provided
+resource_registry:
+  OS::TripleO::Services::UndercloudTLS: ../../deployment/tls/undercloud-tls.yaml
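Review bot: `UndercloudIpaOtp` is declared without `hidden: true`, so the `no_log: true` on the `Set FreeIPA OTP fact` task only hides the OTP from Ansible output while Heat still returns it in clear from stack parameter queries; add `hidden: true` next to `type: string` in the parameter definition. The `Request keytab` and `Set permissions on keytab` tasks carry no `when` guard, so with an empty OTP on a host that is not already enrolled, `/usr/bin/kinit -kt /etc/krb5.keytab` fails outright because no host keytab exists — presumably an empty OTP is meant to signal "already enrolled", and a comment stating that contract (or reusing `when: ipa_otp != ''` where appropriate) would make the expectation explicit. The `ipa-getkeytab` call also assumes the `nova/<nodename>` service principal already exists in IPA and that the host principal is permitted to retrieve its key; nothing in this template creates or authorizes it, so the `description` should state that prerequisite, and note that a successful run rotates that principal's key. Since `creates:` is the only idempotency guard, a deleted `/etc/novajoin/krb5.keytab` re-keys the principal on the next run, which is worth mentioning in the same comment.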
diff --git a/environments/undercloud/undercloud-minion.yaml b/environments/undercloud/undercloud-minion.yaml
index fa56e34814..cd0612441c 100644
--- a/environments/undercloud/undercloud-minion.yaml
+++ b/environments/undercloud/undercloud-minion.yaml
@@ -212,6 +212,7 @@ resource_registry:
   OS::TripleO::Services::TripleoUI: OS::Heat::None
   OS::TripleO::Services::Tuned: OS::Heat::None
   OS::TripleO::Services::UndercloudMinionMessaging: ../../deployment/undercloud/minion-rabbitmq-puppet.yaml
+  OS::TripleO::Services::UndercloudTLS: OS::Heat::None
   OS::TripleO::Services::UndercloudUpgrade: OS::Heat::None
   OS::TripleO::Services::VRTSHyperScale: OS::Heat::None
   OS::TripleO::Services::Vpp: OS::Heat::None
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index d566936d3c..499ff7fa4c 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -208,6 +208,7 @@ resource_registry:
   OS::TripleO::Services::SwiftRingBuilder: deployment/swift/swift-ringbuilder-container-puppet.yaml
   OS::TripleO::Services::Snmp: deployment/snmp/snmp-baremetal-puppet.yaml
   OS::TripleO::Services::Timezone: deployment/time/timezone-baremetal-ansible.yaml
+  OS::TripleO::Services::UndercloudTLS: OS::Heat::None
   OS::TripleO::Services::CeilometerAgentCentral: OS::Heat::None
   OS::TripleO::Services::CeilometerAgentIpmi: OS::Heat::None
   OS::TripleO::Services::CeilometerAgentNotification: OS::Heat::None
diff --git a/roles/Undercloud.yaml b/roles/Undercloud.yaml
index ffa0834c02..24fc18f68d 100644
--- a/roles/Undercloud.yaml
+++ b/roles/Undercloud.yaml
@@ -43,6 +43,7 @@
     - OS::TripleO::Services::HeatApi
     - OS::TripleO::Services::HeatApiCfn
     - OS::TripleO::Services::HeatEngine
+    - OS::TripleO::Services::UndercloudTLS
     - OS::TripleO::Services::IronicApi
     - OS::TripleO::Services::IronicConductor
     - OS::TripleO::Services::IronicInspector
diff --git a/roles_data_undercloud.yaml b/roles_data_undercloud.yaml
index dae982bf04..4fbeaa1d01 100644
--- a/roles_data_undercloud.yaml
+++ b/roles_data_undercloud.yaml
@@ -46,6 +46,7 @@
     - OS::TripleO::Services::HeatApi
     - OS::TripleO::Services::HeatApiCfn
     - OS::TripleO::Services::HeatEngine
+    - OS::TripleO::Services::UndercloudTLS
     - OS::TripleO::Services::IronicApi
     - OS::TripleO::Services::IronicConductor
     - OS::TripleO::Services::IronicInspector
diff --git a/sample-env-generator/undercloud-minion.yaml b/sample-env-generator/undercloud-minion.yaml
index beaed65dce..6d0a53a65f 100644
--- a/sample-env-generator/undercloud-minion.yaml
+++ b/sample-env-generator/undercloud-minion.yaml
@@ -229,6 +229,7 @@ environments:
       OS::TripleO::Services::TripleoPackages: OS::Heat::None
       OS::TripleO::Services::TripleoUI: OS::Heat::None
       OS::TripleO::Services::Tuned: OS::Heat::None
+      OS::TripleO::Services::UndercloudTLS: OS::Heat::None
       OS::TripleO::Services::UndercloudUpgrade: OS::Heat::None
       OS::TripleO::Services::Vpp: OS::Heat::None
       OS::TripleO::Services::VRTSHyperScale: OS::Heat::None