Add FreeIPA enrollment template

This is based on previous work [1] and it's what I've been using to test the TLS-everywhere work. This introduces a template that will run on every node to enroll them to FreeIPA and acquire a ticket (authenticate) in order to be able to request certificates. Enrollment is done via the ipa-client-install command and it does the following: * Get FreeIPA's CA certificate and trust it. * Authenticate to FreeIPA using an OTP and get a kerberos keytab. * Set up several configurations that are needed for FreeIPA (sssd, kerberos, certmonger) The keytab is then used to authenticate and get an actual TGT (Ticket-Granting-Ticket) from Kerberos The previous implementation used a PreConfig hook, however, here it was modified to use NodeTLSCAData. This has the advantage that it runs on every node as opposed to the PreConfig hook where we had to specify the role type so it's a usability improvement. And, on the other hand, this does set up necessary things for the usage of FreeIPA as a CA, such as getting the certificate and enrolling to the CA. [1] https://github.com/JAORMX/freeipa-tripleo-incubator bp tls-via-certmonger Change-Id: Iac94b3b047dca1bcabd464ea8eed6f1220c844f1
2016-12-07 12:12:25 +02:00 · 2016-12-07 12:12:25 +02:00 · 7611f45722
parent 1e11997e76
commit 7611f45722
1 changed files with 72 additions and 0 deletions
--- a/puppet/extraconfig/tls/freeipa-enroll.yaml
+++ b/puppet/extraconfig/tls/freeipa-enroll.yaml
@ -0,0 +1,72 @@
+heat_template_version: 2015-10-15
+
+description: Enroll nodes to FreeIPA
+
+parameters:
+  server:
+    description: ID of the controller node to apply this config to
+    type: string
+
+  CloudDomain:
+    description: >
+      The configured cloud domain; this will also be used as the kerberos realm
+    type: string
+
+  FreeIPAOTP:
+    description: 'OTP that will be used for FreeIPA enrollment'
+    type: string
+    hidden: true
+  FreeIPAServer:
+    description: 'FreeIPA server DNS name'
+    type: string
+  FreeIPAIPAddress:
+    default: ''
+    description: 'FreeIPA server IP Address'
+    type: string
+
+resources:
+  FreeIPAEnrollmentConfig:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: script
+      inputs:
+        - name: otp
+        - name: ipa_server
+        - name: ipa_domain
+        - name: ipa_ip
+      config: |
+        #!/bin/sh
+        sed -i "/${ipa_server}/d" /etc/hosts
+        # Optionally add the FreeIPA server IP to /etc/hosts
+        if [ -n "${ipa_ip}" ]; then
+            echo "${ipa_ip}    ${ipa_server}" >> /etc/hosts
+        fi
+        # Set the node's domain if needed
+        if [ ! $(hostname -f | grep "${ipa_domain}$") ]; then
+            hostnamectl set-hostname "$(hostname).${ipa_domain}"
+        fi
+        yum install -y ipa-client
+        # Enroll. If there is already keytab, we have already done this.
+        if [ ! -f /etc/krb5.keytab ]; then
+            ipa-client-install --server ${ipa_server} -w ${otp} \
+                --domain=${ipa_domain} -U
+        fi
+        # Get a TGT
+        kinit -k -t /etc/krb5.keytab
+
+  FreeIPAControllerEnrollmentDeployment:
+    type: OS::Heat::SoftwareDeployment
+    properties:
+      name: FreeIPAEnrollmentDeployment
+      config: {get_resource: FreeIPAEnrollmentConfig}
+      server: {get_param: server}
+      input_values:
+        otp: {get_param: FreeIPAOTP}
+        ipa_server: {get_param: FreeIPAServer}
+        ipa_domain: {get_param: CloudDomain}
+        ipa_ip: {get_param: FreeIPAIPAddress}
+
+outputs:
+  deploy_stdout:
+    description: Output of the FreeIPA enrollment deployment
+    value: {get_attr: [FreeIPAControllerEnrollmentDeployment, deploy_stdout]}