From 7761fed0cb1cd0740a2c0dee128144acf053249e Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Fri, 8 Jul 2022 18:37:35 -0400
Subject: [PATCH] Add credentials cache for novajoin user

With a switch to using the ansible-freeipa modules instead of the community modules, we need to specify a credentials cache file. We need to change to ansible-freeipa modules because the community modules do not support FIPS. This is required for the tripleo-ipa change[1].

[1] https://review.opendev.org/c/x/tripleo-ipa/+/848255

Change-Id: Iffc0c1f9cf038f20436b65bb9602f121f1c07d37
---
 deployment/ipa/ipaservices-baremetal-ansible.yaml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/deployment/ipa/ipaservices-baremetal-ansible.yaml b/deployment/ipa/ipaservices-baremetal-ansible.yaml
index e7aa753656..27a23e9f28 100644
--- a/deployment/ipa/ipaservices-baremetal-ansible.yaml
+++ b/deployment/ipa/ipaservices-baremetal-ansible.yaml
@@ -44,6 +44,10 @@ parameters:
 default: 'FILE:/etc/novajoin/krb5.keytab'
 description: keytab for the nova/[host fqdn] user on the FreeIPA server.
 type: string
+ IdMNovaCredentialCache:
+ default: '/etc/novajoin/krb5.cache'
+ description: credential cache for nova/[host fqdn] user
+ type: string
 MakeHomeDir:
 type: boolean
 description: Configure PAM to create a users home directory if it does not exist.
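Review bot: The new `IdMNovaCredentialCache` parameter is documented more thinly than its sibling `IdMNovaKeytab`, and its default is a bare path where the keytab default uses the `FILE:` prefix form; both spellings are accepted for a Kerberos cache, but the description should say what the value is for, since it ends up in `KRB5CCNAME` and will hold tickets for the nova/[host fqdn] principal. Suggested wording: `description: Kerberos credential cache (KRB5CCNAME) written for the nova/[host fqdn] user when the ansible-freeipa modules authenticate with IdMNovaKeytab.` Nothing in this patch creates the cache file or sets its ownership and mode, so if tripleo-ipa is expected to do that, stating it here (or in the commit message) would help an operator reviewing what lands in /etc/novajoin. The `parameters:` mapping this hunk belongs to continues outside the hunk.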
@@ -109,13 +113,13 @@ outputs:
 tripleo_ipa_ptr_zone_split_ipv6: {get_param: IdMZoneSplitIPv6}
 when: {get_param: IdMModifyDNS}
 environment:
- if:
- - idm_server_provided
- - IPA_HOST: {get_param: [IdMServer, 0]}
- IPA_USER: "nova/{{ ansible_facts['fqdn'] }}"
- KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
+ map_merge:
 - IPA_USER: "nova/{{ ansible_facts['fqdn'] }}"
 KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
+ KRB5CCNAME: {get_param: IdMNovaCredentialCache}
+ - if:
+ - idm_server_provided
+ - IPA_HOST: {get_param: [IdMServer, 0]}
 - name: enroll the node as an ipa client
 #NOTE(xek): this is moved to external_deploy_tasks to make sure this happens before certificates are requested from certmonger
 when: step|int == 1
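Review bot: The `if:` added as the second `map_merge` element has only a condition and a true-branch (`- idm_server_provided` / `- IPA_HOST: ...`), whereas the removed form always supplied both branches. Heat only accepts the two-argument `if` (dropping the list item when the condition is false) from the rocky template version onward; the file's `heat_template_version` is not in the hunk, so either confirm it is recent enough or add an explicit third element, `- {}`, so the merge is well-defined on every version. Setting `KRB5CCNAME` alongside `KRB5_CLIENT_KTNAME` in the common map looks right, since both are needed whether or not an IdM server is given. The enclosing task definition starts outside this hunk.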