
Merge "Add new composable service for IpaClient" into stable/train

changes/11/719011/1
Zuul 4 months ago
committed by Gerrit Code Review
parent
commit
97bc46c444
6 changed files with 132 additions and 0 deletions
  1. +122
    -0
      deployment/ipa/ipaservices-baremetal-ansible.yaml
  2. +2
    -0
      environments/ssl/enable-internal-tls.j2.yaml
  3. +1
    -0
      environments/standalone/standalone-overcloud.yaml
  4. +1
    -0
      environments/standalone/standalone-tripleo.yaml
  5. +2
    -0
      sample-env-generator/ssl.yaml
  6. +4
    -0
      sample-env-generator/standalone.yaml

+ 122
- 0
deployment/ipa/ipaservices-baremetal-ansible.yaml View File

@@ -0,0 +1,122 @@
heat_template_version: rocky

description: Add services and subhosts to IPA server

parameters:
RoleNetIpMap:
default: {}
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
PythonInterpreter:
type: string
description: The python interpreter to use for python and ansible actions
default: "/usr/bin/python"
IdMDomain:
default: ''
description: IDM domain to register IDM client. Typically, this is discovered
through DNS and does not have to be set explicitly.
type: string
IdMServer:
default: ''
description: FQDN for the FreeIPA server. Typically, this is discovered
through DNS and does not have to set explicitly.
type: string
IdMNovaKeytab:
default: 'FILE:/etc/novajoin/krb5.keytab'
description: keytab for the nova/[host fqdn] user on the FreeIPA server.
type: string
MakeHomeDir:
type: boolean
description: Configure PAM to create a users home directory if it does not exist.
default: False
IdMNoNtpSetup:
default: False
description: Set to true to add --no-ntp to the IDM client install call.
This will cause IDM client install not to set up NTP.
type: boolean
IdMEnrollBaseServer:
default: True
description: Set to true to enroll the base server (computes, controllers)
type: boolean

outputs:
role_data:
description: Role data for the ipaservice service
value:
service_name: ipaservice
upgrade_tasks: []
step_config: ''
external_deploy_tasks:
- name: add the ipa services for this node in step 1
when: step|int == 1
block:
- include_role:
name: tripleo_ipa_registration
apply:
environment:
IPA_USER: "nova/{{ ansible_fqdn }}"
IPA_HOST: {get_param: IdMServer}
KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
vars:
tripleo_ipa_enroll_base_server: {get_param: IdMEnrollBaseServer}
tripleo_ipa_delegate_server: "{{ item }}"
tripleo_ipa_base_server_fqdn: "{{hostvars[item]['fqdn_canonical']}}"
tripleo_ipa_server_metadata: "{{hostvars[item]['service_metadata_settings'] | to_json }}"
loop: "{{ groups.certmonger_user }}"
deploy_steps_tasks:
- name: enroll the node as an ipa client
when: step|int == 1
vars:
state: present
ipaclient_otp: "{{ ipa_host_otp }}"
idm_enroll_base_server: {get_param: IdMEnrollBaseServer}
ipaclient_mkhomedir: {get_param: MakeHomeDir}
ipaclient_domain: {get_param: IdMDomain}
ipaclient_no_ntp: {get_param: IdMNoNtpSetup}
ipaclient_force: yes
ipaclient_servers: {get_param: IdMServer}
ipaclient_hostname: "{{ fqdn_canonical }}"
ipaclients:
- "{{ inventory_hostname }}"
block:
- name: check if default.conf exists
stat:
path: /etc/ipa/default.conf
register: ipa_conf_exists
- block:
- name: register as an ipa client
import_role:
name: ipaclient
- name: restart certmonger service
systemd:
state: restarted
daemon_reload: true
name: certmonger.service
when:
- idm_enroll_base_server|bool
- not ipa_conf_exists.stat.exists
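Review bot: `ipaclient_force: yes` in the deploy_steps_tasks vars uses the YAML 1.1 truthy spelling, while every other boolean in this template is written `True`/`False`; a YAML 1.2 loader reads `yes` as the string "yes", so write `ipaclient_force: true`, and for consistency with yamllint's truthy rule spell the parameter defaults `default: false` / `default: true`. The IdMServer description has a typo, "does not have to set explicitly", which should read "does not have to be set explicitly". The external_deploy_tasks authenticate with `KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}`, whose default path is under /etc/novajoin; since the environment files in this change present this service as the post-novajoin replacement, the IdMNovaKeytab description should say which component is expected to provision that keytab on the host running external_deploy_tasks once novajoin is gone, as this is not evident from the template itself.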

+ 2
- 0
environments/ssl/enable-internal-tls.j2.yaml View File

@@ -37,6 +37,8 @@ resource_registry:
OS::TripleO::Services::CertmongerUser: ../../deployment/certs/certmonger-user-baremetal-puppet.yaml
OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
# FIXME(xek): after removal of novajoin, switch to using this service instead
# OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
{%- for role in roles %}
OS::TripleO::{{role.name}}ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/{{role.name.lower()}}-role.yaml
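Review bot: The commented-out alternate `OS::TripleO::Services::IpaClient` mapping sits directly under the active one, so following the FIXME by uncommenting it without also deleting the line above yields a duplicate key, which most YAML loaders resolve silently to whichever value comes last. Make the instruction explicit, e.g. `# FIXME(xek): after removal of novajoin, replace the IpaClient mapping above with:`. The same comment pair is added to sample-env-generator/ssl.yaml in this change, which presumably generates this environment file, so the wording should be fixed there first.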


+ 1
- 0
environments/standalone/standalone-overcloud.yaml View File

@@ -72,6 +72,7 @@ resource_registry:
OS::TripleO::Services::HeatApiCfn: OS::Heat::None
OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
OS::TripleO::Services::HeatEngine: OS::Heat::None
OS::TripleO::Services::IpaClient: OS::Heat::None
OS::TripleO::Services::IronicApi: OS::Heat::None
OS::TripleO::Services::IronicConductor: OS::Heat::None
OS::TripleO::Services::IronicInspector: OS::Heat::None


+ 1
- 0
environments/standalone/standalone-tripleo.yaml View File

@@ -85,6 +85,7 @@ resource_registry:
OS::TripleO::Services::HeatApiCfn: OS::Heat::None
OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
OS::TripleO::Services::HeatEngine: OS::Heat::None
OS::TripleO::Services::IpaClient: OS::Heat::None
OS::TripleO::Services::IronicApi: OS::Heat::None
OS::TripleO::Services::IronicConductor: OS::Heat::None
OS::TripleO::Services::IronicInspector: OS::Heat::None


+ 2
- 0
sample-env-generator/ssl.yaml View File

@@ -61,6 +61,8 @@ environments:
# We use apache as a TLS proxy
# FIXME(bogdando): switch it, once it is containerized
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
# FIXME(xek): after removal of novajoin, switch to using this service instead
# OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
# Creates nova metadata that will create the extra service principals per
# node.


+ 4
- 0
sample-env-generator/standalone.yaml View File

@@ -112,6 +112,8 @@ environments:
OS::TripleO::Services::HeatApiCfn: OS::Heat::None
OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
OS::TripleO::Services::HeatEngine: OS::Heat::None
# TLS
OS::TripleO::Services::IpaClient: OS::Heat::None
# Ironic
OS::TripleO::Services::IronicApi: OS::Heat::None
OS::TripleO::Services::IronicConductor: OS::Heat::None
@@ -228,6 +230,8 @@ environments:
OS::TripleO::Services::HeatApiCfn: OS::Heat::None
OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
OS::TripleO::Services::HeatEngine: OS::Heat::None
# TLS
OS::TripleO::Services::IpaClient: OS::Heat::None
# Ironic
OS::TripleO::Services::IronicApi: OS::Heat::None
OS::TripleO::Services::IronicConductor: OS::Heat::None

