Merge "Add new composable service for IpaClient" into stable/train

deployment/ipa/ipaservices-baremetal-ansible.yaml

@@ -0,0 +1,122 @@
+heat_template_version: rocky
+
+description: Add services and subhosts to IPA server
+
+parameters:
+  RoleNetIpMap:
+    default: {}
+    type: json
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  PythonInterpreter:
+    type: string
+    description: The python interpreter to use for python and ansible actions
+    default: "/usr/bin/python"
+  IdMDomain:
+    default: ''
+    description: IDM domain to register IDM client. Typically, this is discovered
+                 through DNS and does not have to be set explicitly.
+    type: string
+  IdMServer:
+    default: ''
+    description: FQDN for the FreeIPA server.  Typically, this is discovered
+                 through DNS and does not have to set explicitly.
+    type: string
+  IdMNovaKeytab:
+    default: 'FILE:/etc/novajoin/krb5.keytab'
+    description: keytab for the nova/[host fqdn] user on the FreeIPA server.
+    type: string
+  MakeHomeDir:
+    type: boolean
+    description: Configure PAM to create a users home directory if it does not exist.
+    default: False
+  IdMNoNtpSetup:
+    default: False
+    description: Set to true to add --no-ntp to the IDM client install call.
+                 This will cause IDM client install not to set up NTP.
+    type: boolean
+  IdMEnrollBaseServer:
+    default: True
+    description: Set to true to enroll the base server (computes, controllers)
+    type: boolean
+
+outputs:
+  role_data:
+    description: Role data for the ipaservice service
+    value:
+      service_name: ipaservice
+      upgrade_tasks: []
+      step_config: ''
+      external_deploy_tasks:
+        - name: add the ipa services for this node in step 1
+          when: step|int == 1
+          block:
+            - include_role:
+              name: tripleo_ipa_registration
+              apply:
+                environment:
+                  IPA_USER: "nova/{{ ansible_fqdn }}"
+                  IPA_HOST: {get_param: IdMServer}
+                  KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
+              vars:
+                tripleo_ipa_enroll_base_server: {get_param: IdMEnrollBaseServer}
+                tripleo_ipa_delegate_server: "{{ item }}"
+                tripleo_ipa_base_server_fqdn: "{{hostvars[item]['fqdn_canonical']}}"
+                tripleo_ipa_server_metadata: "{{hostvars[item]['service_metadata_settings'] | to_json }}"
+              loop: "{{ groups.certmonger_user }}"
+      deploy_steps_tasks:
+        - name: enroll the node as an ipa client
+          when: step|int == 1
+          vars:
+            state: present
+            ipaclient_otp: "{{ ipa_host_otp }}"
+            idm_enroll_base_server: {get_param: IdMEnrollBaseServer}
+            ipaclient_mkhomedir: {get_param: MakeHomeDir}
+            ipaclient_domain: {get_param: IdMDomain}
+            ipaclient_no_ntp: {get_param: IdMNoNtpSetup}
+            ipaclient_force: yes
+            ipaclient_servers: {get_param: IdMServer}
+            ipaclient_hostname: "{{ fqdn_canonical }}"
+            ipaclients:
+              - "{{ inventory_hostname }}"
+          block:
+            - name: check if default.conf exists
+              stat:
+                path: /etc/ipa/default.conf
+              register: ipa_conf_exists
+            - block:
+                - name: register as an ipa client
+                  import_role:
+                    name: ipaclient
+                - name: restart certmonger service
+                  systemd:
+                    state: restarted
+                    daemon_reload: true
+                    name: certmonger.service
+              when:
+                - idm_enroll_base_server|bool
+                - not ipa_conf_exists.stat.exists

environments/ssl/enable-internal-tls.j2.yaml

@@ -37,6 +37,8 @@ resource_registry:
   OS::TripleO::Services::CertmongerUser: ../../deployment/certs/certmonger-user-baremetal-puppet.yaml
   OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
   OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
+  # FIXME(xek): after removal of novajoin, switch to using this service instead
+  # OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
   OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
 {%- for role in roles %}
   OS::TripleO::{{role.name}}ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/{{role.name.lower()}}-role.yaml

environments/standalone/standalone-overcloud.yaml

@@ -72,6 +72,7 @@ resource_registry:
   OS::TripleO::Services::HeatApiCfn: OS::Heat::None
   OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
   OS::TripleO::Services::HeatEngine: OS::Heat::None
+  OS::TripleO::Services::IpaClient: OS::Heat::None
   OS::TripleO::Services::IronicApi: OS::Heat::None
   OS::TripleO::Services::IronicConductor: OS::Heat::None
   OS::TripleO::Services::IronicInspector: OS::Heat::None

environments/standalone/standalone-tripleo.yaml

@@ -85,6 +85,7 @@ resource_registry:
   OS::TripleO::Services::HeatApiCfn: OS::Heat::None
   OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
   OS::TripleO::Services::HeatEngine: OS::Heat::None
+  OS::TripleO::Services::IpaClient: OS::Heat::None
   OS::TripleO::Services::IronicApi: OS::Heat::None
   OS::TripleO::Services::IronicConductor: OS::Heat::None
   OS::TripleO::Services::IronicInspector: OS::Heat::None

sample-env-generator/ssl.yaml

@@ -61,6 +61,8 @@ environments:
       # We use apache as a TLS proxy
       # FIXME(bogdando): switch it, once it is containerized
       OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
+      # FIXME(xek): after removal of novajoin, switch to using this service instead
+      # OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
       OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
       # Creates nova metadata that will create the extra service principals per
       # node.

sample-env-generator/standalone.yaml

@@ -112,6 +112,8 @@ environments:
       OS::TripleO::Services::HeatApiCfn: OS::Heat::None
       OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
       OS::TripleO::Services::HeatEngine: OS::Heat::None
+      # TLS
+      OS::TripleO::Services::IpaClient: OS::Heat::None
       # Ironic
       OS::TripleO::Services::IronicApi: OS::Heat::None
       OS::TripleO::Services::IronicConductor: OS::Heat::None
@@ -228,6 +230,8 @@ environments:
       OS::TripleO::Services::HeatApiCfn: OS::Heat::None
       OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
       OS::TripleO::Services::HeatEngine: OS::Heat::None
+      # TLS
+      OS::TripleO::Services::IpaClient: OS::Heat::None
       # Ironic
       OS::TripleO::Services::IronicApi: OS::Heat::None
       OS::TripleO::Services::IronicConductor: OS::Heat::None