From 1cde17b813d20f11028a36b6d582fd23ce06296e Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Tue, 1 Sep 2020 15:45:44 -0400
Subject: [PATCH] Make sure IPA has the right ACI

We need a special ACI in FreeIPA to allow etcd to obtain a certificate with an IP SAN. This ACI needs to be added ahead of time. We add a call for a validation here to make sure that the relevant ACI has been added. On failure, the installation will fail with instructions to add the ACI. The validation that is invoked here has already mereged in: https://review.opendev.org/#/c/741313/

Change-Id: I9baaa77b5b846c96cf075244a8ccb6889469b08e
(cherry picked from commit dc959f17c8a783ea44ad77b9eca7964712ea4ca9)
---
 deployment/etcd/etcd-container-puppet.yaml | 24 +++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml
index 9822bf4bdb..64c8219248 100644
--- a/deployment/etcd/etcd-container-puppet.yaml
+++ b/deployment/etcd/etcd-container-puppet.yaml
@@ -205,11 +205,25 @@ outputs:
 - /var/lib/config-data/etcd/etc/etcd/:/etc/etcd:ro
 - /var/lib/etcd:/var/lib/etcd:ro
 host_prep_tasks:
- - name: create /var/lib/etcd
- file:
- path: /var/lib/etcd
- state: directory
- setype: container_file_t
+ list_concat:
+ -
+ - name: create /var/lib/etcd
+ file:
+ path: /var/lib/etcd
+ state: directory
+ setype: container_file_t
+ -
+ if:
+ - internal_tls_enabled
+ -
+ - name: check if ipa server has required permissions
+ import_role:
+ name: tls_everywhere
+ tasks_from: ipa-server-check
+ tags:
+ - opendev-validation
+ - opendev-validation-tls-everywhere
+ - null
 upgrade_tasks: []
 metadata_settings:
 if:
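Review bot: The ACI check added under `if: internal_tls_enabled` in `host_prep_tasks` is tagged `opendev-validation` / `opendev-validation-tls-everywhere`, so a deployment run that skips those tags would presumably bypass it, and the missing ACI would only surface later, when etcd's request for a certificate with an IP SAN is refused; it is worth confirming that this is the intended failure mode. The reason for the check lives only in the commit message, so I would put a comment above the task, e.g. `# etcd requests a cert with an IP SAN; FreeIPA needs a pre-added ACI for that, so fail early if it is missing`. The `internal_tls_enabled` condition has to be declared in this template's `conditions` section, which is outside the hunk, and the `- null` else-branch relies on `list_concat` accepting a null entry; `- []` would state the empty case explicitly if that is not guaranteed.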