Add new composable service for IpaClient

This new role is used to register nodes as ipa-clients and
configure the services required in IPA using ansible, rather
than using novajoin.  This is required on the standalone
environment, where there is no novajoin. It will also be the
implementation used when nova is removed from the undercloud
and for pre-provisioned nodes. The existing IpaClient
composable service will be removed in a future release.

This code replaces the service ipaclient-baremetal-ansible by using
a role from freeipa-ansible to register the nodes (controllers,
computes) as ipa-clients.

In external_tasks, the host entry is created and an otp is stored
as a host variable.  In deploy_step_tasks, this otp is used to
register the node. The IPA configuration tasks are delegated to
http://opendev.org/x/tripleo-ipa roles.

Co-Authored-By: Grzegorz Grasza <xek@redhat.com>
Change-Id: I7dcd4608d3998596c2e4da19a8eca0d48e1fa841
changes/04/691904/16
Ade Lee 3 years ago committed by Grzegorz Grasza
parent 8e0ef7156b
commit ae68c90b92
  1. 122
      deployment/ipa/ipaservices-baremetal-ansible.yaml
  2. 2
      environments/ssl/enable-internal-tls.j2.yaml
  3. 1
      environments/standalone/standalone-overcloud.yaml
  4. 1
      environments/standalone/standalone-tripleo.yaml
  5. 2
      sample-env-generator/ssl.yaml
  6. 4
      sample-env-generator/standalone.yaml

@ -0,0 +1,122 @@
heat_template_version: rocky
description: Add services and subhosts to IPA server
parameters:
RoleNetIpMap:
default: {}
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
PythonInterpreter:
type: string
description: The python interpreter to use for python and ansible actions
default: "$(command -v python3 || command -v python)"
IdMDomain:
default: ''
description: IDM domain to register IDM client. Typically, this is discovered
through DNS and does not have to be set explicitly.
type: string
IdMServer:
default: ''
description: FQDN for the FreeIPA server. Typically, this is discovered
through DNS and does not have to set explicitly.
type: string
IdMNovaKeytab:
default: 'FILE:/etc/novajoin/krb5.keytab'
description: keytab for the nova/[host fqdn] user on the FreeIPA server.
type: string
MakeHomeDir:
type: boolean
description: Configure PAM to create a users home directory if it does not exist.
default: False
IdMNoNtpSetup:
default: False
description: Set to true to add --no-ntp to the IDM client install call.
This will cause IDM client install not to set up NTP.
type: boolean
IdMEnrollBaseServer:
default: True
description: Set to true to enroll the base server (computes, controllers)
type: boolean
outputs:
role_data:
description: Role data for the ipaservice service
value:
service_name: ipaservice
upgrade_tasks: []
step_config: ''
external_deploy_tasks:
- name: add the ipa services for this node in step 1
when: step|int == 1
block:
- include_role:
name: tripleo_ipa_registration
apply:
environment:
IPA_USER: "nova/{{ ansible_fqdn }}"
IPA_HOST: {get_param: IdMServer}
KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
vars:
tripleo_ipa_enroll_base_server: {get_param: IdMEnrollBaseServer}
tripleo_ipa_delegate_server: "{{ item }}"
tripleo_ipa_base_server_fqdn: "{{hostvars[item]['fqdn_canonical']}}"
tripleo_ipa_server_metadata: "{{hostvars[item]['service_metadata_settings'] | to_json }}"
loop: "{{ groups.certmonger_user }}"
deploy_steps_tasks:
- name: enroll the node as an ipa client
when: step|int == 1
vars:
state: present
ipaclient_otp: "{{ ipa_host_otp }}"
idm_enroll_base_server: {get_param: IdMEnrollBaseServer}
ipaclient_mkhomedir: {get_param: MakeHomeDir}
ipaclient_domain: {get_param: IdMDomain}
ipaclient_no_ntp: {get_param: IdMNoNtpSetup}
ipaclient_force: yes
ipaclient_servers: {get_param: IdMServer}
ipaclient_hostname: "{{ fqdn_canonical }}"
ipaclients:
- "{{ inventory_hostname }}"
block:
- name: check if default.conf exists
stat:
path: /etc/ipa/default.conf
register: ipa_conf_exists
- block:
- name: register as an ipa client
import_role:
name: ipaclient
- name: restart certmonger service
systemd:
state: restarted
daemon_reload: true
name: certmonger.service
when:
- idm_enroll_base_server|bool
- not ipa_conf_exists.stat.exists
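Review bot: `ipaclient_force: yes` in the enrollment task's vars is the YAML 1.1 boolean spelling, and the parameter defaults for MakeHomeDir, IdMNoNtpSetup and IdMEnrollBaseServer use capitalized `False`/`True`, while `daemon_reload: true` in the same file uses the canonical form; write `ipaclient_force: true` and `default: false` / `default: true` so the file is consistent and does not depend on YAML 1.1 truthy handling. The inner block is skipped whenever `/etc/ipa/default.conf` already exists, so a node that kept a stale default.conf from an earlier enrollment is neither re-enrolled nor has its certmonger restarted, and the force flag never applies to that case; a comment on the block's `when:` such as `# an existing /etc/ipa/default.conf is taken as proof that the node is already enrolled` would record that assumption. Since `ipaclient_otp` carries a one-time enrollment credential taken from the `ipa_host_otp` host variable, confirm that the task inside the imported `ipaclient` role that consumes it runs with `no_log`, otherwise the OTP can end up in verbose deployment output. The IdMNovaKeytab description should also state that the keytab at the default path must already exist on the host running external_deploy_tasks, because in the standalone environment this change targets there is no novajoin to provision it.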

@ -37,6 +37,8 @@ resource_registry:
OS::TripleO::Services::CertmongerUser: ../../deployment/certs/certmonger-user-baremetal-puppet.yaml
OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
# FIXME(xek): after removal of novajoin, switch to using this service instead
# OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
{%- for role in roles %}
OS::TripleO::{{role.name}}ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/{{role.name.lower()}}-role.yaml
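Review bot: The commented-out `# OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml` line sits directly under the live `OS::TripleO::Services::IpaClient:` entry, so acting on the FIXME by simply uncommenting it produces a duplicate mapping key, which most YAML parsers resolve silently to whichever entry comes last. The FIXME should say that the existing line has to be replaced, e.g. `# FIXME(xek): after removal of novajoin, replace the line above with this service (do not add a second IpaClient key)`. The same two lines appear in the sample-env-generator/ssl.yaml hunk, and since that file appears to generate this environment the wording should be changed there as well.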

@ -72,6 +72,7 @@ resource_registry:
OS::TripleO::Services::HeatApiCfn: OS::Heat::None
OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
OS::TripleO::Services::HeatEngine: OS::Heat::None
OS::TripleO::Services::IpaClient: OS::Heat::None
OS::TripleO::Services::IronicApi: OS::Heat::None
OS::TripleO::Services::IronicConductor: OS::Heat::None
OS::TripleO::Services::IronicInspector: OS::Heat::None
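Review bot: The IpaClient registry entry, which appears to be the line added in this hunk and likewise in standalone-tripleo.yaml and both hunks of sample-env-generator/standalone.yaml, maps the service to OS::Heat::None, so it is disabled by default in the very standalone environment the commit message says this role is required for. A comment next to the entry would spare operators a search: `# IpaClient is disabled by default; map it to deployment/ipa/ipaservices-baremetal-ansible.yaml to enroll the standalone node in IPA`. It is not clear from the hunk whether keeping it disabled in standalone-tripleo.yaml is intentional, so that should be confirmed with the author.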

@ -81,6 +81,7 @@ resource_registry:
OS::TripleO::Services::HeatApiCfn: OS::Heat::None
OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
OS::TripleO::Services::HeatEngine: OS::Heat::None
OS::TripleO::Services::IpaClient: OS::Heat::None
OS::TripleO::Services::IronicApi: OS::Heat::None
OS::TripleO::Services::IronicConductor: OS::Heat::None
OS::TripleO::Services::IronicInspector: OS::Heat::None

@ -61,6 +61,8 @@ environments:
# We use apache as a TLS proxy
# FIXME(bogdando): switch it, once it is containerized
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
# FIXME(xek): after removal of novajoin, switch to using this service instead
# OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
# Creates nova metadata that will create the extra service principals per
# node.

@ -106,6 +106,8 @@ environments:
OS::TripleO::Services::HeatApiCfn: OS::Heat::None
OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
OS::TripleO::Services::HeatEngine: OS::Heat::None
# TLS
OS::TripleO::Services::IpaClient: OS::Heat::None
# Ironic
OS::TripleO::Services::IronicApi: OS::Heat::None
OS::TripleO::Services::IronicConductor: OS::Heat::None
@ -216,6 +218,8 @@ environments:
OS::TripleO::Services::HeatApiCfn: OS::Heat::None
OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
OS::TripleO::Services::HeatEngine: OS::Heat::None
# TLS
OS::TripleO::Services::IpaClient: OS::Heat::None
# Ironic
OS::TripleO::Services::IronicApi: OS::Heat::None
OS::TripleO::Services::IronicConductor: OS::Heat::None
