diff --git a/deployment/ipa/ipaservices-baremetal-ansible.yaml b/deployment/ipa/ipaservices-baremetal-ansible.yaml
new file mode 100644
index 0000000000..bc4cdcb3fc
--- /dev/null
+++ b/deployment/ipa/ipaservices-baremetal-ansible.yaml
@@ -0,0 +1,122 @@
+heat_template_version: rocky
+
+description: Add services and subhosts to IPA server
+
+parameters:
+ RoleNetIpMap:
+ default: {}
+ type: json
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ PythonInterpreter:
+ type: string
+ description: The python interpreter to use for python and ansible actions
+ default: "$(command -v python3 || command -v python)"
+ IdMDomain:
+ default: ''
+ description: IDM domain to register IDM client. Typically, this is discovered
+ through DNS and does not have to be set explicitly.
+ type: string
+ IdMServer:
+ default: ''
+ description: FQDN for the FreeIPA server. Typically, this is discovered
+ through DNS and does not have to set explicitly.
+ type: string
+ IdMNovaKeytab:
+ default: 'FILE:/etc/novajoin/krb5.keytab'
+ description: keytab for the nova/[host fqdn] user on the FreeIPA server.
+ type: string
+ MakeHomeDir:
+ type: boolean
+ description: Configure PAM to create a users home directory if it does not exist.
+ default: False
+ IdMNoNtpSetup:
+ default: False
+ description: Set to true to add --no-ntp to the IDM client install call.
+ This will cause IDM client install not to set up NTP.
+ type: boolean
+ IdMEnrollBaseServer:
+ default: True
+ description: Set to true to enroll the base server (computes, controllers)
+ type: boolean
+
+outputs:
+ role_data:
+ description: Role data for the ipaservice service
+ value:
+ service_name: ipaservice
+ upgrade_tasks: []
+ step_config: ''
+ external_deploy_tasks:
+ - name: add the ipa services for this node in step 1
+ when: step|int == 1
+ block:
+ - include_role:
+ name: tripleo_ipa_registration
+ apply:
+ environment:
+ IPA_USER: "nova/{{ ansible_fqdn }}"
+ IPA_HOST: {get_param: IdMServer}
+ KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
+ vars:
+ tripleo_ipa_enroll_base_server: {get_param: IdMEnrollBaseServer}
+ tripleo_ipa_delegate_server: "{{ item }}"
+ tripleo_ipa_base_server_fqdn: "{{hostvars[item]['fqdn_canonical']}}"
+ tripleo_ipa_server_metadata: "{{hostvars[item]['service_metadata_settings'] | to_json }}"
+ loop: "{{ groups.certmonger_user }}"
+ deploy_steps_tasks:
+ - name: enroll the node as an ipa client
+ when: step|int == 1
+ vars:
+ state: present
+ ipaclient_otp: "{{ ipa_host_otp }}"
+ idm_enroll_base_server: {get_param: IdMEnrollBaseServer}
+ ipaclient_mkhomedir: {get_param: MakeHomeDir}
+ ipaclient_domain: {get_param: IdMDomain}
+ ipaclient_no_ntp: {get_param: IdMNoNtpSetup}
+ ipaclient_force: yes
+ ipaclient_servers: {get_param: IdMServer}
+ ipaclient_hostname: "{{ fqdn_canonical }}"
+ ipaclients:
+ - "{{ inventory_hostname }}"
+ block:
+ - name: check if default.conf exists
+ stat:
+ path: /etc/ipa/default.conf
+ register: ipa_conf_exists
+ - block:
+ - name: register as an ipa client
+ import_role:
+ name: ipaclient
+ - name: restart certmonger service
+ systemd:
+ state: restarted
+ daemon_reload: true
+ name: certmonger.service
+ when:
+ - idm_enroll_base_server|bool
+ - not ipa_conf_exists.stat.exists
diff --git a/environments/ssl/enable-internal-tls.j2.yaml b/environments/ssl/enable-internal-tls.j2.yaml
index 8165cfec2e..1bec0f14e2 100644
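Review bot: `ipaclient_force: yes` in the deploy_steps_tasks vars spells a boolean the YAML 1.1 way while the same file writes `daemon_reload: true` and the Heat parameter defaults as `False`/`True`; use `ipaclient_force: true` and `default: false` / `default: true` throughout so yamllint's truthy rule and YAML 1.2 loaders read every flag the same way. `loop: "{{ groups.certmonger_user }}"` in external_deploy_tasks would raise an undefined-attribute error on a deployment where no role carries that inventory group (inferred from the group name); `loop: "{{ groups['certmonger_user'] | default([]) }}"` lets the step no-op instead of failing the deploy. The `IdMServer` and `IdMDomain` defaults of `''` are handed unchanged to `ipaclient_servers` and `ipaclient_domain` although the parameter descriptions promise DNS discovery when unset — whether the ipaclient role treats an empty string as "not set" is not visible here, so a comment such as `# empty IdMServer/IdMDomain rely on the ipaclient role falling back to DNS discovery — verify` next to those vars would flag the assumption for the next maintainer. The keytab named by `IdMNovaKeytab` is exported via `KRB5_CLIENT_KTNAME` with no readability check, so a missing or unreadable keytab only surfaces as a Kerberos failure inside tripleo_ipa_registration; a `stat` precheck with an explicit failure message would make that misconfiguration obvious at step 1.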
--- a/environments/ssl/enable-internal-tls.j2.yaml
+++ b/environments/ssl/enable-internal-tls.j2.yaml
@@ -37,6 +37,8 @@ resource_registry:
 OS::TripleO::Services::CertmongerUser: ../../deployment/certs/certmonger-user-baremetal-puppet.yaml
 OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
 OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
+ # FIXME(xek): after removal of novajoin, switch to using this service instead
+ # OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
 OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
 {%- for role in roles %}
 OS::TripleO::{{role.name}}ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/{{role.name.lower()}}-role.yaml
diff --git a/environments/standalone/standalone-overcloud.yaml b/environments/standalone/standalone-overcloud.yaml
index 686cbd7c51..f3d1f998d9 100644
--- a/environments/standalone/standalone-overcloud.yaml
+++ b/environments/standalone/standalone-overcloud.yaml
@@ -72,6 +72,7 @@ resource_registry:
 OS::TripleO::Services::HeatApiCfn: OS::Heat::None
 OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
 OS::TripleO::Services::HeatEngine: OS::Heat::None
+ OS::TripleO::Services::IpaClient: OS::Heat::None
 OS::TripleO::Services::IronicApi: OS::Heat::None
 OS::TripleO::Services::IronicConductor: OS::Heat::None
 OS::TripleO::Services::IronicInspector: OS::Heat::None
diff --git a/environments/standalone/standalone-tripleo.yaml b/environments/standalone/standalone-tripleo.yaml
index 97e156e38c..6e8df643a7 100644
--- a/environments/standalone/standalone-tripleo.yaml
+++ b/environments/standalone/standalone-tripleo.yaml
@@ -81,6 +81,7 @@ resource_registry:
 OS::TripleO::Services::HeatApiCfn: OS::Heat::None
 OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
 OS::TripleO::Services::HeatEngine: OS::Heat::None
+ OS::TripleO::Services::IpaClient: OS::Heat::None
 OS::TripleO::Services::IronicApi: OS::Heat::None
 OS::TripleO::Services::IronicConductor: OS::Heat::None
 OS::TripleO::Services::IronicInspector: OS::Heat::None
diff --git a/sample-env-generator/ssl.yaml b/sample-env-generator/ssl.yaml
index ab73146cd4..59df6fad09 100644
--- a/sample-env-generator/ssl.yaml
+++ b/sample-env-generator/ssl.yaml
@@ -61,6 +61,8 @@ environments:
 # We use apache as a TLS proxy
 # FIXME(bogdando): switch it, once it is containerized
 OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
+ # FIXME(xek): after removal of novajoin, switch to using this service instead
+ # OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
 OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
 # Creates nova metadata that will create the extra service principals per
 # node.
diff --git a/sample-env-generator/standalone.yaml b/sample-env-generator/standalone.yaml
index d6e7c498be..20d9543d3c 100644
--- a/sample-env-generator/standalone.yaml
+++ b/sample-env-generator/standalone.yaml
@@ -106,6 +106,8 @@ environments:
 OS::TripleO::Services::HeatApiCfn: OS::Heat::None
 OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
 OS::TripleO::Services::HeatEngine: OS::Heat::None
+ # TLS
+ OS::TripleO::Services::IpaClient: OS::Heat::None
 # Ironic
 OS::TripleO::Services::IronicApi: OS::Heat::None
 OS::TripleO::Services::IronicConductor: OS::Heat::None
@@ -216,6 +218,8 @@ environments:
 OS::TripleO::Services::HeatApiCfn: OS::Heat::None
 OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
 OS::TripleO::Services::HeatEngine: OS::Heat::None
+ # TLS
+ OS::TripleO::Services::IpaClient: OS::Heat::None
 # Ironic
 OS::TripleO::Services::IronicApi: OS::Heat::None
 OS::TripleO::Services::IronicConductor: OS::Heat::None