Add new composable service for IpaClient
This new role is used to register nodes as ipa-clients and
configure the services required in IPA using ansible, rather
than using novajoin. This is required on the standalone
environment, where there is no novajoin. It will also be the
implementation used when nova is removed from the undercloud
and for pre-provisioned nodes. The existing IpaClient
composable service will be removed in a future release.
This code replaces the service ipaclient-baremetal-ansible by using
a role from freeipa-ansible to register the nodes (controllers,
computes) as ipa-clients.
In external_tasks, the host entry is created and an otp is stored
as a host variable. In deploy_step_tasks, this otp is used to
register the node. The IPA configuration tasks are delegated to
http://opendev.org/x/tripleo-ipa roles.
Co-Authored-By: Grzegorz Grasza <xek@redhat.com>
Change-Id: I7dcd4608d3998596c2e4da19a8eca0d48e1fa841
(cherry picked from commit ae68c90b92
)
parent
8de77560bb
commit
afb7b78e3a
|
@ -0,0 +1,122 @@
|
|||
heat_template_version: rocky
|
||||
|
||||
description: Add services and subhosts to IPA server
|
||||
|
||||
parameters:
|
||||
RoleNetIpMap:
|
||||
default: {}
|
||||
type: json
|
||||
ServiceData:
|
||||
default: {}
|
||||
description: Dictionary packing service data
|
||||
type: json
|
||||
ServiceNetMap:
|
||||
default: {}
|
||||
description: Mapping of service_name -> network name. Typically set
|
||||
via parameter_defaults in the resource registry. This
|
||||
mapping overrides those in ServiceNetMapDefaults.
|
||||
type: json
|
||||
DefaultPasswords:
|
||||
default: {}
|
||||
type: json
|
||||
RoleName:
|
||||
default: ''
|
||||
description: Role name on which the service is applied
|
||||
type: string
|
||||
RoleParameters:
|
||||
default: {}
|
||||
description: Parameters specific to the role
|
||||
type: json
|
||||
EndpointMap:
|
||||
default: {}
|
||||
description: Mapping of service endpoint -> protocol. Typically set
|
||||
via parameter_defaults in the resource registry.
|
||||
type: json
|
||||
PythonInterpreter:
|
||||
type: string
|
||||
description: The python interpreter to use for python and ansible actions
|
||||
default: "/usr/bin/python"
|
||||
IdMDomain:
|
||||
default: ''
|
||||
description: IDM domain to register IDM client. Typically, this is discovered
|
||||
through DNS and does not have to be set explicitly.
|
||||
type: string
|
||||
IdMServer:
|
||||
default: ''
|
||||
description: FQDN for the FreeIPA server. Typically, this is discovered
|
||||
through DNS and does not have to set explicitly.
|
||||
type: string
|
||||
IdMNovaKeytab:
|
||||
default: 'FILE:/etc/novajoin/krb5.keytab'
|
||||
description: keytab for the nova/[host fqdn] user on the FreeIPA server.
|
||||
type: string
|
||||
MakeHomeDir:
|
||||
type: boolean
|
||||
description: Configure PAM to create a users home directory if it does not exist.
|
||||
default: False
|
||||
IdMNoNtpSetup:
|
||||
default: False
|
||||
description: Set to true to add --no-ntp to the IDM client install call.
|
||||
This will cause IDM client install not to set up NTP.
|
||||
type: boolean
|
||||
IdMEnrollBaseServer:
|
||||
default: True
|
||||
description: Set to true to enroll the base server (computes, controllers)
|
||||
type: boolean
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the ipaservice service
|
||||
value:
|
||||
service_name: ipaservice
|
||||
upgrade_tasks: []
|
||||
step_config: ''
|
||||
external_deploy_tasks:
|
||||
- name: add the ipa services for this node in step 1
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: tripleo_ipa_registration
|
||||
apply:
|
||||
environment:
|
||||
IPA_USER: "nova/{{ ansible_fqdn }}"
|
||||
IPA_HOST: {get_param: IdMServer}
|
||||
KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
|
||||
vars:
|
||||
tripleo_ipa_enroll_base_server: {get_param: IdMEnrollBaseServer}
|
||||
tripleo_ipa_delegate_server: "{{ item }}"
|
||||
tripleo_ipa_base_server_fqdn: "{{hostvars[item]['fqdn_canonical']}}"
|
||||
tripleo_ipa_server_metadata: "{{hostvars[item]['service_metadata_settings'] | to_json }}"
|
||||
loop: "{{ groups.certmonger_user }}"
|
||||
deploy_steps_tasks:
|
||||
- name: enroll the node as an ipa client
|
||||
when: step|int == 1
|
||||
vars:
|
||||
state: present
|
||||
ipaclient_otp: "{{ ipa_host_otp }}"
|
||||
idm_enroll_base_server: {get_param: IdMEnrollBaseServer}
|
||||
ipaclient_mkhomedir: {get_param: MakeHomeDir}
|
||||
ipaclient_domain: {get_param: IdMDomain}
|
||||
ipaclient_no_ntp: {get_param: IdMNoNtpSetup}
|
||||
ipaclient_force: yes
|
||||
ipaclient_servers: {get_param: IdMServer}
|
||||
ipaclient_hostname: "{{ fqdn_canonical }}"
|
||||
ipaclients:
|
||||
- "{{ inventory_hostname }}"
|
||||
block:
|
||||
- name: check if default.conf exists
|
||||
stat:
|
||||
path: /etc/ipa/default.conf
|
||||
register: ipa_conf_exists
|
||||
- block:
|
||||
- name: register as an ipa client
|
||||
import_role:
|
||||
name: ipaclient
|
||||
- name: restart certmonger service
|
||||
systemd:
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
name: certmonger.service
|
||||
when:
|
||||
- idm_enroll_base_server|bool
|
||||
- not ipa_conf_exists.stat.exists
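Review bot: The host one-time password flows through `ipaclient_otp: "{{ ipa_host_otp }}"` in the vars of the `enroll the node as an ipa client` task into `import_role: name: ipaclient` with no `no_log`, so a verbose or failing run can echo the OTP in task output; unless the ipaclient role already suppresses its own parameters, add `no_log: true` on the `register as an ipa client` task, or a comment stating why it is deliberately left visible (it also masks enrollment errors). The `KRB5_CLIENT_KTNAME` set for `tripleo_ipa_registration` comes from `IdMNovaKeytab`, whose default is `FILE:/etc/novajoin/krb5.keytab`, while the commit message presents this service as the path for environments without novajoin; if that keytab is not present there, the parameter description should say which principal and keytab the registration step expects, something like `description: Keytab for the nova/[host fqdn] principal that creates the IPA host and service entries; must be readable on the node running external_deploy_tasks.` Style: the Heat defaults `default: False` / `default: True` and the Ansible var `ipaclient_force: yes` use YAML 1.1 truthy spellings; lowercase `false` / `true` is unambiguous across parsers and is what yamllint expects.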
|
|
@ -37,6 +37,8 @@ resource_registry:
|
|||
OS::TripleO::Services::CertmongerUser: ../../deployment/certs/certmonger-user-baremetal-puppet.yaml
|
||||
OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
|
||||
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
|
||||
# FIXME(xek): after removal of novajoin, switch to using this service instead
|
||||
# OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
|
||||
OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
|
||||
{%- for role in roles %}
|
||||
OS::TripleO::{{role.name}}ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/{{role.name.lower()}}-role.yaml
|
||||
|
|
|
@ -72,6 +72,7 @@ resource_registry:
|
|||
OS::TripleO::Services::HeatApiCfn: OS::Heat::None
|
||||
OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
|
||||
OS::TripleO::Services::HeatEngine: OS::Heat::None
|
||||
OS::TripleO::Services::IpaClient: OS::Heat::None
|
||||
OS::TripleO::Services::IronicApi: OS::Heat::None
|
||||
OS::TripleO::Services::IronicConductor: OS::Heat::None
|
||||
OS::TripleO::Services::IronicInspector: OS::Heat::None
|
||||
|
|
|
@ -85,6 +85,7 @@ resource_registry:
|
|||
OS::TripleO::Services::HeatApiCfn: OS::Heat::None
|
||||
OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
|
||||
OS::TripleO::Services::HeatEngine: OS::Heat::None
|
||||
OS::TripleO::Services::IpaClient: OS::Heat::None
|
||||
OS::TripleO::Services::IronicApi: OS::Heat::None
|
||||
OS::TripleO::Services::IronicConductor: OS::Heat::None
|
||||
OS::TripleO::Services::IronicInspector: OS::Heat::None
|
||||
|
|
|
@ -61,6 +61,8 @@ environments:
|
|||
# We use apache as a TLS proxy
|
||||
# FIXME(bogdando): switch it, once it is containerized
|
||||
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
|
||||
# FIXME(xek): after removal of novajoin, switch to using this service instead
|
||||
# OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
|
||||
OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
|
||||
# Creates nova metadata that will create the extra service principals per
|
||||
# node.
|
||||
|
|
|
@ -112,6 +112,8 @@ environments:
|
|||
OS::TripleO::Services::HeatApiCfn: OS::Heat::None
|
||||
OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
|
||||
OS::TripleO::Services::HeatEngine: OS::Heat::None
|
||||
# TLS
|
||||
OS::TripleO::Services::IpaClient: OS::Heat::None
|
||||
# Ironic
|
||||
OS::TripleO::Services::IronicApi: OS::Heat::None
|
||||
OS::TripleO::Services::IronicConductor: OS::Heat::None
|
||||
|
@ -228,6 +230,8 @@ environments:
|
|||
OS::TripleO::Services::HeatApiCfn: OS::Heat::None
|
||||
OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
|
||||
OS::TripleO::Services::HeatEngine: OS::Heat::None
|
||||
# TLS
|
||||
OS::TripleO::Services::IpaClient: OS::Heat::None
|
||||
# Ironic
|
||||
OS::TripleO::Services::IronicApi: OS::Heat::None
|
||||
OS::TripleO::Services::IronicConductor: OS::Heat::None
|
||||
|
|