Make sure IPA has the right ACI

We need a special ACI in FreeIPA to allow etcd to obtain a
certificate with an IP SAN.  This ACI needs to be added ahead of
time.  We add a call for a validation here to make sure that the
relevant ACI has been added.

On failure, the installation will fail with instructions to add
the ACI.

Depends-On: https://review.opendev.org/#/c/749575/
Change-Id: I9baaa77b5b846c96cf075244a8ccb6889469b08e
(cherry picked from commit 32934b30ab)
changes/84/749384/2
Ade Lee 9 months ago
parent
commit
c7eb592794
1 changed files with 19 additions and 5 deletions
deployment/etcd/etcd-container-puppet.yaml

@ -205,11 +205,25 @@ outputs:
- /var/lib/config-data/etcd/etc/etcd/:/etc/etcd:ro
- /var/lib/etcd:/var/lib/etcd:ro
host_prep_tasks:
- name: create /var/lib/etcd
file:
path: /var/lib/etcd
state: directory
setype: svirt_sandbox_file_t
list_concat:
-
- name: create /var/lib/etcd
file:
path: /var/lib/etcd
state: directory
setype: svirt_sandbox_file_t
-
if:
- internal_tls_enabled
-
- name: check if ipa server has required permissions
import_role:
name: tls_everywhere
tasks_from: ipa-server-check
tags:
- opendev-validation
- opendev-validation-tls-everywhere
- null
upgrade_tasks: []
metadata_settings:
if:
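
Review bot: The else branch of the `if` under `list_concat` in `host_prep_tasks` is `null`, so when `internal_tls_enabled` is false `list_concat` is handed a non-list element; an empty list (`[]`) there would state the intent directly instead of relying on how a null argument is treated. The task name "check if ipa server has required permissions" also does not say which permission is being checked. Naming the ACI for the etcd certificate with an IP SAN, as the commit message does, would make a failed run easier to read for the operator. A short comment on the `import_role` noting that `tasks_from: ipa-server-check` is expected to exist in the `tls_everywhere` role (the commit message lists a Depends-On change) would help anyone backporting this cherry-pick without that dependency. Finally, `upgrade_tasks` stays `[]` in the context line, so it is worth confirming that the check is also reached on the upgrade path and not only on a fresh deployment.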

