Make sure IPA has the right ACI

We need a special ACI in FreeIPA to allow etcd to obtain a certificate with an IP SAN. This ACI needs to be added ahead of time. We add a call for a validation here to make sure that the relevant ACI has been added. On failure, the installation will fail with instructions to add the ACI. The validation that is invoked here has already mereged in: https://review.opendev.org/#/c/741313/ Change-Id: I9baaa77b5b846c96cf075244a8ccb6889469b08e
2020-09-01 15:45:44 -04:00 · 2020-09-01 15:45:44 -04:00 · dc959f17c8
parent caf1c3d323
commit dc959f17c8
1 changed files with 19 additions and 5 deletions
--- a/deployment/etcd/etcd-container-puppet.yaml
+++ b/deployment/etcd/etcd-container-puppet.yaml
@ -205,11 +205,25 @@ outputs:
            - /var/lib/config-data/etcd/etc/etcd/:/etc/etcd:ro
            - /var/lib/etcd:/var/lib/etcd:ro
      host_prep_tasks:
-        - name: create /var/lib/etcd
-          file:
-            path: /var/lib/etcd
-            state: directory
-            setype: container_file_t
+        list_concat:
+          -
+            - name: create /var/lib/etcd
+              file:
+                path: /var/lib/etcd
+                state: directory
+                setype: container_file_t
+          -
+            if:
+              - internal_tls_enabled
+              -
+                - name: check if ipa server has required permissions
+                  import_role:
+                    name: tls_everywhere
+                    tasks_from: ipa-server-check
+                  tags:
+                    - opendev-validation
+                    - opendev-validation-tls-everywhere
+              - null
      upgrade_tasks: []
      metadata_settings:
        if: