Merge "Move ipa enrollment to host_prep_tasks"

2019-02-18 21:10:42 +00:00 · 2019-02-18 21:10:42 +00:00 · ea60b78f84
commit ea60b78f84
parent 7163fc924b 2a83856585
45 changed files with 202 additions and 0 deletions
--- a/environments/hyperconverged-ceph.yaml
+++ b/environments/hyperconverged-ceph.yaml
@ -45,6 +45,7 @@ parameter_defaults:
    - OS::TripleO::Services::SensuClient
    - OS::TripleO::Services::SkydiveAgent
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::AuditD
    - OS::TripleO::Services::Collectd
--- a/environments/ssl/enable-internal-tls.yaml
+++ b/environments/ssl/enable-internal-tls.yaml
@ -37,4 +37,5 @@ resource_registry:
  OS::TripleO::ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals.yaml
  OS::TripleO::Services::CertmongerUser: ../../puppet/services/certmonger-user.yaml
  OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
+  OS::TripleO::Services::IpaClient: ../../extraconfig/services/ipaclient.yaml
  OS::TripleO::Services::TLSProxyBase: ../../puppet/services/apache.yaml
--- a/extraconfig/services/ipaclient.yaml
+++ b/extraconfig/services/ipaclient.yaml
@ -0,0 +1,147 @@
+heat_template_version: rocky
+
+description: Registers nodes with the IPA server
+
+parameters:
+  RoleNetIpMap:
+    default: {}
+    type: json
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+
+outputs:
+  role_data:
+    description: Role data for the ipaclient service
+    value:
+      service_name: ipaclient
+      upgrade_tasks: []
+      step_config: ''
+      host_prep_tasks:
+        - name: enroll client in ipa and get metadata
+          become: yes
+          block:
+          - name: install needed packages
+            package:
+              name: "{{ item }}"
+              state: present
+            with_items:
+              - python-simplejson
+              - ipa-client
+              - ipa-admintools
+              - openldap-clients
+              - hostname
+
+          - name: create enrollment script
+            copy:
+              dest: /root/setup-ipa-client.sh
+              mode: '0700'
+              content: |
+                #!/bin/sh
+                set -x
+
+                function get_metadata_config_drive {
+                    if [ -f /run/cloud-init/status.json ]; then
+                    # Get metadata from config drive
+                    data=`cat /run/cloud-init/status.json`
+                    config_drive=`echo $data | python -c 'import json,re,sys;obj=json.load(sys.stdin);ds=obj.get("v1", {}).get("datasource"); print re.findall(r"source=(.*)]", ds)[0]'`
+                    if [[ -b $config_drive ]]; then
+                  temp_dir=`mktemp -d`
+                  mount $config_drive $temp_dir
+                  if [ -f $temp_dir/openstack/latest/vendor_data2.json ]; then
+                  data=`cat $temp_dir/openstack/latest/vendor_data2.json`
+                  umount $config_drive
+                  rmdir $temp_dir
+                  else
+                  umount $config_drive
+                  rmdir $temp_dir
+                  fi
+                    else
+                  echo "Unable to retrieve metadata from config drive."
+                  return 1
+                    fi
+                    else
+                    echo "Unable to retrieve metadata from config drive."
+                    return 1
+                    fi
+
+                    return 0
+                }
+
+                function get_metadata_network {
+                    # Get metadata over the network
+                    data=$(timeout 300 /bin/bash -c 'data=""; while [ -z "$data" ]; do sleep $[ ( $RANDOM % 10 )  + 1 ]s; data=`curl -s http://169.254.169.254/openstack/2016-10-06/vendor_data2.json 2>/dev/null`; done; echo $data')
+
+                    if [[ $? != 0 ]] ; then
+                    echo "Unable to retrieve metadata from metadata service."
+                    return 1
+                    fi
+                }
+
+                if ! get_metadata_config_drive; then
+                   if ! get_metadata_network; then
+                       echo "FATAL: No metadata available"
+                       exit 1
+                   fi
+                fi
+
+                # Get the instance hostname out of the metadata
+                fqdn=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get("join", {}).get("hostname", "")'`
+
+                if [ -z "$fqdn" ]; then
+                    echo "Unable to determine hostname"
+                    exit 1
+                fi
+
+                realm=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get("join", {}).get("krb_realm", "")'`
+                otp=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.get("join", {}).get("ipaotp", "")'`
+
+                hostname=`/bin/hostname -f`
+
+                # Force hostname to use the FQDN
+                hostnamectl set-hostname $fqdn
+
+                # run ipa-client-install
+                OPTS="-U -w $otp"
+                if [ $hostname != $fqdn ]; then
+                    OPTS="$OPTS --hostname $fqdn"
+                fi
+                if [ -n "$realm" ]; then
+                    OPTS="$OPTS --realm=$realm"
+                fi
+
+                # Ensure we have the proper domain in /etc/resolv.conf
+                domain=$(hostname -d)
+                if ! grep -q ${domain} /etc/resolv.conf ; then
+                    sed -i "0,/nameserver/s/\(nameserver.*\)/search ${domain}\n\1/" /etc/resolv.conf
+                fi
+
+                ipa-client-install $OPTS
+
+          - name: run enrollment script
+            shell: /root/setup-ipa-client.sh >> /var/log/setup-ipa-client-ansible.log 2>&1
+            args:
+              creates: /etc/ipa/default.conf
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@ -238,6 +238,7 @@ resource_registry:

  # Services that are disabled by default (use relevant environment files):
  OS::TripleO::Services::Fluentd: OS::Heat::None
+  OS::TripleO::Services::IpaClient: OS::Heat::None
  OS::TripleO::Services::Ipsec: OS::Heat::None
  OS::TripleO::Services::Rhsm: OS::Heat::None
  OS::TripleO::Services::MasqueradeNetworks: OS::Heat::None
--- a/releasenotes/notes/move-ipaclient-enroll-to-host-prep-tasks-934c6e0a9f75f15b.yaml
+++ b/releasenotes/notes/move-ipaclient-enroll-to-host-prep-tasks-934c6e0a9f75f15b.yaml
@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    When setting up TLS everywhere, some deployers may not have their FreIPA
+    server in the ctlplane, causing the ipaclient registration to fail.
+    We move this registration to host-prep tasks and invoke it using ansible.
+    At this point, all networks should be set up and the FreeIPA server should
+    be accessible.
--- a/roles/BlockStorage.yaml
+++ b/roles/BlockStorage.yaml
@ -24,6 +24,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/CephAll.yaml
+++ b/roles/CephAll.yaml
@ -25,6 +25,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/CephFile.yaml
+++ b/roles/CephFile.yaml
@ -22,6 +22,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/CephObject.yaml
+++ b/roles/CephObject.yaml
@ -22,6 +22,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/CephStorage.yaml
+++ b/roles/CephStorage.yaml
@ -21,6 +21,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/Compute.yaml
+++ b/roles/Compute.yaml
@ -43,6 +43,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeAlt.yaml
+++ b/roles/ComputeAlt.yaml
@ -30,6 +30,7 @@
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::ComputeNeutronOvsAgentAlt
    - OS::TripleO::Services::FluentdAlt
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::IscsidAlt
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::MySQLClient
--- a/roles/ComputeDVR.yaml
+++ b/roles/ComputeDVR.yaml
@ -31,6 +31,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeHCI.yaml
+++ b/roles/ComputeHCI.yaml
@ -32,6 +32,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeInstanceHA.yaml
+++ b/roles/ComputeInstanceHA.yaml
@ -32,6 +32,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeLiquidio.yaml
+++ b/roles/ComputeLiquidio.yaml
@ -33,6 +33,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeOvsDpdk.yaml
+++ b/roles/ComputeOvsDpdk.yaml
@ -34,6 +34,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsDpdk
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeOvsDpdkRT.yaml
+++ b/roles/ComputeOvsDpdkRT.yaml
@ -34,6 +34,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsDpdk
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeOvsDpdkSriov.yaml
+++ b/roles/ComputeOvsDpdkSriov.yaml
@ -30,6 +30,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsDpdk
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeOvsDpdkSriovRT.yaml
+++ b/roles/ComputeOvsDpdkSriovRT.yaml
@ -31,6 +31,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsDpdk
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputePPC64LE.yaml
+++ b/roles/ComputePPC64LE.yaml
@ -32,6 +32,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeRealTime.yaml
+++ b/roles/ComputeRealTime.yaml
@ -38,6 +38,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeSriov.yaml
+++ b/roles/ComputeSriov.yaml
@ -30,6 +30,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/ComputeSriovRT.yaml
+++ b/roles/ComputeSriovRT.yaml
@ -31,6 +31,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/Controller.yaml
+++ b/roles/Controller.yaml
@ -95,6 +95,7 @@
    - OS::TripleO::Services::HeatApiCfn
    - OS::TripleO::Services::HeatEngine
    - OS::TripleO::Services::Horizon
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicApi
    - OS::TripleO::Services::IronicConductor
--- a/roles/ControllerAllNovaStandalone.yaml
+++ b/roles/ControllerAllNovaStandalone.yaml
@ -58,6 +58,7 @@
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::GlanceApi
    - OS::TripleO::Services::GnocchiApi
--- a/roles/ControllerNoCeph.yaml
+++ b/roles/ControllerNoCeph.yaml
@ -88,6 +88,7 @@
    - OS::TripleO::Services::HeatApiCfn
    - OS::TripleO::Services::HeatEngine
    - OS::TripleO::Services::Horizon
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicApi
    - OS::TripleO::Services::IronicConductor
--- a/roles/ControllerOpenstack.yaml
+++ b/roles/ControllerOpenstack.yaml
@ -63,6 +63,7 @@
    - OS::TripleO::Services::Ec2Api
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::GlanceApi
    - OS::TripleO::Services::GnocchiApi
--- a/roles/ControllerStorageNfs.yaml
+++ b/roles/ControllerStorageNfs.yaml
@ -89,6 +89,7 @@
    - OS::TripleO::Services::HeatApiCfn
    - OS::TripleO::Services::HeatEngine
    - OS::TripleO::Services::Horizon
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicApi
    - OS::TripleO::Services::IronicConductor
--- a/roles/Database.yaml
+++ b/roles/Database.yaml
@ -18,6 +18,7 @@
    - OS::TripleO::Services::Clustercheck
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/DistributedCompute.yaml
+++ b/roles/DistributedCompute.yaml
@ -31,6 +31,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/DistributedComputeHCI.yaml
+++ b/roles/DistributedComputeHCI.yaml
@ -36,6 +36,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/HciCephAll.yaml
+++ b/roles/HciCephAll.yaml
@ -38,6 +38,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/HciCephFile.yaml
+++ b/roles/HciCephFile.yaml
@ -34,6 +34,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/HciCephMon.yaml
+++ b/roles/HciCephMon.yaml
@ -35,6 +35,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/HciCephObject.yaml
+++ b/roles/HciCephObject.yaml
@ -34,6 +34,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
--- a/roles/IronicConductor.yaml
+++ b/roles/IronicConductor.yaml
@ -19,6 +19,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicConductor
    - OS::TripleO::Services::IronicPxe
--- a/roles/Messaging.yaml
+++ b/roles/Messaging.yaml
@ -17,6 +17,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/Networker.yaml
+++ b/roles/Networker.yaml
@ -19,6 +19,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicNeutronAgent
    - OS::TripleO::Services::Kernel
--- a/roles/Novacontrol.yaml
+++ b/roles/Novacontrol.yaml
@ -18,6 +18,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/ObjectStorage.yaml
+++ b/roles/ObjectStorage.yaml
@ -29,6 +29,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/Standalone.yaml
+++ b/roles/Standalone.yaml
@ -81,6 +81,7 @@
    - OS::TripleO::Services::HeatApiCloudwatch
    - OS::TripleO::Services::HeatEngine
    - OS::TripleO::Services::Horizon
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicApi
    - OS::TripleO::Services::IronicConductor
--- a/roles/Telemetry.yaml
+++ b/roles/Telemetry.yaml
@ -31,6 +31,7 @@
    - OS::TripleO::Services::GnocchiApi
    - OS::TripleO::Services::GnocchiMetricd
    - OS::TripleO::Services::GnocchiStatsd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles_data.yaml
+++ b/roles_data.yaml
@ -98,6 +98,7 @@
    - OS::TripleO::Services::HeatApiCfn
    - OS::TripleO::Services::HeatEngine
    - OS::TripleO::Services::Horizon
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicApi
    - OS::TripleO::Services::IronicConductor
@ -234,6 +235,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
@ -291,6 +293,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
@ -341,6 +344,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
@ -385,6 +389,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
+    - OS::TripleO::Services::IpaClient
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/sample-env-generator/ssl.yaml
+++ b/sample-env-generator/ssl.yaml
@ -61,6 +61,7 @@ environments:
      OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
      # We use apache as a TLS proxy
      # FIXME(bogdando): switch it, once it is containerized
+      OS::TripleO::Services::IpaClient: ../../extraconfig/services/ipaclient.yaml
      OS::TripleO::Services::TLSProxyBase: ../../puppet/services/apache.yaml
      # Creates nova metadata that will create the extra service principals per
      # node.