From dc959f17c8a783ea44ad77b9eca7964712ea4ca9 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Tue, 1 Sep 2020 15:45:44 -0400
Subject: [PATCH] Make sure IPA has the right ACI We need a special ACI in FreeIPA to allow etcd to obtain a certificate with an IP SAN. This ACI needs to be added ahead of time. We add a call for a validation here to make sure that the relevant ACI has been added. On failure, the installation will fail with instructions to add the ACI. The validation that is invoked here has already mereged in: https://review.opendev.org/#/c/741313/
Change-Id: I9baaa77b5b846c96cf075244a8ccb6889469b08e
---
 deployment/etcd/etcd-container-puppet.yaml | 24 +++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml
index 9822bf4bdb..64c8219248 100644
--- a/deployment/etcd/etcd-container-puppet.yaml
+++ b/deployment/etcd/etcd-container-puppet.yaml
@@ -205,11 +205,25 @@ outputs:
 - /var/lib/config-data/etcd/etc/etcd/:/etc/etcd:ro
 - /var/lib/etcd:/var/lib/etcd:ro
 host_prep_tasks:
- - name: create /var/lib/etcd
- file:
- path: /var/lib/etcd
- state: directory
- setype: container_file_t
+ list_concat:
+ -
+ - name: create /var/lib/etcd
+ file:
+ path: /var/lib/etcd
+ state: directory
+ setype: container_file_t
+ -
+ if:
+ - internal_tls_enabled
+ -
+ - name: check if ipa server has required permissions
+ import_role:
+ name: tls_everywhere
+ tasks_from: ipa-server-check
+ tags:
+ - opendev-validation
+ - opendev-validation-tls-everywhere
+ - null
 upgrade_tasks: []
 metadata_settings:
 if:
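Review bot: The `import_role` task added under `host_prep_tasks` does not say what it verifies or why it sits in the etcd template; the reason (etcd needs a FreeIPA ACI that permits a certificate with an IP SAN) is recorded only in the commit message. A comment above the task, for example `# etcd requests a cert with an IP SAN; FreeIPA needs an ACI permitting that, so fail early if it is missing`, would keep that with the code. Because the task is tagged `opendev-validation` and `opendev-validation-tls-everywhere`, a run that skips those tags presumably bypasses the check, so a missing ACI would only surface later when the certificate is requested; the same comment should say so. The check also relies on `ipa-server-check` being present in the `tls_everywhere` role on the node, and since `import_role` is resolved statically, an older copy of the role would likely fail at parse time rather than with the intended instructions; that role's content and the `internal_tls_enabled` condition definition are outside this hunk.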