Move ipa check to external_deploy_tasks
The ipa dns acl validation needs to occur on the undercloud
rather than on the node, because in a new environment, the node
is not yet set up as an ipa client. That only happens in the
deploy_steps tasks.
I also removed the validation tags so that this check could be
done even if validations are not requested. The check itself
is not expensive, and troubleshooting the issue we're trying to
prevent is somewhat tricky. Much better to fail fast.
Change-Id: I021a2aa173f58e0e7cb37022b73ef17782033f70
(cherry picked from commit 81087b49c2
)
parent
8cf6c836b4
commit
fe170a3160
|
@ -205,25 +205,21 @@ outputs:
|
|||
- /var/lib/config-data/etcd/etc/etcd/:/etc/etcd:ro
|
||||
- /var/lib/etcd:/var/lib/etcd:ro
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- name: create /var/lib/etcd
|
||||
file:
|
||||
path: /var/lib/etcd
|
||||
state: directory
|
||||
setype: container_file_t
|
||||
external_deploy_tasks:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: create /var/lib/etcd
|
||||
file:
|
||||
path: /var/lib/etcd
|
||||
state: directory
|
||||
setype: container_file_t
|
||||
-
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- name: check if ipa server has required permissions
|
||||
import_role:
|
||||
name: tls_everywhere
|
||||
tasks_from: ipa-server-check
|
||||
tags:
|
||||
- opendev-validation
|
||||
- opendev-validation-tls-everywhere
|
||||
- null
|
||||
- name: check if ipa server has required permissions
|
||||
when: step|int == 1
|
||||
import_role:
|
||||
name: tls_everywhere
|
||||
tasks_from: ipa-server-check
|
||||
- null
|
||||
upgrade_tasks: []
|
||||
metadata_settings:
|
||||
if:
|
||||
|
|
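Review bot: The relocated `check if ipa server has required permissions` task under `external_deploy_tasks` has no comment saying why it runs there or why it is untagged. A later cleanup could move it back to `host_prep_tasks` or re-add the `opendev-validation` tags and quietly lose the fail-fast check. I would add a comment above the task such as `# Runs on the undercloud at step 1: overcloud nodes are not IPA clients until the deploy_steps tasks; deliberately untagged so the check is never skipped.` Separately, the `if` appears to fall through to `null` when `internal_tls_enabled` is false, whereas the old `host_prep_tasks` value was always a list via `list_concat`, so it is worth confirming that the consumer of `external_deploy_tasks` accepts a null value. Indentation and the +/- markers are lost on this page, so this reading of the new side is inferred from the commit description and the hunk's line counts.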