The ipaclient ansible role requires that ansible_fqdn is defined but
due to [1] we don't have ansible_fqdn inside of ansible_facts. This
uses the 'fqdn' ansible fact for ansible_fqdn which is equivalent.
[1]: https://opendev.org/openstack/tripleo-heat-templates/commit/4e79336d69e6b7fa4b026922bac7953bafeee96d
Related-Bug: 1915761
Closes-Bug: 1923248
Change-Id: I0a740e86588c96fff24fa09698c35e492d1c64db

With I57047682cfa82ba6ca4affff54fab5216e9ba51c Heat has added
a new template version for wallaby. This would allow us to use
the 2-argument variant of the ``if`` function that would allow for
e.g. conditional definition of resource properties and help
clean up templates. If only two arguments are passed to the ``if``
function, the entire enclosing item is removed when the condition
is false.
Change-Id: I25f981b60c6a66b39919adc38c02a051b6c51269

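An added example of the two-argument ``if`` form described in the commit above; it is not code from tripleo-heat-templates and assumes the wallaby template version plus hypothetical parameter and resource names:

```yaml
# Added example, not part of tripleo-heat-templates. Assumes the
# wallaby heat_template_version; parameter and resource names are
# hypothetical.
heat_template_version: wallaby

parameters:
  image:
    type: string
  flavor:
    type: string
  key_name:
    type: string
    default: ''
    description: Optional Nova keypair; leave empty to omit it.

conditions:
  # True only when a non-empty key_name was supplied.
  key_name_set:
    not: {equals: [{get_param: key_name}, '']}

resources:
  server:
    type: OS::Nova::Server
    properties:
      image: {get_param: image}
      flavor: {get_param: flavor}
      # Two-argument form: when key_name_set is false the whole
      # key_name property is removed from the resource, instead of
      # being set to null as the three-argument form would require.
      key_name: {if: [key_name_set, {get_param: key_name}]}
```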
This is using linux-system-roles.certificate ansible role,
which replaces puppet-certmonger for submitting certificate
requests to certmonger. Each service is configured through
its heat template.
Partial-Implements: blueprint ansible-certmonger
Depends-On: https://review.rdoproject.org/r/31713
Change-Id: Ib868465c20d97c62cbcb214bfc62d949bd6efc62

In order to set ANSIBLE_INJECT_FACT_VARS=False we have to use ansible_facts
instead of ansible_* vars. This change switches our distribution and
hostname related items to use ansible_facts instead.
Change-Id: I49a2c42dcbb74671834f312798367f411c819813
Related-Bug: #1915761

This was mainly there as a legacy interface which was
for internal use. Now that we pull the passwords from
the existing environment and don't use it, we can drop
this.
Reduces a number of heat resources.
Change-Id: If83d0f3d72a229d737a45b2fd37507dc11a04649

This avoids passing an empty value to the --server and --domain options
of ipa-client-install. These are then auto-detected, as described in
the IdMServer and IdMDomain parameters descriptions.
Change-Id: I3a8725f0b64caf9fa50c90bf49634dffe0ad9b79
Closes-Bug: #1904856
Resolves: rhbz#1874936

openssl-perl is used to get the directory /etc/pki/CA, which
is needed for cert requests during the deployment. In OVB
deployments, this package is part of the image and so does not need
to be installed.
In pre-provisioned node environments, we need to document that this
package needs to be installed. By adding this patch, we ensure that
it is there before we need it for certs.
This of course assumes we're not in some kind of airgapped environment
(which is why it's dependent on IdMInstallClientPackages). In that case,
we need to continue to doc what must be there.
Change-Id: I7fe5404144f7a75a5a1c257ceef9593719ac5dbc

If ansible detects uppercase characters in delegate_to, it assumes the
target is a group, not a host.
We should use all lowercase representation (e.g., `undercloud`) so that
ansible does the right thing and looks for the host, instead of looking
for the `Undercloud` group.
Change-Id: If31e620b88830ef85a2bddaccd6cd7064cce4472

Previously, we were delegating the IPA cleanup role to the undercloud
via localhost. This is because the keytab used to authenticate to
FreeIPA and perform the cleanup of host entries during scale down is on
the undercloud. However, when using train, ansible is invoked from the
mistral container when using `delegate_to: localhost`. In this case,
you'll end up with a privilege escalation error:
"sudo: unable to open /run/sudo/ts/mistral: Permission denied\nsudo: a password is required\n",
This is because the mistral container doesn't have passwordless sudo,
resulting in a failed privilege escalation.
Instead, we should make sure we delegate this task to the Undercloud,
where we know the tripleo-admin user is set up properly.
Change-Id: I844f78c520d7b507d906faf7242e72dd717f9cb5
Related-Bug: 1891317

In RHEL 8, ansible-freeipa uses RHEL8 modules to determine which
IPA client packages to install. If the system is not registered,
this fails because the RHEL 8 repos and groups are not available.
Fortunately, the IPA client packages are already in the overcloud
image. We add here an option to tell ansible-freeipa not to check
for and install any packages to the overcloud nodes to allow the
client registration to succeed.
Change-Id: I702bc4e5ea44af2e7f6247e5ad85ec41cfb17406

When IPA_HOST is an empty string, the ansible module doesn't
fall back on DNS. The environment variable must be not defined,
if the value is an empty string. This might be fixed in the future:
https://github.com/ansible-collections/community.general/pull/241
This change also adds a note to the description, because in case
the server is provided, the domain is required:
https://pagure.io/freeipa/issue/3912
Change-Id: Idf38c234e50442aed082d9a0ebbd488344d50a90

scale_down tasks will be executed when a node is scaled down to
deregister the node with ipa and clean up the relevant subhosts and
services and revoke the issued certs.
Change-Id: Ib636dc528687dc67fae85c27a1571f51ae7332e7

This adds forward and reverse DNS records for all services.
Without the reverse DNS entries, certificates cannot be created
for etcd which requires a subject alternative name (SAN) entry
to be included. This is used by cinder for A/A support.
The task is delegated to tripleo-ipa. It uses the host_entry
which is also used for managing the entries in /etc/hosts.
Depends-On: https://review.opendev.org/#/c/716982/
Change-Id: I41681f90f70fa0dffe4abbe3d6d5c48015589f66
Related-bug: #1869955
Related: rhbz#1804079

This new role is used to register nodes as ipa-clients and
configure the services required in IPA using ansible, rather
than using novajoin. This is required on the standalone
environment, where there is no novajoin. It will also be the
implementation used when nova is removed from the undercloud
and for pre-provisioned nodes. The existing IpaClient
composable service will be removed in a future release.
This code replaces the server ipaclient-baremetal-ansible by using
a role from freeipa-ansible to register the nodes (controllers,
computes) as ipa-clients.
In external_tasks, the host entry is created and an otp is stored
as a host variable. In deploy_step_tasks, this otp is used to
register the node. The IPA configuration tasks are delegated to
http://opendev.org/x/tripleo-ipa roles.
Co-Authored-By: Grzegorz Grasza <xek@redhat.com>
Change-Id: I7dcd4608d3998596c2e4da19a8eca0d48e1fa841