heat_template_version: wallaby description: Add services and subhosts to IPA server parameters: RoleNetIpMap: default: {} type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. Use parameter_merge_strategies to merge it with the defaults. type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json IdMDomain: default: '' description: IDM domain to register IDM client. Typically, this is discovered through DNS and does not have to be set explicitly. type: string IdMServer: default: [] description: FQDN for the FreeIPA server. If you set this value, IdMDomain also has to be provided. Typically, this is discovered through DNS and does not have to be set explicitly. type: comma_delimited_list IdMNovaKeytab: default: 'FILE:/etc/novajoin/krb5.keytab' description: keytab for the nova/[host fqdn] user on the FreeIPA server. type: string IdMNovaCredentialCache: default: '/etc/novajoin/krb5.cache' description: credential cache for nova/[host fqdn] user type: string MakeHomeDir: type: boolean description: Configure PAM to create a users home directory if it does not exist. default: False IdMNoNtpSetup: default: False description: Set to true to add --no-ntp to the IDM client install call. This will cause IDM client install not to set up NTP. type: boolean IdMEnrollBaseServer: default: True description: Set to true to enroll the base server (computes, controllers) type: boolean IdMInstallClientPackages: default: False description: Set to True to have ansible-freeipa install ipa client packages on the overcloud node. type: boolean IdMModifyDNS: default: True description: Set to false to disable DNS records manipulation in the FreeIPA server. type: boolean IdMZoneSplitIPv4: default: 1 description: The level by which the PTR DNS record is split when creating zones. type: string IdMZoneSplitIPv6: default: 1 description: The level by which the PTR DNS record is split when creating zones. type: string conditions: idm_server_provided: not: equals: [{get_param: IdMServer}, []] outputs: role_data: description: Role data for the ipaservice service value: service_name: ipaservice upgrade_tasks: [] step_config: '' external_deploy_tasks: - name: add the ipa services for this node in step 1 when: step|int == 1 block: - name: Ensure ansible_fqdn is defined set_fact: ansible_fqdn: "{{ ansible_facts['fqdn'] }}" - include_role: name: tripleo_ipa_registration vars: tripleo_ipa_enroll_base_server: {get_param: IdMEnrollBaseServer} tripleo_ipa_delegate_server: "{{ item }}" tripleo_ipa_base_server_fqdn: "{{ hostvars[item]['fqdn_canonical'] }}" tripleo_ipa_server_metadata: "{{ hostvars[item]['service_metadata_settings'] | to_json }}" loop: "{{ groups.ipaservice }}" - include_role: name: tripleo_ipa_dns vars: tripleo_ipa_ptr_zone_split_ipv4: {get_param: IdMZoneSplitIPv4} tripleo_ipa_ptr_zone_split_ipv6: {get_param: IdMZoneSplitIPv6} when: {get_param: IdMModifyDNS} environment: map_merge: - IPA_USER: "nova/{{ ansible_facts['fqdn'] }}" KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab} KRB5CCNAME: {get_param: IdMNovaCredentialCache} - if: - idm_server_provided - IPA_HOST: {get_param: [IdMServer, 0]} - name: enroll the node as an ipa client #NOTE(xek): this is moved to external_deploy_tasks to make sure this happens before certificates are requested from certmonger when: step|int == 1 vars: ipaclient_install_packages: {get_param: IdMInstallClientPackages} idm_enroll_base_server: {get_param: IdMEnrollBaseServer} block: - name: check if default.conf exists delegate_to: "{{ item }}" stat: path: /etc/ipa/default.conf register: ipa_conf_exists loop: "{{ groups.ipaservice }}" - name: install openssl-perl delegate_to: "{{ item }}" become: true package: name: openssl-perl state: present loop: "{{ groups.ipaservice }}" when: - ipaclient_install_packages|bool - name: register as an ipa client include_role: name: ipaclient apply: delegate_to: "{{ outer_item.0 }}" become: true vars: map_merge: - state: present ipaclient_otp: "{{ hostvars[outer_item.0]['ipa_host_otp'] }}" ipaclient_mkhomedir: {get_param: MakeHomeDir} ipaclient_no_ntp: {get_param: IdMNoNtpSetup} ipaclient_force: true ipaclient_hostname: "{{ hostvars[outer_item.0]['fqdn_canonical'] }}" ansible_fqdn: "{{ ipaclient_hostname }}" ipaclients: - "{{ outer_item.0 }}" #NOTE(xek): The following is a workaround till ipaclient is fixed to use ansible_facts # see: https://github.com/freeipa/ansible-freeipa/pull/517 ansible_distribution: "{{ ansible_facts['distribution'] }}" ansible_distribution_major_version: "{{ ansible_facts['distribution_major_version'] }}" ansible_distribution_release: "{{ ansible_facts['distribution_release'] }}" ansible_distribution_version: "{{ ansible_facts['distribution_version'] }}" ansible_os_family: "{{ ansible_facts['os_family'] }}" - if: - idm_server_provided - ipaclient_servers: {get_param: IdMServer} ipaclient_domain: {get_param: IdMDomain} when: - idm_enroll_base_server|bool - not outer_item.1.stat.exists loop: "{{ groups.ipaservice|zip(ipa_conf_exists.results)|list }}" loop_control: loop_var: outer_item - name: restart certmonger service delegate_to: "{{ item.0 }}" become: true systemd: state: restarted daemon_reload: true name: certmonger.service when: - idm_enroll_base_server|bool - not item.1.stat.exists loop: "{{ groups.ipaservice|zip(ipa_conf_exists.results)|list }}" - name: set discovered ipa realm delegate_to: "{{ item }}" delegate_facts: true set_fact: idm_realm: str_replace: template: "{{ lookup('ini', 'realm default=DEFAULT section=global file=/etc/ipa/default.conf')}}" params: DEFAULT: yaql: expression: $.data.toUpper() data: {get_param: IdMDomain} loop: "{{ groups.ipaservice }}" scale_tasks: - when: step|int == 1 tags: down block: - name: unregister node from ipa server import_role: name: tripleo_ipa_cleanup delegate_to: "{{ groups['Undercloud'] | first }}" vars: tripleo_ipa_keytab: {get_param: IdMNovaKeytab} tripleo_ipa_hosts_to_delete: - "{{ fqdn_canonical }}" external_upgrade_tasks: - when: step|int == 1 block: - name: check if ipa server has required permissions import_role: name: tls_everywhere tasks_from: ipa-server-check tags: - opendev-validation - opendev-validation-tls-everywhere