Heat templates for deploying OpenStack
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

188 lines
6.9 KiB

heat_template_version: rocky
description: Add services and subhosts to IPA server
parameters:
RoleNetIpMap:
default: {}
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
PythonInterpreter:
type: string
description: The python interpreter to use for python and ansible actions
default: "$(command -v python3 || command -v python)"
IdMDomain:
default: ''
description: IDM domain to register IDM client. Typically, this is discovered
through DNS and does not have to be set explicitly.
type: string
IdMServer:
default: ''
description: FQDN for the FreeIPA server. If you set this value, IdMDomain
also has to be provided. Typically, this is discovered
through DNS and does not have to set explicitly.
type: string
IdMNovaKeytab:
default: 'FILE:/etc/novajoin/krb5.keytab'
description: keytab for the nova/[host fqdn] user on the FreeIPA server.
type: string
MakeHomeDir:
type: boolean
description: Configure PAM to create a users home directory if it does not exist.
default: False
IdMNoNtpSetup:
default: False
description: Set to true to add --no-ntp to the IDM client install call.
This will cause IDM client install not to set up NTP.
type: boolean
IdMEnrollBaseServer:
default: True
description: Set to true to enroll the base server (computes, controllers)
type: boolean
IdMInstallClientPackages:
default: False
description: Set to True to have ansible-freeipa install ipa client packages
on the overcloud node.
type: boolean
IdMModifyDNS:
default: True
description: Set to false to disable DNS records manipulation in the FreeIPA server.
type: boolean
IdMZoneSplitIPv4:
default: 1
description: The level by which the PTR DNS record is split when creating zones.
type: string
IdMZoneSplitIPv6:
default: 1
description: The level by which the PTR DNS record is split when creating zones.
type: string
conditions:
idm_server_provided:
not:
equals: [{get_param: IdMServer}, ""]
outputs:
role_data:
description: Role data for the ipaservice service
value:
service_name: ipaservice
upgrade_tasks: []
step_config: ''
external_deploy_tasks:
- name: add the ipa services for this node in step 1
when: step|int == 1
block:
- name: Ensure ansible_fqdn is defined
set_fact:
ansible_fqdn: "{{ ansible_facts['fqdn'] }}"
- include_role:
name: tripleo_ipa_registration
vars:
tripleo_ipa_enroll_base_server: {get_param: IdMEnrollBaseServer}
tripleo_ipa_delegate_server: "{{ item }}"
tripleo_ipa_base_server_fqdn: "{{ hostvars[item]['fqdn_canonical'] }}"
tripleo_ipa_server_metadata: "{{ hostvars[item]['service_metadata_settings'] | to_json }}"
loop: "{{ groups.certmonger_user }}"
- include_role:
name: tripleo_ipa_dns
vars:
tripleo_ipa_ptr_zone_split_ipv4: {get_param: IdMZoneSplitIPv4}
tripleo_ipa_ptr_zone_split_ipv6: {get_param: IdMZoneSplitIPv6}
when: {get_param: IdMModifyDNS}
environment:
if:
- idm_server_provided
- IPA_HOST: {get_param: IdMServer}
IPA_USER: "nova/{{ ansible_facts['fqdn'] }}"
KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
- IPA_USER: "nova/{{ ansible_facts['fqdn'] }}"
KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
deploy_steps_tasks:
- name: enroll the node as an ipa client
when: step|int == 1
vars:
map_merge:
-
state: present
ipaclient_otp: "{{ ipa_host_otp }}"
idm_enroll_base_server: {get_param: IdMEnrollBaseServer}
ipaclient_mkhomedir: {get_param: MakeHomeDir}
ipaclient_no_ntp: {get_param: IdMNoNtpSetup}
ipaclient_force: yes
ipaclient_hostname: "{{ fqdn_canonical }}"
ipaclient_install_packages: {get_param: IdMInstallClientPackages}
ipaclients:
- "{{ inventory_hostname }}"
ansible_distribution: "{{ ansible_facts['distribution'] }}"
ansible_distribution_major_version: "{{ ansible_facts['distribution_major_version'] }}"
ansible_distribution_release: "{{ ansible_facts['distribution_release'] }}"
ansible_distribution_version: "{{ ansible_facts['distribution_version'] }}"
ansible_os_family: "{{ ansible_facts['os_family'] }}"
ansible_fqdn: "{{ ipaclient_hostname }}"
-
if:
- idm_server_provided
- ipaclient_servers: {get_param: IdMServer}
ipaclient_domain: {get_param: IdMDomain}
- {}
block:
- name: check if default.conf exists
stat:
path: /etc/ipa/default.conf
register: ipa_conf_exists
- name: install openssl-perl
package:
name: openssl-perl
state: present
when:
- ipaclient_install_packages|bool
- block:
- name: register as an ipa client
import_role:
name: ipaclient
- name: restart certmonger service
systemd:
state: restarted
daemon_reload: true
name: certmonger.service
when:
- idm_enroll_base_server|bool
- not ipa_conf_exists.stat.exists
scale_tasks:
- when: step|int == 1
tags: down
block:
- name: unregister node from ipa server
import_role:
name: tripleo_ipa_cleanup
delegate_to: undercloud
vars:
tripleo_ipa_keytab: {get_param: IdMNovaKeytab}
tripleo_ipa_hosts_to_delete:
- "{{ fqdn_canonical }}"