tripleo-heat-templates/deployment/tls/undercloud-tls.yaml

heat_template_version: wallaby

description: Enrolls the undercloud with the IPA server for TLS-e deployments

parameters:
  RoleNetIpMap:
    default: {}
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. Use
                 parameter_merge_strategies to merge it with the defaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  UndercloudIpaOtp:
    default: ''
    description: The OTP to use to enroll to FreeIPA
    type: string

outputs:
  role_data:
    description: Role data for enrolling the undercloud into FreeIPA.
    value:
      service_name: tls-enroll
      upgrade_tasks: []
      deploy_steps_tasks:
        # https://bugs.launchpad.net/tripleo/+bug/1821139
        # This is here only for split stack environments to make sure
        # openssl-perl is installed which provides /etc/pki/CA on RHEL8
        - name: Ensure openssl-perl package is present on RHEL8
          when:
            - ansible_facts['os_family'] == 'RedHat'
            - ansible_facts['distribution_major_version'] is version('8', '==')
          package:
            name: openssl-perl
            state: present
        - name: Ensure ansible_fqdn is defined
          set_fact:
            ansible_fqdn: "{{ ansible_facts['fqdn'] }}"
        - name: Create tripleo-admin user and group
          include_role:
            name: tripleo_create_admin
            tasks_from: create_user
        - name: Set FreeIPA OTP fact
          set_fact:
            ipa_otp: {get_param: UndercloudIpaOtp}
          no_log: true
        - name: Enroll to FreeIPA
          include_role:
            name: ipaclient
          vars:
            ipaclient_otp: "{{ ipa_otp }}"
            ipaclient_hostname: "{{ fqdn_canonical }}"
          when: ipa_otp != ''
        - name: Set keytab permission facts
          set_fact:
            nova_service: "nova/{{ ansible_facts['nodename'] }}"
            nova_keytab: "/etc/novajoin/krb5.keytab"
        - name: Add directory for keytab
          file:
            path: "/etc/novajoin"
            state: directory
            mode: '0755'
        - name: Request keytab for {{ nova_service }}
          shell: |
            /usr/bin/kinit -kt /etc/krb5.keytab && \
            ipa-getkeytab \
              -s $(awk '/server/ { print $3 }' /etc/ipa/default.conf) \
              -p "{{ nova_service }}" \
              -k "{{ nova_keytab }}"            
          args:
            creates: /etc/novajoin/krb5.keytab
        - name: Set permissions on keytab
          file:
            path: "{{ nova_keytab }}"
            group: "root"
            mode: "g+r"