3c6ec654b4
Heat now supports release name aliases, so we can replace the inconsistent mix of date related versions with one consistent version that aligns with the supported version of heat for this t-h-t branch. This should also help new users who sometimes copy/paste old templates and discover intrinsic functions in the t-h-t docs don't work because their template version is too old. Change-Id: Ib415e7290fea27447460baa280291492df197e54
84 lines
2.5 KiB
YAML
84 lines
2.5 KiB
YAML
heat_template_version: ocata
|
|
|
|
description: Enroll nodes to FreeIPA
|
|
|
|
parameters:
|
|
server:
|
|
description: ID of the controller node to apply this config to
|
|
type: string
|
|
|
|
CloudDomain:
|
|
description: >
|
|
The configured cloud domain; this will also be used as the kerberos realm
|
|
type: string
|
|
|
|
FreeIPAOTP:
|
|
default: ''
|
|
description: 'OTP that will be used for FreeIPA enrollment'
|
|
type: string
|
|
hidden: true
|
|
FreeIPAServer:
|
|
default: ''
|
|
description: 'FreeIPA server DNS name'
|
|
type: string
|
|
FreeIPAIPAddress:
|
|
default: ''
|
|
description: 'FreeIPA server IP Address'
|
|
type: string
|
|
|
|
resources:
|
|
FreeIPAEnrollmentConfig:
|
|
type: OS::Heat::SoftwareConfig
|
|
properties:
|
|
group: script
|
|
inputs:
|
|
- name: otp
|
|
- name: ipa_server
|
|
- name: ipa_domain
|
|
- name: ipa_ip
|
|
config: |
|
|
#!/bin/sh
|
|
# If no IPA server was given as a parameter, it will be assumed from
|
|
# DNS.
|
|
if [ -n "${ipa_server}" ]; then
|
|
sed -i "/${ipa_server}/d" /etc/hosts
|
|
# Optionally add the FreeIPA server IP to /etc/hosts
|
|
if [ -n "${ipa_ip}" ]; then
|
|
echo "${ipa_ip} ${ipa_server}" >> /etc/hosts
|
|
fi
|
|
fi
|
|
# Set the node's domain if needed
|
|
if [ ! $(hostname -f | grep "${ipa_domain}$") ]; then
|
|
hostnamectl set-hostname "$(hostname).${ipa_domain}"
|
|
fi
|
|
yum install -y ipa-client
|
|
# Enroll. If there is already keytab, we have already done this. If
|
|
# this node hasn't enrolled and the OTP is missing, fail.
|
|
if [ ! -f /etc/krb5.keytab ]; then
|
|
if [ -z "${otp}" ]; then
|
|
echo "OTP is missing"
|
|
exit 1
|
|
fi
|
|
ipa-client-install --server ${ipa_server} -w ${otp} \
|
|
--domain=${ipa_domain} -U
|
|
fi
|
|
# Get a TGT
|
|
kinit -k -t /etc/krb5.keytab
|
|
|
|
FreeIPAControllerEnrollmentDeployment:
|
|
type: OS::Heat::SoftwareDeployment
|
|
properties:
|
|
name: FreeIPAEnrollmentDeployment
|
|
config: {get_resource: FreeIPAEnrollmentConfig}
|
|
server: {get_param: server}
|
|
input_values:
|
|
otp: {get_param: FreeIPAOTP}
|
|
ipa_server: {get_param: FreeIPAServer}
|
|
ipa_domain: {get_param: CloudDomain}
|
|
ipa_ip: {get_param: FreeIPAIPAddress}
|
|
|
|
outputs:
|
|
deploy_stdout:
|
|
description: Output of the FreeIPA enrollment deployment
|
|
value: {get_attr: [FreeIPAControllerEnrollmentDeployment, deploy_stdout]}
|