# TripleO service template for the "ipaservice" service: registers this
# node's IPA services/sub-hosts on the FreeIPA server (external_deploy_tasks),
# enrolls the overcloud node as an IPA client (deploy_steps_tasks) and removes
# the host entries again on scale-down (scale_tasks).
heat_template_version: rocky

description: Add services and subhosts to IPA server
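parameters:
  # RoleNetIpMap .. EndpointMap and PythonInterpreter are the common TripleO
  # service-template inputs. Nothing in this template's outputs reads them;
  # they are presumably declared for interface compatibility with the other
  # service templates.
  RoleNetIpMap:
    default: {}
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry. This
      mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
    type: json
  PythonInterpreter:
    type: string
    description: The python interpreter to use for python and ansible actions
    default: "$(command -v python3 || command -v python)"
  # Passed through unchanged as ipaclient_domain in deploy_steps_tasks.
  IdMDomain:
    default: ''
    description: >-
      IDM domain to register IDM client. Typically, this is discovered
      through DNS and does not have to be set explicitly.
    type: string
  # Selects the idm_server_provided condition (IPA_HOST pinned for the
  # external tasks) and is passed as ipaclient_servers to the client role.
  # NOTE(review): the "IdMDomain also has to be provided" requirement in the
  # description is not enforced by this template; the only condition here
  # checks IdMServer alone.
  IdMServer:
    default: ''
    description: >-
      FQDN for the FreeIPA server. If you set this value, IdMDomain
      also has to be provided. Typically, this is discovered
      through DNS and does not have to be set explicitly.
    type: string
  # Credential the tripleo_ipa_* roles use to authenticate to FreeIPA as the
  # nova/<fqdn> service principal (KRB5_CLIENT_KTNAME in external_deploy_tasks,
  # tripleo_ipa_keytab in scale_tasks). The 'FILE:' prefix is the libkrb5
  # keytab-type prefix; the path refers to the host that executes those tasks
  # (the undercloud for scale_tasks, via delegate_to), not the node enrolled.
  IdMNovaKeytab:
    default: 'FILE:/etc/novajoin/krb5.keytab'
    description: keytab for the nova/[host fqdn] user on the FreeIPA server.
    type: string
  # Booleans below use canonical lowercase true/false (yamllint "truthy");
  # Heat accepts either spelling, so the defaults are unchanged.
  # Passed to the ipaclient role as ipaclient_mkhomedir.
  MakeHomeDir:
    type: boolean
    description: Configure PAM to create a users home directory if it does not exist.
    default: false
  # Passed to the ipaclient role as ipaclient_no_ntp.
  IdMNoNtpSetup:
    default: false
    description: >-
      Set to true to add --no-ntp to the IDM client install call.
      This will cause IDM client install not to set up NTP.
    type: boolean
  # Gates both the registration role (tripleo_ipa_enroll_base_server) and the
  # ipaclient enrollment in deploy_steps_tasks (idm_enroll_base_server).
  IdMEnrollBaseServer:
    default: true
    description: Set to true to enroll the base server (computes, controllers)
    type: boolean
  # Passed to the ipaclient role as ipaclient_install_packages.
  IdMInstallClientPackages:
    default: false
    description: >-
      Set to True to have ansible-freeipa install ipa client packages
      on the overcloud node.
    type: boolean
  # When false the tripleo_ipa_dns role include is skipped entirely.
  IdMModifyDNS:
    default: true
    description: Set to false to disable DNS records manipulation in the FreeIPA server.
    type: boolean
  # Defaults are quoted so they carry the declared string type; Heat hands
  # string parameters to the tripleo_ipa_dns role as strings either way.
  IdMZoneSplitIPv4:
    default: '1'
    description: The level by which the PTR DNS record is split when creating zones.
    type: string
  IdMZoneSplitIPv6:
    default: '1'
    description: The level by which the PTR DNS record is split when creating zones.
    type: string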
# True when an explicit FreeIPA server FQDN was supplied via IdMServer (its
# default is the empty string). Selects the environment branch that pins
# IPA_HOST for the external_deploy_tasks.
conditions:
  idm_server_provided:
    not:
      equals:
        - get_param: IdMServer
        - ''
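outputs:
  role_data:
    description: Role data for the ipaservice service
    value:
      service_name: ipaservice
      # No upgrade hooks and no puppet step config: everything here is ansible.
      upgrade_tasks: []
      step_config: ''
      # TripleO runs external_deploy_tasks from the undercloud, not on the
      # overcloud node: registers the IPA services/sub-hosts for every host in
      # the certmonger_user group and, optionally, their DNS records.
      external_deploy_tasks:
        - name: add the ipa services for this node in step 1
          when: step|int == 1
          block:
            # One registration per host in certmonger_user; the role is told
            # which host it acts for (tripleo_ipa_delegate_server) and reads
            # that host's canonical FQDN and service metadata from hostvars.
            - include_role:
                name: tripleo_ipa_registration
              vars:
                tripleo_ipa_enroll_base_server: {get_param: IdMEnrollBaseServer}
                tripleo_ipa_delegate_server: "{{ item }}"
                tripleo_ipa_base_server_fqdn: "{{ hostvars[item]['fqdn_canonical'] }}"
                tripleo_ipa_server_metadata: "{{ hostvars[item]['service_metadata_settings'] | to_json }}"
              loop: "{{ groups.certmonger_user }}"
            # DNS/PTR-zone manipulation on the FreeIPA server; skipped entirely
            # when IdMModifyDNS is false.
            - include_role:
                name: tripleo_ipa_dns
              vars:
                tripleo_ipa_ptr_zone_split_ipv4: {get_param: IdMZoneSplitIPv4}
                tripleo_ipa_ptr_zone_split_ipv6: {get_param: IdMZoneSplitIPv6}
              when: {get_param: IdMModifyDNS}
          # Credentials for both roles above: they act as the nova/<fqdn of the
          # executing host> service principal using the keytab named by
          # IdMNovaKeytab, which must exist on the host running these tasks.
          # IPA_HOST is only pinned when IdMServer was supplied; otherwise
          # server discovery is left to the IPA client (DNS, per the IdMServer
          # description).
          environment:
            if:
              - idm_server_provided
              - IPA_HOST: {get_param: IdMServer}
                IPA_USER: "nova/{{ ansible_fqdn }}"
                KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
              - IPA_USER: "nova/{{ ansible_fqdn }}"
                KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
      # Runs on the overcloud node itself at step 1.
      deploy_steps_tasks:
        - name: enroll the node as an ipa client
          when: step|int == 1
          vars:
            state: present
            # One-time enrollment password for this host. It is not defined in
            # this template — presumably published as a hostvar by the
            # registration step above; verify. Treat it as a secret: it should
            # not end up in debug output or logs.
            ipaclient_otp: "{{ ipa_host_otp }}"
            idm_enroll_base_server: {get_param: IdMEnrollBaseServer}
            ipaclient_mkhomedir: {get_param: MakeHomeDir}
            ipaclient_domain: {get_param: IdMDomain}
            ipaclient_no_ntp: {get_param: IdMNoNtpSetup}
            # Canonical boolean (was the YAML 1.1 spelling 'yes'). In
            # ansible-freeipa this corresponds to ipa-client-install --force;
            # re-enrolling an already enrolled node is prevented by the
            # default.conf check below, not by this flag.
            ipaclient_force: true
            # Empty string when IdMServer is unset, leaving server discovery to
            # the client.
            ipaclient_servers: {get_param: IdMServer}
            ipaclient_hostname: "{{ fqdn_canonical }}"
            ipaclient_install_packages: {get_param: IdMInstallClientPackages}
            ipaclients:
              - "{{ inventory_hostname }}"
          block:
            # Presence of /etc/ipa/default.conf is the "already enrolled" marker.
            - name: check if default.conf exists
              stat:
                path: /etc/ipa/default.conf
              register: ipa_conf_exists
            - block:
                - name: register as an ipa client
                  import_role:
                    name: ipaclient
                # Restarted right after enrollment so certmonger runs with the
                # freshly enrolled host identity — confirm this is the intent.
                - name: restart certmonger service
                  systemd:
                    state: restarted
                    daemon_reload: true
                    name: certmonger.service
              # Enrollment is skipped when IdMEnrollBaseServer is false or the
              # node is already enrolled.
              when:
                - idm_enroll_base_server|bool
                - not ipa_conf_exists.stat.exists
      # Scale-down (tags: down): delete this host's entries from the FreeIPA
      # server. Delegated to the undercloud with the same nova keytab,
      # presumably so that cleanup does not depend on the node being removed.
      scale_tasks:
        - when: step|int == 1
          tags: down
          block:
            - name: unregister node from ipa server
              import_role:
                name: tripleo_ipa_cleanup
              delegate_to: Undercloud
              vars:
                tripleo_ipa_keytab: {get_param: IdMNovaKeytab}
                tripleo_ipa_hosts_to_delete:
                  - "{{ fqdn_canonical }}"
      # Pre-upgrade validation: confirm the IPA server grants the permissions
      # this service needs. Tagged so it can be run as an opendev validation.
      external_upgrade_tasks:
        - when: step|int == 1
          block:
            - name: check if ipa server has required permissions
              import_role:
                name: tls_everywhere
                tasks_from: ipa-server-check
              tags:
                - opendev-validation
                - opendev-validation-tls-everywhere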