You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
228 lines
8.9 KiB
228 lines
8.9 KiB
heat_template_version: wallaby |
|
|
|
description: Add services and subhosts to IPA server |
|
|
|
parameters: |
|
RoleNetIpMap: |
|
default: {} |
|
type: json |
|
ServiceData: |
|
default: {} |
|
description: Dictionary packing service data |
|
type: json |
|
ServiceNetMap: |
|
default: {} |
|
description: Mapping of service_name -> network name. Typically set |
|
via parameter_defaults in the resource registry. This |
|
mapping overrides those in ServiceNetMapDefaults. |
|
type: json |
|
RoleName: |
|
default: '' |
|
description: Role name on which the service is applied |
|
type: string |
|
RoleParameters: |
|
default: {} |
|
description: Parameters specific to the role |
|
type: json |
|
EndpointMap: |
|
default: {} |
|
description: Mapping of service endpoint -> protocol. Typically set |
|
via parameter_defaults in the resource registry. |
|
type: json |
|
PythonInterpreter: |
|
type: string |
|
description: The python interpreter to use for python and ansible actions |
|
default: "$(command -v python3 || command -v python)" |
|
IdMDomain: |
|
default: '' |
|
description: IDM domain to register IDM client. Typically, this is discovered |
|
through DNS and does not have to be set explicitly. |
|
type: string |
|
IdMServer: |
|
default: '' |
|
description: FQDN for the FreeIPA server. If you set this value, IdMDomain |
|
also has to be provided. Typically, this is discovered |
|
through DNS and does not have to be set explicitly. |
|
type: string |
|
IdMNovaKeytab: |
|
default: 'FILE:/etc/novajoin/krb5.keytab' |
|
description: keytab for the nova/[host fqdn] user on the FreeIPA server. |
|
type: string |
|
MakeHomeDir: |
|
type: boolean |
|
description: Configure PAM to create a users home directory if it does not exist. |
|
default: False |
|
IdMNoNtpSetup: |
|
default: False |
|
description: Set to true to add --no-ntp to the IDM client install call. |
|
This will cause IDM client install not to set up NTP. |
|
type: boolean |
|
IdMEnrollBaseServer: |
|
default: True |
|
description: Set to true to enroll the base server (computes, controllers) |
|
type: boolean |
|
IdMInstallClientPackages: |
|
default: False |
|
description: Set to True to have ansible-freeipa install ipa client packages |
|
on the overcloud node. |
|
type: boolean |
|
IdMModifyDNS: |
|
default: True |
|
description: Set to false to disable DNS records manipulation in the FreeIPA server. |
|
type: boolean |
|
IdMZoneSplitIPv4: |
|
default: 1 |
|
description: The level by which the PTR DNS record is split when creating zones. |
|
type: string |
|
IdMZoneSplitIPv6: |
|
default: 1 |
|
description: The level by which the PTR DNS record is split when creating zones. |
|
type: string |
|
|
|
conditions: |
|
idm_server_provided: |
|
not: |
|
equals: [{get_param: IdMServer}, ""] |
|
|
|
outputs: |
|
role_data: |
|
description: Role data for the ipaservice service |
|
value: |
|
service_name: ipaservice |
|
upgrade_tasks: [] |
|
step_config: '' |
|
external_deploy_tasks: |
|
- name: add the ipa services for this node in step 1 |
|
when: step|int == 1 |
|
block: |
|
- name: Ensure ansible_fqdn is defined |
|
set_fact: |
|
ansible_fqdn: "{{ ansible_facts['fqdn'] }}" |
|
- include_role: |
|
name: tripleo_ipa_registration |
|
vars: |
|
tripleo_ipa_enroll_base_server: {get_param: IdMEnrollBaseServer} |
|
tripleo_ipa_delegate_server: "{{ item }}" |
|
tripleo_ipa_base_server_fqdn: "{{ hostvars[item]['fqdn_canonical'] }}" |
|
tripleo_ipa_server_metadata: "{{ hostvars[item]['service_metadata_settings'] | to_json }}" |
|
loop: "{{ groups.ipaservice }}" |
|
- include_role: |
|
name: tripleo_ipa_dns |
|
vars: |
|
tripleo_ipa_ptr_zone_split_ipv4: {get_param: IdMZoneSplitIPv4} |
|
tripleo_ipa_ptr_zone_split_ipv6: {get_param: IdMZoneSplitIPv6} |
|
when: {get_param: IdMModifyDNS} |
|
environment: |
|
if: |
|
- idm_server_provided |
|
- IPA_HOST: {get_param: IdMServer} |
|
IPA_USER: "nova/{{ ansible_facts['fqdn'] }}" |
|
KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab} |
|
- IPA_USER: "nova/{{ ansible_facts['fqdn'] }}" |
|
KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab} |
|
- name: enroll the node as an ipa client |
|
#NOTE(xek): this is moved to external_deploy_tasks to make sure this happens before certificates are requested from certmonger |
|
when: step|int == 1 |
|
vars: |
|
ipaclient_install_packages: {get_param: IdMInstallClientPackages} |
|
idm_enroll_base_server: {get_param: IdMEnrollBaseServer} |
|
block: |
|
- name: check if default.conf exists |
|
delegate_to: "{{ item }}" |
|
stat: |
|
path: /etc/ipa/default.conf |
|
register: ipa_conf_exists |
|
loop: "{{ groups.ipaservice }}" |
|
- name: install openssl-perl |
|
delegate_to: "{{ item }}" |
|
become: true |
|
package: |
|
name: openssl-perl |
|
state: present |
|
loop: "{{ groups.ipaservice }}" |
|
when: |
|
- ipaclient_install_packages|bool |
|
- name: register as an ipa client |
|
include_role: |
|
name: ipaclient |
|
apply: |
|
delegate_to: "{{ outer_item.0 }}" |
|
become: true |
|
vars: |
|
map_merge: |
|
- |
|
state: present |
|
ipaclient_otp: "{{ hostvars[outer_item.0]['ipa_host_otp'] }}" |
|
ipaclient_mkhomedir: {get_param: MakeHomeDir} |
|
ipaclient_no_ntp: {get_param: IdMNoNtpSetup} |
|
ipaclient_force: yes |
|
ipaclient_hostname: "{{ hostvars[outer_item.0]['fqdn_canonical'] }}" |
|
ansible_fqdn: "{{ ipaclient_hostname }}" |
|
ipaclients: |
|
- "{{ outer_item.0 }}" |
|
#NOTE(xek): The following is a workaround till ipaclient is fixed to use ansible_facts |
|
# see: https://github.com/freeipa/ansible-freeipa/pull/517 |
|
ansible_distribution: "{{ ansible_facts['distribution'] }}" |
|
ansible_distribution_major_version: "{{ ansible_facts['distribution_major_version'] }}" |
|
ansible_distribution_release: "{{ ansible_facts['distribution_release'] }}" |
|
ansible_distribution_version: "{{ ansible_facts['distribution_version'] }}" |
|
ansible_os_family: "{{ ansible_facts['os_family'] }}" |
|
- |
|
if: |
|
- idm_server_provided |
|
- ipaclient_servers: {get_param: IdMServer} |
|
ipaclient_domain: {get_param: IdMDomain} |
|
- {} |
|
when: |
|
- idm_enroll_base_server|bool |
|
- not outer_item.1.stat.exists |
|
loop: "{{ groups.ipaservice|zip(ipa_conf_exists.results)|list }}" |
|
loop_control: |
|
loop_var: outer_item |
|
- name: restart certmonger service |
|
delegate_to: "{{ item.0 }}" |
|
become: true |
|
systemd: |
|
state: restarted |
|
daemon_reload: true |
|
name: certmonger.service |
|
when: |
|
- idm_enroll_base_server|bool |
|
- not item.1.stat.exists |
|
loop: "{{ groups.ipaservice|zip(ipa_conf_exists.results)|list }}" |
|
- name: set discovered ipa realm |
|
delegate_to: "{{ item }}" |
|
delegate_facts: true |
|
set_fact: |
|
idm_realm: |
|
str_replace: |
|
template: |
|
"{{ lookup('ini', 'realm default=DEFAULT section=global file=/etc/ipa/default.conf')}}" |
|
params: |
|
DEFAULT: |
|
yaql: |
|
expression: $.data.toUpper() |
|
data: {get_param: IdMDomain} |
|
loop: "{{ groups.ipaservice }}" |
|
scale_tasks: |
|
- when: step|int == 1 |
|
tags: down |
|
block: |
|
- name: unregister node from ipa server |
|
import_role: |
|
name: tripleo_ipa_cleanup |
|
delegate_to: undercloud |
|
vars: |
|
tripleo_ipa_keytab: {get_param: IdMNovaKeytab} |
|
tripleo_ipa_hosts_to_delete: |
|
- "{{ fqdn_canonical }}" |
|
external_upgrade_tasks: |
|
- when: step|int == 1 |
|
block: |
|
- name: check if ipa server has required permissions |
|
import_role: |
|
name: tls_everywhere |
|
tasks_from: ipa-server-check |
|
tags: |
|
- opendev-validation |
|
- opendev-validation-tls-everywhere
|
|
|