tripleo-heat-templates/deployment/deprecated/novajoin/ipaclient-baremetal-ansible...

195 lines
7.1 KiB
YAML

heat_template_version: rocky
description: Registers nodes with the IPA server
parameters:
RoleNetIpMap:
default: {}
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
PythonInterpreter:
type: string
description: The python interpreter to use for python and ansible actions
default: "$(command -v python3 || command -v python)"
MakeHomeDir:
type: boolean
description: Configure PAM to create a users home directory if it does not exist.
default: False
IdMDomain:
default: ''
description: IDM domain to register IDM client. Typically, this is discovered
through DNS and does not have to be set explicitly.
type: string
IdMNoNtpSetup:
default: False
description: Set to true to add --no-ntp to the IDM client install call.
This will cause IDM client install not to set up NTP.
type: boolean
outputs:
role_data:
description: Role data for the ipaclient service
value:
service_name: ipaclient
upgrade_tasks: []
step_config: ''
host_prep_tasks:
- name: enroll client in ipa and get metadata
become: yes
vars:
python_interpreter: {get_param: PythonInterpreter}
makehomedir: {get_param: MakeHomeDir}
idm_domain: {get_param: IdMDomain}
idm_no_ntp: {get_param: IdMNoNtpSetup}
block:
- name: install needed packages
package:
name: "{{ item }}"
state: present
with_items:
- ipa-client
- ipa-admintools
- hostname
- name: create enrollment script
copy:
dest: /root/setup-ipa-client.sh
mode: '0700'
content: |
#!/bin/sh
set -x
function get_metadata_config_drive {
if [ -f /run/cloud-init/status.json ]; then
# Get metadata from config drive
data=`cat /run/cloud-init/status.json`
config_drive=`echo $data | {{ python_interpreter }} -c 'import json,re,sys;obj=json.load(sys.stdin);ds=obj.get("v1", {}).get("datasource"); print(re.findall(r"source=(.*)]", ds)[0])'`
if [[ -b $config_drive ]]; then
temp_dir=`mktemp -d`
mount $config_drive $temp_dir
if [ -f $temp_dir/openstack/latest/vendor_data2.json ]; then
data=`cat $temp_dir/openstack/latest/vendor_data2.json`
umount $config_drive
rmdir $temp_dir
else
umount $config_drive
rmdir $temp_dir
fi
else
echo "Unable to retrieve metadata from config drive."
return 1
fi
else
echo "Unable to retrieve metadata from config drive."
return 1
fi
return 0
}
function get_metadata_network {
# Get metadata over the network
data=$(timeout 300 /bin/bash -c 'data=""; while [ -z "$data" ]; do sleep $[ ( $RANDOM % 10 ) + 1 ]s; data=`curl -s http://169.254.169.254/openstack/2016-10-06/vendor_data2.json 2>/dev/null`; done; echo $data')
if [[ $? != 0 ]] ; then
echo "Unable to retrieve metadata from metadata service."
return 1
fi
}
function get_fqdn {
# Get the instance hostname out of the metadata
fqdn=`echo $data | {{ python_interpreter }} -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get("join", {}).get("hostname", ""))'`
if [ -z "$fqdn"]; then
echo "Unable to determine hostname"
return 1
fi
return 0
}
if ! get_metadata_config_drive || ! get_fqdn; then
if ! get_metadata_network || ! get_fqdn; then
echo "FATAL: No metadata available or could not read the hostname from the metadata"
exit 1
fi
fi
realm=`echo $data | {{ python_interpreter }} -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get("join", {}).get("krb_realm", ""))'`
otp=`echo $data | {{ python_interpreter }} -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get("join", {}).get("ipaotp", ""))'`
# Force hostname to use the FQDN
hostnamectl set-hostname $fqdn
makehomedir={{ makehomedir }}
idm_no_ntp={{ idm_no_ntp }}
idm_domain={{ idm_domain }}
# run ipa-client-install
OPTS="-U -w $otp --hostname $fqdn"
if [ -n "$realm" ]; then
OPTS="$OPTS --realm=$realm"
fi
if [ -n "$idm_domain" ]; then
OPTS="$OPTS --domain=$idm_domain"
fi
if [ "${makehomedir,,}" = "true" ]; then
OPTS="$OPTS --mkhomedir"
fi
if [ "${idm_no_ntp,,}" = "true" ]; then
OPTS="$OPTS --no-ntp"
fi
# Ensure we have the proper domain in /etc/resolv.conf
domain=$(hostname -d)
if [ -n "$idm_domain" ]; then
domain = "$domain $idm_domain"
fi
if ! grep -q ${domain} /etc/resolv.conf ; then
sed -i "0,/nameserver/s/\(nameserver.*\)/search ${domain}\n\1/" /etc/resolv.conf
fi
ipa-client-install $OPTS
- name: determine if client is already enrolled
stat:
path: /etc/ipa/default.conf
register: ipa_default_conf
- block:
- name: run enrollment script
shell: /root/setup-ipa-client.sh >> /var/log/setup-ipa-client-ansible.log 2>&1
- name: restart certmonger service
systemd:
state: restarted
daemon_reload: true
name: certmonger.service
when: ipa_default_conf.stat.exists == False