7761fed0cb
With a switch to using the ansible-freeipa modules instead of the community modules, we need to specify a credentials cache file. We need to change to ansible-freeipa modules because the community modules do not support FIPS. This is required for the tripleo-ipa change[1]. [1] https://review.opendev.org/c/x/tripleo-ipa/+/848255 Change-Id: Iffc0c1f9cf038f20436b65bb9602f121f1c07d37
heat_template_version: wallaby

# Heat service template for the "ipaservice" role data: registers each
# overcloud node (and its service sub-hosts) with the FreeIPA server,
# optionally enrolls the node as an IPA client, and removes it again on
# scale-down. The Ansible tasks below are emitted as role_data and run by
# the TripleO deployment framework, not by Heat itself.
description: Add services and subhosts to IPA server

parameters:
  RoleNetIpMap:
    default: {}
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. Use
                 parameter_merge_strategies to merge it with the defaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  IdMDomain:
    default: ''
    description: IDM domain to register IDM client. Typically, this is discovered
                 through DNS and does not have to be set explicitly.
    type: string
  IdMServer:
    default: []
    description: FQDN for the FreeIPA server. If you set this value, IdMDomain
                 also has to be provided. Typically, this is discovered
                 through DNS and does not have to be set explicitly.
    type: comma_delimited_list
  # Exported as KRB5_CLIENT_KTNAME below; the "FILE:" prefix is the
  # Kerberos keytab-type prefix and is passed through unchanged.
  IdMNovaKeytab:
    default: 'FILE:/etc/novajoin/krb5.keytab'
    description: keytab for the nova/[host fqdn] user on the FreeIPA server.
    type: string
  # Exported as KRB5CCNAME below. The Kerberos libraries write the ticket
  # obtained from the keytab into this file on whichever host executes the
  # tasks that use it (presumably the Ansible controller / undercloud — TODO
  # confirm). Because it holds a live credential for the nova/[host fqdn]
  # principal, its location should be on a path readable only by the
  # deploying user.
  IdMNovaCredentialCache:
    default: '/etc/novajoin/krb5.cache'
    description: credential cache for nova/[host fqdn] user
    type: string
  # NOTE: True/False below are YAML 1.1 booleans; Heat's loader resolves them
  # to boolean values, so they are equivalent to true/false.
  MakeHomeDir:
    type: boolean
    description: Configure PAM to create a users home directory if it does not exist.
    default: False
  IdMNoNtpSetup:
    default: False
    description: Set to true to add --no-ntp to the IDM client install call.
                 This will cause IDM client install not to set up NTP.
    type: boolean
  IdMEnrollBaseServer:
    default: True
    description: Set to true to enroll the base server (computes, controllers)
    type: boolean
  IdMInstallClientPackages:
    default: False
    description: Set to True to have ansible-freeipa install ipa client packages
                 on the overcloud node.
    type: boolean
  IdMModifyDNS:
    default: True
    description: Set to false to disable DNS records manipulation in the FreeIPA server.
    type: boolean
  IdMZoneSplitIPv4:
    default: 1
    description: The level by which the PTR DNS record is split when creating zones.
    type: string
  IdMZoneSplitIPv6:
    default: 1
    description: The level by which the PTR DNS record is split when creating zones.
    type: string

conditions:
  # True when the operator supplied at least one FreeIPA server FQDN; used to
  # decide whether to pin IPA_HOST / ipaclient_servers instead of relying on
  # DNS discovery.
  idm_server_provided:
    not:
      equals: [{get_param: IdMServer}, []]

outputs:
  role_data:
    description: Role data for the ipaservice service
    value:
      service_name: ipaservice
      upgrade_tasks: []
      step_config: ''
      external_deploy_tasks:
        - name: add the ipa services for this node in step 1
          when: step|int == 1
          block:
            - name: Ensure ansible_fqdn is defined
              set_fact:
                ansible_fqdn: "{{ ansible_facts['fqdn'] }}"
            # One registration per host in the ipaservice group; the role is
            # given the host's canonical FQDN and its service metadata so it
            # can create the matching IPA host/service entries.
            - include_role:
                name: tripleo_ipa_registration
              vars:
                tripleo_ipa_enroll_base_server: {get_param: IdMEnrollBaseServer}
                tripleo_ipa_delegate_server: "{{ item }}"
                tripleo_ipa_base_server_fqdn: "{{ hostvars[item]['fqdn_canonical'] }}"
                tripleo_ipa_server_metadata: "{{ hostvars[item]['service_metadata_settings'] | to_json }}"
              loop: "{{ groups.ipaservice }}"
            # DNS record management is skipped entirely when IdMModifyDNS is
            # false (Heat resolves the get_param to a boolean for `when`).
            - include_role:
                name: tripleo_ipa_dns
              vars:
                tripleo_ipa_ptr_zone_split_ipv4: {get_param: IdMZoneSplitIPv4}
                tripleo_ipa_ptr_zone_split_ipv6: {get_param: IdMZoneSplitIPv6}
              when: {get_param: IdMModifyDNS}
          # Kerberos environment for every task in the block above. The
          # ansible-freeipa modules used by the tripleo_ipa_* roles authenticate
          # with the nova/[fqdn] keytab and need an explicit credential cache
          # (KRB5CCNAME) to store the resulting ticket. IPA_HOST is only set
          # when a server was provided explicitly; otherwise discovery is
          # left to the client libraries.
          environment:
            map_merge:
              - IPA_USER: "nova/{{ ansible_facts['fqdn'] }}"
                KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
                KRB5CCNAME: {get_param: IdMNovaCredentialCache}
              - if:
                - idm_server_provided
                - IPA_HOST: {get_param: [IdMServer, 0]}
        - name: enroll the node as an ipa client
          #NOTE(xek): this is moved to external_deploy_tasks to make sure this happens before certificates are requested from certmonger
          when: step|int == 1
          vars:
            ipaclient_install_packages: {get_param: IdMInstallClientPackages}
            idm_enroll_base_server: {get_param: IdMEnrollBaseServer}
          block:
            # Presence of /etc/ipa/default.conf is used as the "already
            # enrolled" marker; the per-host results are zipped with the group
            # list in the tasks that follow.
            - name: check if default.conf exists
              delegate_to: "{{ item }}"
              stat:
                path: /etc/ipa/default.conf
              register: ipa_conf_exists
              loop: "{{ groups.ipaservice }}"
            - name: install openssl-perl
              delegate_to: "{{ item }}"
              become: true
              package:
                name: openssl-perl
                state: present
              loop: "{{ groups.ipaservice }}"
              when:
                - ipaclient_install_packages|bool
            # Enrollment uses a one-time password (ipa_host_otp) created for
            # the host during registration rather than an admin credential.
            # ipaclient_force is set, but the task only runs for hosts whose
            # default.conf does not exist yet (see `when` below), so already
            # enrolled hosts are not re-enrolled.
            - name: register as an ipa client
              include_role:
                name: ipaclient
                apply:
                  delegate_to: "{{ outer_item.0 }}"
                  become: true
              vars:
                map_merge:
                  - state: present
                    ipaclient_otp: "{{ hostvars[outer_item.0]['ipa_host_otp'] }}"
                    ipaclient_mkhomedir: {get_param: MakeHomeDir}
                    ipaclient_no_ntp: {get_param: IdMNoNtpSetup}
                    ipaclient_force: true
                    ipaclient_hostname: "{{ hostvars[outer_item.0]['fqdn_canonical'] }}"
                    ansible_fqdn: "{{ ipaclient_hostname }}"
                    ipaclients:
                      - "{{ outer_item.0 }}"
                    #NOTE(xek): The following is a workaround till ipaclient is fixed to use ansible_facts
                    # see: https://github.com/freeipa/ansible-freeipa/pull/517
                    ansible_distribution: "{{ ansible_facts['distribution'] }}"
                    ansible_distribution_major_version: "{{ ansible_facts['distribution_major_version'] }}"
                    ansible_distribution_release: "{{ ansible_facts['distribution_release'] }}"
                    ansible_distribution_version: "{{ ansible_facts['distribution_version'] }}"
                    ansible_os_family: "{{ ansible_facts['os_family'] }}"
                  # Explicit server/domain are passed only when provided;
                  # otherwise the ipaclient role discovers them via DNS.
                  - if:
                    - idm_server_provided
                    - ipaclient_servers: {get_param: IdMServer}
                      ipaclient_domain: {get_param: IdMDomain}
              when:
                - idm_enroll_base_server|bool
                - not outer_item.1.stat.exists
              loop: "{{ groups.ipaservice|zip(ipa_conf_exists.results)|list }}"
              loop_control:
                loop_var: outer_item
            # Restarted only on freshly enrolled hosts so certmonger picks up
            # the new IPA client configuration before certificates are
            # requested.
            - name: restart certmonger service
              delegate_to: "{{ item.0 }}"
              become: true
              systemd:
                state: restarted
                daemon_reload: true
                name: certmonger.service
              when:
                - idm_enroll_base_server|bool
                - not item.1.stat.exists
              loop: "{{ groups.ipaservice|zip(ipa_conf_exists.results)|list }}"
            # NOTE(review): Ansible lookup plugins evaluate on the controller,
            # so the ini lookup reads the controller's /etc/ipa/default.conf,
            # not the delegated host's — confirm this is the intended source.
            # The fact is stored on the delegated host (delegate_facts: true);
            # Heat substitutes DEFAULT with the upper-cased IdMDomain before the
            # template is rendered, which is the fallback when the ini key is
            # missing.
            - name: set discovered ipa realm
              delegate_to: "{{ item }}"
              delegate_facts: true
              set_fact:
                idm_realm:
                  str_replace:
                    template:
                      "{{ lookup('ini', 'realm default=DEFAULT section=global file=/etc/ipa/default.conf')}}"
                    params:
                      DEFAULT:
                        yaql:
                          expression: $.data.toUpper()
                          data: {get_param: IdMDomain}
              loop: "{{ groups.ipaservice }}"
      scale_tasks:
        - when: step|int == 1
          tags: down
          block:
            # Runs on the undercloud during scale-down to delete the host and
            # its service entries from the IPA server. Only the keytab is
            # passed here; no KRB5CCNAME is exported for this task.
            # NOTE(review): if tripleo_ipa_cleanup also uses the ansible-freeipa
            # modules, verify that the role obtains its own credential cache.
            - name: unregister node from ipa server
              import_role:
                name: tripleo_ipa_cleanup
              delegate_to: "{{ groups['Undercloud'] | first }}"
              vars:
                tripleo_ipa_keytab: {get_param: IdMNovaKeytab}
                tripleo_ipa_hosts_to_delete:
                  - "{{ fqdn_canonical }}"
      external_upgrade_tasks:
        - when: step|int == 1
          block:
            # Pre-upgrade validation that the IPA server grants the
            # permissions the deployment relies on.
            - name: check if ipa server has required permissions
              import_role:
                name: tls_everywhere
                tasks_from: ipa-server-check
              tags:
                - opendev-validation
                - opendev-validation-tls-everywhere