tripleo-heat-templates/deployment/ipa/ipaservices-baremetal-ansible.yaml
Ade Lee 7761fed0cb Add credentials cache for novajoin user
With a switch to using the ansible-freeipa modules instead of the
community modules, we need to specify a credentials cache file.
We need to change to ansible-freeipa modules because the community
modules do not support FIPS.
This is required for the tripleo-ipa change[1].

[1] https://review.opendev.org/c/x/tripleo-ipa/+/848255

Change-Id: Iffc0c1f9cf038f20436b65bb9602f121f1c07d37
2022-07-20 11:36:27 +00:00


# Heat service template: registers this role's hosts and their services
# with the FreeIPA server and, when enabled, enrolls the base servers as
# IPA clients.  The registration tasks run with Kerberos credentials of
# the nova/<fqdn> principal (keytab + credential cache, see the
# IdMNova* parameters below).
heat_template_version: wallaby

description: Add services and subhosts to IPA server

parameters:
  RoleNetIpMap:
    default: {}
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry. Use
      parameter_merge_strategies to merge it with the defaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
    type: json
  IdMDomain:
    default: ''
    description: >-
      IDM domain to register IDM client. Typically, this is discovered
      through DNS and does not have to be set explicitly.
    type: string
  IdMServer:
    default: []
    description: >-
      FQDN for the FreeIPA server. If you set this value, IdMDomain
      also has to be provided. Typically, this is discovered
      through DNS and does not have to be set explicitly.
    type: comma_delimited_list
  # Credentials of the nova/<fqdn> principal.  Both values are exported
  # to the registration tasks as KRB5_CLIENT_KTNAME / KRB5CCNAME (see
  # external_deploy_tasks).  Ownership and mode of these files are not
  # managed by this template -- presumably set up with novajoin on the
  # undercloud; confirm they are readable only by the intended user.
  IdMNovaKeytab:
    default: 'FILE:/etc/novajoin/krb5.keytab'
    description: keytab for the nova/[host fqdn] user on the FreeIPA server.
    type: string
  IdMNovaCredentialCache:
    default: '/etc/novajoin/krb5.cache'
    description: credential cache for nova/[host fqdn] user
    type: string
  MakeHomeDir:
    type: boolean
    description: Configure PAM to create a users home directory if it does not exist.
    default: false
  IdMNoNtpSetup:
    default: false
    description: >-
      Set to true to add --no-ntp to the IDM client install call.
      This will cause IDM client install not to set up NTP.
    type: boolean
  IdMEnrollBaseServer:
    default: true
    description: Set to true to enroll the base server (computes, controllers)
    type: boolean
  IdMInstallClientPackages:
    default: false
    description: >-
      Set to True to have ansible-freeipa install ipa client packages
      on the overcloud node.
    type: boolean
  IdMModifyDNS:
    default: true
    description: Set to false to disable DNS records manipulation in the FreeIPA server.
    type: boolean
  IdMZoneSplitIPv4:
    default: 1
    description: The level by which the PTR DNS record is split when creating zones.
    type: string
  IdMZoneSplitIPv6:
    default: 1
    description: The level by which the PTR DNS record is split when creating zones.
    type: string

conditions:
  # True when the operator pinned at least one FreeIPA server; otherwise
  # the server (and domain) are left to DNS discovery.
  idm_server_provided:
    not:
      equals: [{get_param: IdMServer}, []]

outputs:
  role_data:
    description: Role data for the ipaservice service
    value:
      service_name: ipaservice
      upgrade_tasks: []
      step_config: ''
      external_deploy_tasks:
        - name: add the ipa services for this node in step 1
          when: step|int == 1
          block:
            - name: Ensure ansible_fqdn is defined
              set_fact:
                ansible_fqdn: "{{ ansible_facts['fqdn'] }}"
            # One registration per host in the ipaservice group; the role
            # receives the host's canonical FQDN and its service metadata.
            - include_role:
                name: tripleo_ipa_registration
              vars:
                tripleo_ipa_enroll_base_server: {get_param: IdMEnrollBaseServer}
                tripleo_ipa_delegate_server: "{{ item }}"
                tripleo_ipa_base_server_fqdn: "{{ hostvars[item]['fqdn_canonical'] }}"
                tripleo_ipa_server_metadata: "{{ hostvars[item]['service_metadata_settings'] | to_json }}"
              loop: "{{ groups.ipaservice }}"
            # DNS zone/record handling is skipped entirely when IdMModifyDNS
            # is false.
            - include_role:
                name: tripleo_ipa_dns
              vars:
                tripleo_ipa_ptr_zone_split_ipv4: {get_param: IdMZoneSplitIPv4}
                tripleo_ipa_ptr_zone_split_ipv6: {get_param: IdMZoneSplitIPv6}
              when: {get_param: IdMModifyDNS}
          # Kerberos identity for the two roles above.  KRB5CCNAME points the
          # credential cache at IdMNovaCredentialCache; IPA_HOST is only set
          # when a server was explicitly provided.
          environment:
            map_merge:
              - IPA_USER: "nova/{{ ansible_facts['fqdn'] }}"
                KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
                KRB5CCNAME: {get_param: IdMNovaCredentialCache}
              - if:
                  - idm_server_provided
                  - IPA_HOST: {get_param: [IdMServer, 0]}
        - name: enroll the node as an ipa client
          # NOTE(xek): this is moved to external_deploy_tasks to make sure this happens before certificates are requested from certmonger
          when: step|int == 1
          vars:
            ipaclient_install_packages: {get_param: IdMInstallClientPackages}
            idm_enroll_base_server: {get_param: IdMEnrollBaseServer}
          block:
            # The presence of /etc/ipa/default.conf is used below as the
            # "already enrolled" marker: enrollment and the certmonger
            # restart are skipped for hosts where it exists.
            - name: check if default.conf exists
              delegate_to: "{{ item }}"
              stat:
                path: /etc/ipa/default.conf
              register: ipa_conf_exists
              loop: "{{ groups.ipaservice }}"
            - name: install openssl-perl
              delegate_to: "{{ item }}"
              become: true
              package:
                name: openssl-perl
                state: present
              loop: "{{ groups.ipaservice }}"
              when:
                - ipaclient_install_packages|bool
            # Enrollment runs on the target host (delegate_to + become).  The
            # one-time password comes from the host's ipa_host_otp hostvar;
            # it is a credential and should not be logged -- confirm the
            # ipaclient role does not echo its vars.
            - name: register as an ipa client
              include_role:
                name: ipaclient
                apply:
                  delegate_to: "{{ outer_item.0 }}"
                  become: true
              vars:
                map_merge:
                  - state: present
                    ipaclient_otp: "{{ hostvars[outer_item.0]['ipa_host_otp'] }}"
                    ipaclient_mkhomedir: {get_param: MakeHomeDir}
                    ipaclient_no_ntp: {get_param: IdMNoNtpSetup}
                    ipaclient_force: true
                    ipaclient_hostname: "{{ hostvars[outer_item.0]['fqdn_canonical'] }}"
                    ansible_fqdn: "{{ ipaclient_hostname }}"
                    ipaclients:
                      - "{{ outer_item.0 }}"
                    # NOTE(xek): The following is a workaround till ipaclient is fixed to use ansible_facts
                    # see: https://github.com/freeipa/ansible-freeipa/pull/517
                    ansible_distribution: "{{ ansible_facts['distribution'] }}"
                    ansible_distribution_major_version: "{{ ansible_facts['distribution_major_version'] }}"
                    ansible_distribution_release: "{{ ansible_facts['distribution_release'] }}"
                    ansible_distribution_version: "{{ ansible_facts['distribution_version'] }}"
                    ansible_os_family: "{{ ansible_facts['os_family'] }}"
                  # Explicit server/domain only when the operator pinned them;
                  # otherwise the ipaclient role discovers them via DNS.
                  - if:
                      - idm_server_provided
                      - ipaclient_servers: {get_param: IdMServer}
                        ipaclient_domain: {get_param: IdMDomain}
              when:
                - idm_enroll_base_server|bool
                - not outer_item.1.stat.exists
              loop: "{{ groups.ipaservice|zip(ipa_conf_exists.results)|list }}"
              loop_control:
                loop_var: outer_item
            - name: restart certmonger service
              delegate_to: "{{ item.0 }}"
              become: true
              systemd:
                state: restarted
                daemon_reload: true
                name: certmonger.service
              when:
                - idm_enroll_base_server|bool
                - not item.1.stat.exists
              loop: "{{ groups.ipaservice|zip(ipa_conf_exists.results)|list }}"
            # Realm is read from the enrolled host's /etc/ipa/default.conf;
            # str_replace substitutes the lookup's DEFAULT fallback with the
            # upper-cased IdMDomain for hosts where the key is missing.
            - name: set discovered ipa realm
              delegate_to: "{{ item }}"
              delegate_facts: true
              set_fact:
                idm_realm:
                  str_replace:
                    template: "{{ lookup('ini', 'realm default=DEFAULT section=global file=/etc/ipa/default.conf')}}"
                    params:
                      DEFAULT:
                        yaql:
                          expression: $.data.toUpper()
                          data: {get_param: IdMDomain}
              loop: "{{ groups.ipaservice }}"
      scale_tasks:
        - when: step|int == 1
          tags: down
          block:
            # Runs on the undercloud when a node is scaled down.  Only the
            # keytab is handed to the cleanup role here -- NOTE(review):
            # confirm whether tripleo_ipa_cleanup also needs the credential
            # cache (IdMNovaCredentialCache) with the ansible-freeipa modules.
            - name: unregister node from ipa server
              import_role:
                name: tripleo_ipa_cleanup
              delegate_to: "{{ groups['Undercloud'] | first }}"
              vars:
                tripleo_ipa_keytab: {get_param: IdMNovaKeytab}
                tripleo_ipa_hosts_to_delete:
                  - "{{ fqdn_canonical }}"
      external_upgrade_tasks:
        - when: step|int == 1
          block:
            - name: check if ipa server has required permissions
              import_role:
                name: tls_everywhere
                tasks_from: ipa-server-check
              tags:
                - opendev-validation
                - opendev-validation-tls-everywhere