tripleo-heat-templates/deployment/ipa/ipaservices-baremetal-ansible.yaml
donghwi.cha 6d142165f1 IDM server registration is fixed to one server only
Heat's IdMServer parameter cannot convey multiple IPA servers: it is declared as a string, so it is limited to a single IPA server.

Since the IPA ansible playbook accepts multiple servers, IdMServer needs to be changed from a string to a list.

Closes-Bug: #1955319
Change-Id: I4cc8837b52e6b2356b6bc4436c340b2cb83879fe
2021-12-19 09:21:40 +09:00


# TripleO service template: registers overcloud nodes and their service
# subhosts with a FreeIPA (IdM) server and enrolls the nodes as IPA clients.
# "wallaby" is needed for the two-argument form of the `if` intrinsic used
# further down (a false condition drops the enclosing item).
heat_template_version: wallaby
description: Add services and subhosts to IPA server
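parameters:
  # Common TripleO service-template inputs, injected by the deployment
  # framework; operators do not normally set these directly.
  RoleNetIpMap:
    default: {}
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry. Use
      parameter_merge_strategies to merge it with the defaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
    type: json
  # FreeIPA / IdM enrollment settings.
  IdMDomain:
    default: ''
    description: >-
      IDM domain to register IDM client. Typically, this is discovered
      through DNS and does not have to be set explicitly.
    type: string
  IdMServer:
    # The empty-list default means "discover via DNS"; the template's
    # idm_server_provided condition compares against exactly this value.
    default: []
    description: >-
      List of FQDNs of the FreeIPA servers. If you set this value, IdMDomain
      also has to be provided. Typically, this is discovered
      through DNS and does not have to be set explicitly.
    type: comma_delimited_list
  IdMNovaKeytab:
    # Kerberos credential for the nova/[host fqdn] principal; the file it
    # points at is key material and must stay readable only by its owner.
    default: 'FILE:/etc/novajoin/krb5.keytab'
    description: keytab for the nova/[host fqdn] user on the FreeIPA server.
    type: string
  MakeHomeDir:
    default: false
    description: Configure PAM to create a users home directory if it does not exist.
    type: boolean
  IdMNoNtpSetup:
    default: false
    description: >-
      Set to true to add --no-ntp to the IDM client install call.
      This will cause IDM client install not to set up NTP.
    type: boolean
  IdMEnrollBaseServer:
    default: true
    description: Set to true to enroll the base server (computes, controllers)
    type: boolean
  IdMInstallClientPackages:
    default: false
    description: >-
      Set to True to have ansible-freeipa install ipa client packages
      on the overcloud node.
    type: boolean
  IdMModifyDNS:
    default: true
    description: Set to false to disable DNS records manipulation in the FreeIPA server.
    type: boolean
  IdMZoneSplitIPv4:
    # NOTE(review): declared as string but defaulted to an unquoted integer;
    # Heat presumably coerces it — quote as '1' if a consumer turns out to be strict.
    default: 1
    description: The level by which the PTR DNS record is split when creating zones.
    type: string
  IdMZoneSplitIPv6:
    # NOTE(review): same string/integer mismatch as IdMZoneSplitIPv4.
    default: 1
    description: The level by which the PTR DNS record is split when creating zones.
    type: string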
conditions:
  # True unless IdMServer was left at its empty-list default, i.e. the
  # operator named at least one IPA server explicitly.
  idm_server_provided:
    not:
      equals:
        - get_param: IdMServer
        - []
outputs:
  role_data:
    description: Role data for the ipaservice service
    value:
      service_name: ipaservice
      upgrade_tasks: []
      step_config: ''
      # All tasks below run on the ansible controller (the undercloud) and
      # delegate to each host in the ipaservice group.
      external_deploy_tasks:
        - name: add the ipa services for this node in step 1
          when: step|int == 1
          block:
            - name: Ensure ansible_fqdn is defined
              set_fact:
                ansible_fqdn: "{{ ansible_facts['fqdn'] }}"
            # Register the host's subhosts/services in IPA, once per host in the
            # ipaservice group; the role is delegated to `item`.
            - include_role:
                name: tripleo_ipa_registration
              vars:
                tripleo_ipa_enroll_base_server: {get_param: IdMEnrollBaseServer}
                tripleo_ipa_delegate_server: "{{ item }}"
                tripleo_ipa_base_server_fqdn: "{{ hostvars[item]['fqdn_canonical'] }}"
                tripleo_ipa_server_metadata: "{{ hostvars[item]['service_metadata_settings'] | to_json }}"
              loop: "{{ groups.ipaservice }}"
            # DNS record management; skipped entirely when IdMModifyDNS is false.
            - include_role:
                name: tripleo_ipa_dns
              vars:
                tripleo_ipa_ptr_zone_split_ipv4: {get_param: IdMZoneSplitIPv4}
                tripleo_ipa_ptr_zone_split_ipv6: {get_param: IdMZoneSplitIPv6}
              when: {get_param: IdMModifyDNS}
          # Kerberos environment for the block above: the nova/<fqdn> keytab is
          # the credential used against IPA. IPA_HOST is only set when IdMServer
          # was provided, and only its first entry is used here; the full list
          # goes to ipaclient_servers below.
          environment:
            if:
              - idm_server_provided
              - IPA_HOST: {get_param: [IdMServer, 0]}
                IPA_USER: "nova/{{ ansible_facts['fqdn'] }}"
                KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
              - IPA_USER: "nova/{{ ansible_facts['fqdn'] }}"
                KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
        - name: enroll the node as an ipa client
          # NOTE(xek): this is moved to external_deploy_tasks to make sure this happens before certificates are requested from certmonger
          when: step|int == 1
          vars:
            ipaclient_install_packages: {get_param: IdMInstallClientPackages}
            idm_enroll_base_server: {get_param: IdMEnrollBaseServer}
          block:
            # /etc/ipa/default.conf on the host is the marker for "already
            # enrolled"; the enrollment and certmonger-restart tasks below are
            # skipped for hosts where it exists.
            - name: check if default.conf exists
              delegate_to: "{{ item }}"
              stat:
                path: /etc/ipa/default.conf
              register: ipa_conf_exists
              loop: "{{ groups.ipaservice }}"
            - name: install openssl-perl
              delegate_to: "{{ item }}"
              become: true
              package:
                name: openssl-perl
                state: present
              loop: "{{ groups.ipaservice }}"
              when:
                - ipaclient_install_packages|bool
            # Enroll each not-yet-enrolled host as an IPA client. The role runs
            # privileged on the target host (apply: become/delegate_to).
            - name: register as an ipa client
              include_role:
                name: ipaclient
                apply:
                  delegate_to: "{{ outer_item.0 }}"
                  become: true
              vars:
                map_merge:
                  - state: present
                    # One-time enrollment password taken from the host's
                    # ipa_host_otp hostvar. It is a secret — NOTE(review): confirm
                    # the ipaclient role keeps it out of task output.
                    ipaclient_otp: "{{ hostvars[outer_item.0]['ipa_host_otp'] }}"
                    ipaclient_mkhomedir: {get_param: MakeHomeDir}
                    ipaclient_no_ntp: {get_param: IdMNoNtpSetup}
                    # NOTE(review): forces enrollment even if IPA already has a
                    # host entry (presumably ipa-client-install --force); a stale
                    # entry is replaced rather than causing a failure — confirm
                    # this is the intended recovery behaviour.
                    ipaclient_force: true
                    ipaclient_hostname: "{{ hostvars[outer_item.0]['fqdn_canonical'] }}"
                    ansible_fqdn: "{{ ipaclient_hostname }}"
                    ipaclients:
                      - "{{ outer_item.0 }}"
                    # NOTE(xek): The following is a workaround till ipaclient is fixed to use ansible_facts
                    # see: https://github.com/freeipa/ansible-freeipa/pull/517
                    ansible_distribution: "{{ ansible_facts['distribution'] }}"
                    ansible_distribution_major_version: "{{ ansible_facts['distribution_major_version'] }}"
                    ansible_distribution_release: "{{ ansible_facts['distribution_release'] }}"
                    ansible_distribution_version: "{{ ansible_facts['distribution_version'] }}"
                    ansible_os_family: "{{ ansible_facts['os_family'] }}"
                  # Two-argument `if`: when no server was provided the whole item
                  # is dropped and ipaclient falls back to DNS discovery.
                  - if:
                      - idm_server_provided
                      - ipaclient_servers: {get_param: IdMServer}
                        ipaclient_domain: {get_param: IdMDomain}
              when:
                - idm_enroll_base_server|bool
                - not outer_item.1.stat.exists
              # Pairs each host with its own stat result; registered loop
              # results are in loop order, so the zip lines up.
              loop: "{{ groups.ipaservice|zip(ipa_conf_exists.results)|list }}"
              loop_control:
                loop_var: outer_item
            # certmonger must pick up the fresh IPA client configuration before
            # certificates are requested.
            - name: restart certmonger service
              delegate_to: "{{ item.0 }}"
              become: true
              systemd:
                state: restarted
                daemon_reload: true
                name: certmonger.service
              when:
                - idm_enroll_base_server|bool
                - not item.1.stat.exists
              loop: "{{ groups.ipaservice|zip(ipa_conf_exists.results)|list }}"
            # Sets idm_realm on each host (delegate_facts) to the realm found in
            # /etc/ipa/default.conf, defaulting to IdMDomain upper-cased.
            # NOTE(review): lookup() is evaluated on the ansible controller, not
            # on the delegated host, so the file read here is the undercloud's
            # default.conf — confirm that is the intended source of the realm.
            - name: set discovered ipa realm
              delegate_to: "{{ item }}"
              delegate_facts: true
              set_fact:
                idm_realm:
                  str_replace:
                    template:
                      "{{ lookup('ini', 'realm default=DEFAULT section=global file=/etc/ipa/default.conf')}}"
                    params:
                      DEFAULT:
                        yaql:
                          expression: $.data.toUpper()
                          data: {get_param: IdMDomain}
              loop: "{{ groups.ipaservice }}"
      # Scale-down: remove the node's IPA host entry, run from the undercloud
      # with the nova keytab as the credential.
      scale_tasks:
        - when: step|int == 1
          tags: down
          block:
            - name: unregister node from ipa server
              import_role:
                name: tripleo_ipa_cleanup
              delegate_to: "{{ groups['Undercloud'] | first }}"
              vars:
                tripleo_ipa_keytab: {get_param: IdMNovaKeytab}
                tripleo_ipa_hosts_to_delete:
                  - "{{ fqdn_canonical }}"
      # Pre-upgrade validation that the IPA server grants the permissions the
      # TLS-everywhere setup needs.
      external_upgrade_tasks:
        - when: step|int == 1
          block:
            - name: check if ipa server has required permissions
              import_role:
                name: tls_everywhere
                tasks_from: ipa-server-check
              tags:
                - opendev-validation
                - opendev-validation-tls-everywhere