Add role to deploy FreeIPA

New role has the ability to deploy a FreeIPA server

- Update undercloud-deploy role to check hostvars for freeipa
  related vars set during role execution
- Update novajoin_prep.sh to set IPA server as dns server

Closes-Bug: 1662923

Change-Id: I53323511aabf0d616805efab6edde4acc7bedf11

roles/freeipa-setup/README.md

@@ -0,0 +1,35 @@
+FreeIPA Setup
+=============
+
+An Ansible role to setup a FreeIPA server
+
+Requirements
+------------
+
+This role requires a running host to deploy FreeIPA
+
+Role Variables
+--------------
+
+- `freeipa_hostname`: <'ipa.tripleodomain'> -- Hostname for the FreeIPA server
+- `freeipa_ip`: <'192.168.24.250'> -- IP for the the FreeIPA server
+- `directory_manager_password`: <string> -- Password for the directory manager
+- `freeipa_admin_password`: <string> -- FreeIPA server admin password
+- `undercloud_fqdn`: <'undercloud.tripleodomain'> -- FQDN for the undercloud
+- `provisioning_cidr`: <'{{ freeipa_ip }}/24'> -- If set, it adds the given CIDR to the
+provisioning interface (which is hardcoded to eth1)
+- `supplemental_user`: <stack> The user which is used to deploy FreeIpa on the supplemental node
+
+Example Playbook
+----------------
+
+Sample playbook to call the role
+
+```yaml
+# Deploy the FreeIPA Server
+- name:  Deploy FreeIPA
+  hosts: freeipa_host
+  gather_facts: no
+  roles:
+    - freeipa-setup
+```

roles/freeipa-setup/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+
+freeipa_hostname: "ipa.tripleodomain"
+freeipa_ip: "{{ undercloud_network_cidr|nthhost(250) }}"
+undercloud_fqdn: "undercloud.tripleodomain"
+provisioning_cidr: "{{ undercloud_network_cidr }}"
+supplemental_user: "stack"

roles/freeipa-setup/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - extras-common

roles/freeipa-setup/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+
+- block:
+  - name: Set FreeIPA admin password
+    set_fact:
+      freeipa_admin_password: "{{ lookup('pipe','uuidgen') }}"
+    when: freeipa_admin_password is not defined
+
+  - name: Set directory manager password
+    set_fact:
+      directory_manager_password: "{{ lookup('pipe','uuidgen') }}"
+    when: directory_manager_password is not defined
+
+  - name: Create FreeIPA deployment script
+    template:
+      src: deploy_freeipa.sh.j2
+      dest: "~{{ supplemental_user }}/deploy_freeipa.sh"
+      mode: 0744
+
+  - name: Deploy FreeIPA
+    become: true
+    command: "~{{ supplemental_user }}/deploy_freeipa.sh &> ~{{ supplemental_user }}/deploy_freeipa.log"

roles/freeipa-setup/templates/deploy_freeipa.sh.j2

@@ -0,0 +1,83 @@
+#! /bin/bash
+
+set -eux
+
+### ---start_docs
+
+## Setup FreeIPA
+## =============
+
+## * Set required environment variables::
+
+export TRIPLEO_DOMAIN=tripleodomain.example.com
+export CA_SERVER_HOSTNAME=ipa.$TRIPLEO_DOMAIN
+export CA_ADMIN_PASS={{ freeipa_admin_password }}
+export CA_DIR_MANAGER_PASS={{ directory_manager_password }}
+export UNDERCLOUD_FQDN=undercloud.$TRIPLEO_DOMAIN
+export IPA_SERVER_IP={{ supplemental_node_ip }}
+
+## * Set IPA hostname::
+
+hostnamectl set-hostname --static $CA_SERVER_HOSTNAME
+
+## * Prepare the hosts file
+## .. note:: This must be at the top of /etc/hosts
+## ::
+
+sed -i "1i$IPA_SERVER_IP $CA_SERVER_HOSTNAME" /etc/hosts
+
+## * Install required system packages::
+
+yum install -yq ipa-server ipa-server-dns wget epel-release
+
+## * Increase system entropy (to prevent slow down during IPA installation)::
+
+wget https://centos7.iuscommunity.org/ius-release.rpm
+rpm -Uvh ius-release*.rpm
+yum install -y haveged
+systemctl start haveged.service
+
+## * Install FreeIPA::
+
+ipa-server-install -U \
+    -r `hostname -d|tr "[a-z]" "[A-Z]"` \
+    -p $CA_DIR_MANAGER_PASS \
+    -a $CA_ADMIN_PASS \
+    --hostname `hostname -f ` \
+    --ip-address=$IPA_SERVER_IP \
+    --setup-dns --auto-forwarders --auto-reverse
+
+## * Set iptables rules::
+
+cat << EOF > freeipa-iptables-rules.txt
+# Firewall configuration written by system-config-firewall
+# Manual customization of this file is not recommended.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+#TCP ports for FreeIPA
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 443  -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 88  -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 464  -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 53  -j ACCEPT
+#UDP ports for FreeIPA
+-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
+-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT
+-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
+-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+EOF
+
+iptables-restore < freeipa-iptables-rules.txt
+
+### ---stop_docs

roles/undercloud-deploy/tasks/novajoin_prep.yml

@@ -1,7 +1,10 @@
 ---
+
 - name: Validate FreeIPA Admin password was passed
   fail: msg="freeipa_admin_password is not passed and or blank"
-  when: freeipa_admin_password is not defined or ( freeipa_admin_password is defined and freeipa_admin_password == "" )
+  when:
+    - deploy_supplemental_node|bool and not hostvars['supplemental'].freeipa_admin_password|default('')
+    - not freeipa_admin_password|default('')
 
 - name: Validate FreeIPA Server hostname was passed
   fail: msg="freeipa_server_hostname is not passed and or blank"

roles/undercloud-deploy/templates/novajoin_prep.sh.j2

@@ -7,12 +7,23 @@ set -eux
 ## =======================================================
 
 
+## * Ensure that the undercloud is using the FreeIPA server
+##   as its DNS server
+
+## .. Note:: You may not use sudo and use output redirection '>'::
+
+sudo /bin/su -c "echo 'nameserver {{ undercloud_undercloud_nameservers[-1] }}' > /etc/resolv.conf"
+
 ## * Set up FreeIPA permissions and privileges and get the OTP.
 ## ::
 
 sudo /usr/libexec/novajoin-ipa-setup \
     --principal admin \
+{% if deploy_supplemental_node|bool %}
+    --password {{ hostvars['supplemental'].freeipa_admin_password }} \
+{% else %}
     --password {{ freeipa_admin_password }} \
+{% endif %}
     --server {{ freeipa_server_hostname }} \
     --realm $(echo {{ overcloud_cloud_domain }} | awk '{print toupper($0)}') \
     --domain {{ overcloud_cloud_domain }} \