Enable novajoin/TLS-everywhere deployment

If a conditional is set, this adds the novajoin and TLS-everywhere
bits needed in the deployment:

* It sets up novajoin in the undercloud and runs the necessary
  pre-configuration bits to work with FreeIPA.

* Modifies the overcloud-full image to use the latest working version of
  cloud-init.

* Adds the necessary environment files to the overcloud deploy command.

Change-Id: I2b8c71a88bf747d57a8fec344313603d9bf4aeb9

roles/extras-common/defaults/main.yml

@@ -3,4 +3,4 @@
 overcloud_ipv6: false
 containerized_overcloud: false
 overcloud_templates_path: /usr/share/openstack-tripleo-heat-templates
-
+enable_tls_everywhere: false

roles/overcloud-deploy/defaults/main.yml

@@ -69,6 +69,7 @@ workers_args: ""
 backup_args: ""
 
 ssl_args: ""
+tls_everywhere_args: ""
 validation_args: "--validation-warnings-fatal"
 
 deployed_server: false
@@ -90,6 +91,7 @@ deploy_args: >-
   {{ workers_args }}
   {{ backup_args }}
   {{ ssl_args }}
+  {{ tls_everywhere_args }}
   {{ extra_tht_config_args|default('') }}
   {{ validation_args }}
   {{ extra_args }}

roles/overcloud-deploy/tasks/pre-deploy.yml

@@ -61,6 +61,16 @@
     - ssl_overcloud|bool
     - release in ['mitaka', 'liberty']
 
+- name: set novajoin/TLS everywhere fact
+  set_fact:
+      tls_everywhere_novajoin_args: >-
+          -e {{ overcloud_templates_path }}/environments/services/haproxy-public-tls-certmonger.yaml
+          -e {{ overcloud_templates_path }}/environments/enable-internal-tls.yaml
+          -e {{ overcloud_templates_path }}/environments/tls-everywhere-endpoints-dns.yaml
+  when:
+    - enable_tls_everywhere|bool
+    - release not in ['mitaka', 'liberty', 'newton']
+
 - name: set validation_args fact for mitaka/liberty
   set_fact:
     validation_args: "--validation-errors-fatal --validation-warnings-fatal"

roles/overcloud-prep-images/tasks/main.yml

@@ -1,3 +1,6 @@
+- include: update-cloud-init.yml
+  when: enable_tls_everywhere|bool
+
 - include: create-scripts.yml
   tags:
     - undercloud-scripts

roles/overcloud-prep-images/tasks/update-cloud-init.yml

@@ -0,0 +1,21 @@
+# Updates the cloud-init package in the overcloud images, since it's needed for
+# novajoin/TlS-everywhere to properly work. This is currently a workaround
+# until the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1420946 is
+# available in CentOS.
+
+- name: Fetch cloud-init package
+  get_url:
+    url: http://66.187.229.139/test/cloud-init-0.7.6-9.el7.x86_64.rpm
+    dest: "{{ working_dir }}/cloud-init-0.7.6-9.el7.x86_64.rpm"
+    mode: 0755
+
+- name: Update cloud-init from the overcloud-full image
+  include_role:
+    name: modify-image
+  vars:
+    image_to_modify: "{{ working_dir }}/overcloud-full.qcow2"
+    modify_image_upload_files:
+      - src: "{{ working_dir }}/cloud-init-0.7.6-9.el7.x86_64.rpm"
+        dest: /root/cloud-init-0.7.6-9.el7.x86_64.rpm
+    modify_image_install_packages:
+      - '/root/cloud-init-0.7.6-9.el7.x86_64.rpm'

roles/undercloud-deploy/README.md

@@ -35,6 +35,19 @@ http://docs.openstack.org/developer/tripleo-quickstart/accessing-libvirt.html
   parameter from undercloud.conf.
 - undercloud_undercloud_admin_host: Sets up the 'undercloud_admin_host' from
   undercloud.conf.
+- `undercloud_undercloud_hostname`: Sets up the 'undercloud_hostname' value from
+  undercloud.conf.
+- `prepare_novajoin`: If set to true, it will install novajoin in the undercloud,
+  and run a script that will create the required privileges/permissions in
+  FreeIPA, as well as the undercloud host entry. this requires
+  'enable_tls_everywhere' to be set to true, and the following variables to be
+  properly defined: 'freeipa_admin_password', 'freeipa_server_hostname',
+  'overcloud_cloud_domain', 'undercloud_undercloud_hostname'. If you plan to do
+  this yourself, you can set this variable to false. Defaults to true.
+- `freeipa_admin_password`: The password for the admin principal for FreeIPA.
+  This will be used to run the script to prepare FreeIPA for novajoin.
+- `freeipa_server_hostname`: The hostname for the FreeIPA server.
+  This will be used to run the script to prepare FreeIPA for novajoin.
 
 Role Network Variables
 ----------------------

roles/undercloud-deploy/defaults/main.yml

@@ -22,3 +22,5 @@ undercloud_ironic_ipxe_port: 3816
 
 enable_vbmc: true
 undercloud_conf_extra: ""
+
+prepare_novajoin: true

roles/undercloud-deploy/files/install_novajoin.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+### --start_docs
+
+## Install the required packages for novajoin/TLS-everywhere
+## =========================================================
+
+## * Install python-novajoin
+## ::
+
+sudo yum install -y python-novajoin
+
+### --stop_docs

roles/undercloud-deploy/tasks/main.yml

@@ -1,3 +1,6 @@
+- include: novajoin_prep.yml
+  when: enable_tls_everywhere|bool and prepare_novajoin|bool
+
 - include: create-scripts.yml
   tags:
     - undercloud-scripts

roles/undercloud-deploy/tasks/novajoin_prep.yml

@@ -0,0 +1,43 @@
+---
+- name: Validate FreeIPA Admin password was passed
+  fail: msg="freeipa_admin_password is not passed and or blank"
+  when: freeipa_admin_password is not defined or ( freeipa_admin_password is defined and freeipa_admin_password == "" )
+
+- name: Validate FreeIPA Server hostname was passed
+  fail: msg="freeipa_server_hostname is not passed and or blank"
+  when: freeipa_server_hostname is not defined or ( freeipa_server_hostname is defined and freeipa_server_hostname == "" )
+
+- name: Validate a domain for the cloud was given
+  fail: msg="overcloud_cloud_domain is not passed and or blank"
+  when: overcloud_cloud_domain is not defined or ( overcloud_cloud_domain is defined and overcloud_cloud_domain == "" )
+
+- name: Validate a undercloud hostname was given
+  fail: msg="undercloud_undercloud_hostname is not passed and or blank"
+  when: undercloud_undercloud_hostname is not defined or ( undercloud_undercloud_hostname is defined and undercloud_undercloud_hostname == "" )
+
+- name: Install novajoin package installation script
+  copy:
+    src: install_novajoin.sh
+    dest: "{{ working_dir }}/install_novajoin.sh"
+    mode: 0755
+
+- name: Run the novajoin installation script
+  shell: "{{ working_dir }}/install_novajoin.sh > {{ working_dir }}/install_novajoin.sh.log 2>&1"
+
+- name: Install novajoin preparation script
+  template:
+    src: novajoin_prep.sh.j2
+    dest: "{{ working_dir }}/novajoin_prep.sh"
+    mode: 0755
+
+- name: Run the novajoin preparation script
+  shell: "{{ working_dir }}/novajoin_prep.sh > {{ working_dir }}/novajoin_prep.sh.log 2>&1"
+
+- name: Register OTP output
+  command: cat /tmp/ipa-otp.txt
+  register: ipa_otp_register
+
+- name: Set OTP Fact for undercloud enrollment
+  set_fact:
+    undercloud_ipa_otp: "{{ ipa_otp_register.stdout }}"
+  when: ipa_otp_register.rc == 0

roles/undercloud-deploy/templates/novajoin_prep.sh.j2

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -eux
+
+### --start_docs
+
+## Set up the necessary permissions/privileges in novajoin
+## =======================================================
+
+
+## * Set up FreeIPA permissions and privileges and get the OTP.
+## ::
+
+sudo /usr/libexec/novajoin-ipa-setup \
+    --principal admin \
+    --password {{freeipa_admin_password}} \
+    --server {{freeipa_server_hostname}} \
+    --realm $(echo {{overcloud_cloud_domain}} | awk '{print toupper($0)}') \
+    --domain {{overcloud_cloud_domain}} \
+    --hostname {{undercloud_undercloud_hostname}} \
+    --otp-file /tmp/ipa-otp.txt \
+    --precreate
+
+### --stop_docs

roles/undercloud-deploy/templates/undercloud.conf.j2

@@ -202,8 +202,8 @@ enable_monitoring = {{undercloud_enable_monitoring}}
 {% endif %}
 
 # Whether to install novajoin metadata service in the Undercloud.
-{% if undercloud_enable_novajoin is defined %}
-enable_novajoin = {{undercloud_enable_novajoin}}
+{% if enable_tls_everywhere %}
+enable_novajoin = {{enable_tls_everywhere}}
 {% else %}
 #enable_novajoin = false
 {% endif %}