Add role for standalone on multinode with IPA

This review adds the ipa-multinode role to
install and configure a two-node setup -
where the IPA server is running on the
secondary node and a standalone deployment
is run on the primary node.

This review also includes modifications to
standalone role to use the IPA server when
enable_tls is set to true.

Depends-On: https://review.opendev.org/#/c/707419
Depends-On: https://review.opendev.org/#/c/724907
Story: https://tree.taiga.io/project/tripleo-ci-board/us/670
Change-Id: Ibe23ad6465a06e92e295cb419888684e699e945f
Ronelle Landy 2020-04-17 11:46:11 -04:00
parent c601b3215e
commit b4e0a03c14
7 changed files with 413 additions and 1 deletions

@ -0,0 +1,28 @@
---
- name: Add the nodes to the generated inventory
hosts: undercloud
gather_facts: true
vars:
inventory: multinode
roles:
- tripleo-inventory
tags:
- standalone
- name: Setup the IPA server
hosts: subnode-1
tags:
- standalone
tasks:
- include_role:
name: ipa-multinode
tasks_from: ipaserver-subnode-install.yml
- name: Setup the undercloud for IPA server
hosts: undercloud
tags:
- standalone
tasks:
- include_role:
name: ipa-multinode
tasks_from: ipaserver-undercloud-setup.yml

@ -0,0 +1,69 @@
ipa-multinode
=============
An Ansible role to install and configure a two-node setup where
the IPA server is running on the secondary node and a standalone
deployment is run on the primary node.
Requirements
------------
* https://opendev.org/x/tripleo-ipa
Role Variables
--------------
* `freeipa_internal_ip` -- IP for the FreeIPA server
* `standalone_hostname` -- Hostname for secondary node
* `freeipa_server_hostname` -- Hostname for the FreeIPA server
* `overcloud_cloud_name` -- Cloud name for overcloud
* `overcloud_cloud_domain` -- Cloud domain for overcloud
* `overcloud_cloud_name_internal` -- Internal name for overcloud
* `overcloud_cloud_name_storage` -- Storage cloud name for overcloud
* `overcloud_cloud_name_storage_management` -- Storage namangement cloud name for overcloud
* `overcloud_cloud_name_ctlplane` -- Controlplane cloud name for overcloud
* `freeipa_admin_password` -- FreeIPA server admin password
* `enable_tls` -- Boolean value if FreeIPA server will be used in the deployment
* `ipa_domain` -- IPA domain name
* `cloud_domain` -- IPA cloud domain name
* `ipa_nameserver` -- IPA name server
* `ipa_realm` -- IPA realm
* `freeipa_directory_password` -- Password for the directory manager
* `freeipa_principal` -- FreeIPA principal
* `undercloud_cloud_domain` -- Undercloud cloud domain
* `tls_packages` -- TLS dependacy packages
* `ipa_packages` -- FreeIPA packages
Example Usage
-------------
```yaml
---
- name: Setup the IPA server
hosts: subnode-1
tags:
- standalone
tasks:
- include_role:
name: ipa-multinode
tasks_from: ipaserver-subnode-install.yml
- name: Setup the undercloud for IPA server
hosts: undercloud
tags:
- standalone
tasks:
- include_role:
name: ipa-multinode
tasks_from: ipaserver-undercloud-setup.yml
```
License
-------
Apache
Author Information
------------------
TripleO-CI Team

@ -0,0 +1,30 @@
---
freeipa_internal_ip: "{{ hostvars['subnode-1'].inventory_ip }}"
standalone_hostname: "standalone-0.{{ tripleo_domain }}"
tripleo_domain: ooo.test
undercloud_cloud_domain: "{{ tripleo_domain }}"
freeipa_server_hostname: "ipa.{{ tripleo_domain }}"
overcloud_cloud_name: "overcloud.{{ tripleo_domain }}"
overcloud_cloud_domain: "{{ tripleo_domain }}"
overcloud_cloud_name_internal: "overcloud.internalapi.{{ tripleo_domain }}"
overcloud_cloud_name_storage: "overcloud.storage.{{ tripleo_domain }}"
overcloud_cloud_name_storage_management: "overcloud.storagemgmt.{{ tripleo_domain }}"
overcloud_cloud_name_ctlplane: "overcloud.ctlplane.{{ tripleo_domain }}"
freeipa_admin_password: fce95318204114530f31f885c9df588f
# vars for new tls work
enable_tls: true
ipa_domain: "{{ tripleo_domain }}"
cloud_domain: "{{ tripleo_domain }}"
ipa_nameserver: "ipa.{{ tripleo_domain }}"
ipa_realm: "{{ ipa_domain | upper }}"
freeipa_directory_password: "{{ freeipa_admin_password }}"
freeipa_principal: admin
tls_packages:
- ipa-client
- python3-pip
- openssl-perl
ipa_packages:
- ipa-server
- ipa-server-dns
- curl
- iptables
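Review bot: `freeipa_admin_password` is a fixed literal committed to the repository, and `freeipa_directory_password` reuses the same value, so every IPA server deployed by this role shares one known admin and Directory Manager credential. Being a role default it looks overridable, but the undercloud-setup tasks in this change re-assign the same literal with `set_fact`, so an inventory or job-level override would not take effect there either. Generate the value once per run instead, e.g. `freeipa_admin_password: "{{ lookup('password', '/tmp/freeipa_admin_pw length=32 chars=ascii_letters,digits') }}"` (the file-backed password lookup returns the same value on every evaluation), and give the Directory Manager its own value. If a static default must stay, the README should say it is only for throwaway CI nodes.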

@ -0,0 +1,3 @@
---
dependencies:
- extras-common

@ -0,0 +1,127 @@
---
- set_fact:
subnode_1_ip: "{{ hostvars['subnode-1'].inventory_ip }}"
- name: set the freeipa_internal_ip
set_fact:
inventory_hostname: "{{ subnode_1_ip }}"
undercloud_ipv4_address: "{{ hostvars['undercloud']['ansible_default_ipv4'].address }}"
standalone_control_virtual_ip: "{{ undercloud_network_cidr|nthhost(210) }}"
cacheable: true
- include_role:
name: repo-setup
vars:
repo_setup_dir: /home/{{ ansible_user|default('centos') }}
- name: set FQDN
shell: hostnamectl set-hostname --static {{ ipa_nameserver }}
become: true
- name: install required packages
shell: dnf module -y enable pki-deps pki-core idm:DL1
become: true
- name: install FreeIPA packages
become: true
package:
name: '{{ ipa_packages }}'
state: latest
- name: set python_cmd
set_fact:
python_cmd: "python{{ ansible_python.version.major }}"
cacheable: true
when: python_cmd is not defined
- name: check if FreeIPA is configured
shell: >
{{ python_cmd }} -c 'import sys; from ipaserver.install.installutils import is_ipa_configured; print(is_ipa_configured())'
register: ipa_install
- name: Add subnode IP to /etc/hosts
shell:
cmd: |
sed -i "1i{{ subnode_1_ip }} {{ ipa_nameserver }}" /etc/hosts
become: true
- name: configure FreeIPA
shell: >
ipa-server-install --realm {{ ipa_realm }}
--ds-password {{ freeipa_directory_password }}
--admin-password {{ freeipa_admin_password }}
--hostname {{ ipa_nameserver }}
--setup-dns
--forwarder {{ job.public_name_server|default('1.1.1.1') }}
--auto-reverse
--unattended
--ip-address {{ subnode_1_ip }}
become: true
when:
ipa_install.stdout == 'False'
# This needs to be set on the FreeIPA server so that the overcloud nodes
# can pull the certificate. If this isn't set, the overcloud nodes will
# have an HTML 404 Not Found response stored in their certificate files
# instead of a valid DER encoded certificate. This eventually snowballs and
# causes openssl operations to fall during the overcloud installation
# process.
- name: configure FreeIPA to publish Master CRL at start
become: true
lineinfile:
path: /etc/pki/pki-tomcat/ca/CS.cfg
regexp: '^ca.crl.MasterCRL.publishOnStart=(.*)$'
line: 'ca.crl.MasterCRL.publishOnStart=true'
- name: restart FreeIPA server
become: true
service:
name: ipa
state: restarted
- name: installation notice
debug:
msg:
- "FreeIPA has been installed on {{ inventory_hostname }} with the following
administrator credentials:"
- "user: {{ freeipa_principal }}"
- "password: {{ freeipa_admin_password }}"
- name: Check DNS works
shell: >
ping -c 5 redhat.com
register: ping_output_com
- debug:
msg: "{{ ping_output_com.stdout }}"
- name: Add DNS entries
become: true
shell: >
echo "{{ freeipa_admin_password }}" | kinit admin ;
ipa dnsrecord-add ooo.test standalone-0 --a-rec "{{ undercloud_ipv4_address }}";
ipa dnsrecord-add ooo.test overcloud.ctlplane --a-rec "{{ standalone_control_virtual_ip }}";
ipa dnsrecord-add ooo.test overcloud --a-rec "{{ standalone_control_virtual_ip }}";
ipa dnsrecord-add ooo.test overcloud.internalapi --a-rec "{{ standalone_control_virtual_ip }}";
ipa dnsrecord-add ooo.test overcloud.storage --a-rec "{{ standalone_control_virtual_ip }}";
ipa dnsrecord-add ooo.test overcloud.storagemgmt --a-rec "{{ standalone_control_virtual_ip }}";
- name: Show DNS entries - standalone-0
become: true
shell: >
echo "{{ freeipa_admin_password }}" | kinit admin ;
ipa dnsrecord-show ooo.test standalone-0
register: standalone_record
- name: Show DNS entries - overcloud
become: true
shell: >
echo "{{ freeipa_admin_password }}" | kinit admin ;
ipa dnsrecord-show ooo.test overcloud
register: overcloud_record
- debug:
msg: "{{ standalone_record.stdout }}"
- debug:
msg: "{{ overcloud_record.stdout }}"
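Review bot: The FreeIPA admin and Directory Manager passwords land in the job log at several points in this hunk: `ipa-server-install --ds-password … --admin-password …` runs through `shell` without `no_log`, the `installation notice` debug prints `password: {{ freeipa_admin_password }}`, and the three `echo "{{ freeipa_admin_password }}" | kinit admin` tasks put the secret on the `sh -c` command line, where it is also visible in the process list on the node while it runs. Add `no_log: true` to the install task, drop the password line from the debug message, and feed kinit from `stdin:` once instead of echoing the password before every `ipa` call. The `Add DNS entries` task also chains six commands with `;`, so a failing `dnsrecord-add` is masked by the exit status of the last one, and it hard-codes `ooo.test` and the record names rather than using `ipa_domain` and the `overcloud_cloud_name_*` defaults; a loop lets each record fail on its own. Separately, `sed -i "1i…" /etc/hosts` prepends another line on every run, whereas the `lineinfile` used for the same purpose in the undercloud tasks is idempotent.
```yaml
- name: Obtain a Kerberos ticket for the IPA admin
  become: true
  shell: kinit {{ freeipa_principal }}
  args:
    stdin: "{{ freeipa_admin_password }}"
  no_log: true
- name: Add DNS entries
  become: true
  shell: >
    ipa dnsrecord-add {{ ipa_domain }} {{ item.name }} --a-rec "{{ item.address }}"
  loop:
    - { name: standalone-0, address: "{{ undercloud_ipv4_address }}" }
    - { name: overcloud, address: "{{ standalone_control_virtual_ip }}" }
    - { name: overcloud.ctlplane, address: "{{ standalone_control_virtual_ip }}" }
    - { name: overcloud.internalapi, address: "{{ standalone_control_virtual_ip }}" }
    - { name: overcloud.storage, address: "{{ standalone_control_virtual_ip }}" }
    - { name: overcloud.storagemgmt, address: "{{ standalone_control_virtual_ip }}" }
# … unchanged: dnsrecord-show tasks (also switch them to the ticket above and no_log) …
```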

@ -0,0 +1,124 @@
---
- set_fact:
subnode_1_ip: "{{ hostvars['subnode-1'].inventory_ip }}"
standalone_hostname: "standalone-0.{{ tripleo_domain }}"
tripleo_domain: ooo.test
ipa_domain: "{{ tripleo_domain }}"
ipa_realm: "{{ ipa_domain | upper }}"
ipa_user: admin
ipa_password: "{{ freeipa_admin_password }}"
ipa_nameserver: "ipa.{{ tripleo_domain }}"
undercloud_hostname: "standalone-0.{{ tripleo_domain }}"
cloud_domain: "{{ tripleo_domain }}"
undercloud_cloud_domain: "{{ tripleo_domain }}"
freeipa_server_hostname: "ipa.{{ tripleo_domain }}"
freeipa_admin_password: fce95318204114530f31f885c9df588f
enable_tls: true
cacheable: true
- name: Add subnode IP to /etc/hosts
lineinfile:
line: "{{ subnode_1_ip }} {{ freeipa_server_hostname }}"
path: /etc/hosts
become: true
- name: Add {{ subnode_1_ip }} host to freeipa group
add_host:
name: "{{ freeipa_internal_ip }}"
groups: freeipa
- name: set FQDN
become: true
hostname:
name: "{{ undercloud_hostname }}"
- name: set hostname properly
become: true
lineinfile:
dest: /etc/hosts
line: "127.0.0.1 undercloud.localdomain localhost localhost.localdomain"
regexp: '^127\.0\.0\.1'
- name: Prepare the undercloud for installation
include_role:
name: undercloud-setup
tags:
- standalone
# We need to update /etc/resolv.conf so that the undercloud can use FreeIPA
# for DNS. We also need to make sure it's the first line in
# /etc/resolv.conf otherwise we'll fail to find FreeIPA (e.g.,
# ipa.ooo.test).
- name: ensure that DHCP doesn't overwite DNS settings (CentOS/RHEL >= 8)
become: true
lineinfile:
path: /etc/NetworkManager/NetworkManager.conf
regexp: '^dns='
insertafter: '^[main]'
line: 'dns=none'
when:
- ansible_os_family == 'RedHat'
- ansible_lsb.major_release is version(8, '>=')
- name: set search domain
become: true
lineinfile:
path: /etc/resolv.conf
regexp: '^search'
line: 'search {{ cloud_domain }}'
state: present
when:
- cloud_domain == ipa_domain
- name: set IPA server as primary DNS provider
become: true
lineinfile:
path: /etc/resolv.conf
insertafter: '^search'
line: "nameserver {{ freeipa_internal_ip }}"
state: present
- name: install tls dependencies
become: true
package:
name: '{{ tls_packages }}'
state: latest
when:
- enable_tls | bool
- name: run undercloud ipa installer
become: true
become_user: zuul
shell: >
ansible-playbook -vvv
--ssh-extra-args "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
/usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml
| tee undercloud-ipa-install.log
environment:
IPA_DOMAIN: "{{ ipa_domain }}"
IPA_REALM: "{{ ipa_realm }}"
IPA_ADMIN_USER: "{{ ipa_user }}"
IPA_ADMIN_PASSWORD: "{{ ipa_password }}"
IPA_SERVER_HOSTNAME: "{{ ipa_nameserver }}"
UNDERCLOUD_FQDN: "{{ undercloud_hostname }}"
USER: zuul
CLOUD_DOMAIN: "{{ cloud_domain }}"
# yamllint disable-line rule:line-length
ANSIBLE_ROLES_PATH: "/usr/share/ansible/tripleo-playbooks/roles:/home/zuul/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:/usr/share/ansible/tripleo-playbooks:/home/zuul/{{ zuul.projects['opendev.org/openstack/tripleo-ansible'].src_dir }}/tripleo_ansible/roles"
when:
- enable_tls | bool
- name: remove all other nameservers from resolv.conf
become: true
lineinfile:
path: /etc/resolv.conf
regexp: '^nameserver 127.0.0.1'
state: absent
- name: Check that the DNS works
shell: >
ping -c 5 redhat.com
register: dig_ouput_com
- debug:
msg: "dig_ouput_com is {{ dig_ouput_com.stdout }}"
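Review bot: The `ensure that DHCP doesn't overwite DNS settings` task does not put `dns=none` where intended: `insertafter: '^[main]'` is a regex character class matching any line that starts with one of the letters m, a, i or n, not the literal `[main]` section header, so the line is inserted after some unrelated line or appended at end of file in whatever section comes last; it should be `insertafter: '^\[main\]'`. The same task's condition reads `ansible_lsb.major_release`, which is typically empty when the lsb_release tooling is not installed on the node and then makes the `version` comparison error out; `ansible_distribution_major_version is version('8', '>=')` has no such dependency. The `set_fact` at the top also re-declares role defaults (`tripleo_domain`, `enable_tls`, `ipa_nameserver`, `freeipa_server_hostname` and the literal `freeipa_admin_password`) with `cacheable: true`, which takes precedence over inventory and play vars for the rest of the run, so the variables the README lists as configurable cannot actually be overridden from a job; keep only the derived values (`subnode_1_ip`, `ipa_user`, `ipa_password`, `undercloud_hostname`) there. The final `Check that the DNS works` task registers `dig_ouput_com` but runs `ping`, which only proves ICMP reaches redhat.com; `dig @{{ freeipa_internal_ip }} {{ ipa_nameserver }}` would exercise the resolver this hunk just configured.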

@ -15,6 +15,24 @@
hostname:
name: "{{ standalone_hostname }}"
become: true
when: not enable_tls|default(false)|bool
- name: set virtual-control-ip for TLS deployments
set_fact:
standalone_control_virtual_ip: "{{ undercloud_network_cidr|nthhost(210) }}"
cacheable: true
when: enable_tls|default(false)|bool
- name: Add DNS and NTP server settings for TLS deployments
become: true
blockinfile:
path: "{{ overcloud_templates_path }}/ci/environments/standalone-ipa.yaml"
insertafter: " HAProxyExternalNetwork: ctlplane"
block: |
# Custom IPA params
DnsServers: ["{{ subnode_1_ip }}"]
NtpServer: "{{ job.standalone_ntp_servers|default(['clock.redhat.com']) }}"
when: enable_tls|default(false)|bool
# standalone params
- name: Create the standalone params
@ -23,6 +41,18 @@
dest: "{{ working_dir }}/standalone_parameters.yaml"
mode: 0755
- name: Remove settings that will be added with TLS
lineinfile:
path: "{{ working_dir }}/standalone_parameters.yaml"
regexp: "{{ item }}"
state: absent
backup: true
with_items:
- ' CloudName: 192.168.24.1'
- ' CertmongerCA: local'
- ' DnsServers: (.*)'
when: enable_tls|default(false)|bool
- name: Run container prepare legacy
when:
- release in ['queens', 'rocky', 'stein', 'train']
@ -192,12 +222,13 @@
vars:
tripleo_deploy_debug: true
tripleo_deploy_local_ip: "{{ standalone_ip }}/{{ standalone_network_prefix }}"
tripleo_deploy_control_virtual_ip: "{{ standalone_control_virtual_ip|default() }}"
tripleo_deploy_roles_file: "{{ overcloud_templates_path }}/roles/{{ standalone_role }}"
tripleo_deploy_output_dir: "{{ working_dir }}"
tripleo_deploy_environment_files: |-
{% set env_files = [overcloud_templates_path + '/environments/standalone/standalone-tripleo.yaml',
working_dir + '/containers-prepare-parameters.yaml',
working_dir + '/standalone_parameters.yaml'] %}
working_dir + '/standalone_parameters.yaml']%}
{% if standalone_custom_env_files %}
{% set env_files = env_files + standalone_custom_env_files %}
{% endif %}
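Review bot: In the first hunk, `NtpServer: "{{ job.standalone_ntp_servers|default(['clock.redhat.com']) }}"` renders a list through Jinja inside a double-quoted YAML scalar, so what is written into standalone-ipa.yaml is the string `"['clock.redhat.com']"` rather than a list, unlike the `DnsServers: ["{{ subnode_1_ip }}"]` line beside it; writing `NtpServer: {{ job.standalone_ntp_servers|default(['clock.redhat.com']) | to_json }}` puts a real sequence in the block (whether the consuming template tolerates the string form cannot be confirmed from this hunk). The same hunk computes `standalone_control_virtual_ip` as `undercloud_network_cidr|nthhost(210)`, duplicating the expression the IPA subnode tasks use when creating the overcloud A records; if the two ever diverge the issued certificates and DNS will point at different addresses, so the offset belongs in one shared default both roles read. In the second hunk the `with_items` regexps such as `' CloudName: 192.168.24.1'` are unanchored with unescaped dots, which works today but is worth anchoring (`'^\s*CloudName:'`) since `backup: true` implies the file is expected to vary. The task list and the `tripleo_deploy_environment_files` template in the last hunk continue outside these hunks.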