Add role for standalone on multinode with IPA
This review adds the ipa-multinode role to install and configure a two-node setup - where the IPA server is running on the secondary node and a standalone deployment is run on the primary node. This review also includes modifications to standalone role to use the IPA server when enable_tls is set to true. Depends-On: https://review.opendev.org/#/c/707419 Depends-On: https://review.opendev.org/#/c/724907 Story: https://tree.taiga.io/project/tripleo-ci-board/us/670 Change-Id: Ibe23ad6465a06e92e295cb419888684e699e945f
This commit is contained in:
parent
c601b3215e
commit
b4e0a03c14
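--- a/playbooks/multinode-standalone-ipa.yml
+++ b/playbooks/multinode-standalone-ipa.yml
@@ -0,0 +1,28 @@
+---
+- name: Add the nodes to the generated inventory
+hosts: undercloud
+gather_facts: true
+vars:
+inventory: multinode
+roles:
+- tripleo-inventory
+tags:
+- standalone
+
+- name: Setup the IPA server
+hosts: subnode-1
+tags:
+- standalone
+tasks:
+- include_role:
+name: ipa-multinode
+tasks_from: ipaserver-subnode-install.yml
+
+- name: Setup the undercloud for IPA server
+hosts: undercloud
+tags:
+- standalone
+tasks:
+- include_role:
+name: ipa-multinode
+tasks_from: ipaserver-undercloud-setup.yml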
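--- a/roles/ipa-multinode/README.md
+++ b/roles/ipa-multinode/README.md
@@ -0,0 +1,69 @@
+ipa-multinode
+=============
+
+An Ansible role to install and configure a two-node setup where
+the IPA server is running on the secondary node and a standalone
+deployment is run on the primary node.
+
+Requirements
+------------
+
+* https://opendev.org/x/tripleo-ipa
+
+Role Variables
+--------------
+
+* `freeipa_internal_ip` -- IP for the FreeIPA server
+* `standalone_hostname` -- Hostname for secondary node
+* `freeipa_server_hostname` -- Hostname for the FreeIPA server
+* `overcloud_cloud_name` -- Cloud name for overcloud
+* `overcloud_cloud_domain` -- Cloud domain for overcloud
+* `overcloud_cloud_name_internal` -- Internal name for overcloud
+* `overcloud_cloud_name_storage` -- Storage cloud name for overcloud
+* `overcloud_cloud_name_storage_management` -- Storage namangement cloud name for overcloud
+* `overcloud_cloud_name_ctlplane` -- Controlplane cloud name for overcloud
+* `freeipa_admin_password` -- FreeIPA server admin password
+* `enable_tls` -- Boolean value if FreeIPA server will be used in the deployment
+* `ipa_domain` -- IPA domain name
+* `cloud_domain` -- IPA cloud domain name
+* `ipa_nameserver` -- IPA name server
+* `ipa_realm` -- IPA realm
+* `freeipa_directory_password` -- Password for the directory manager
+* `freeipa_principal` -- FreeIPA principal
+* `undercloud_cloud_domain` -- Undercloud cloud domain
+* `tls_packages` -- TLS dependacy packages
+* `ipa_packages` -- FreeIPA packages
+
+Example Usage
+-------------
+
+```yaml
+---
+- name: Setup the IPA server
+hosts: subnode-1
+tags:
+- standalone
+tasks:
+- include_role:
+name: ipa-multinode
+tasks_from: ipaserver-subnode-install.yml
+
+- name: Setup the undercloud for IPA server
+hosts: undercloud
+tags:
+- standalone
+tasks:
+- include_role:
+name: ipa-multinode
+tasks_from: ipaserver-undercloud-setup.yml
+```
+
+License
+-------
+
+Apache
+
+Author Information
+------------------
+
+TripleO-CI Team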
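--- a/roles/ipa-multinode/defaults/main.yml
+++ b/roles/ipa-multinode/defaults/main.yml
@@ -0,0 +1,30 @@
+---
+freeipa_internal_ip: "{{ hostvars['subnode-1'].inventory_ip }}"
+standalone_hostname: "standalone-0.{{ tripleo_domain }}"
+tripleo_domain: ooo.test
+undercloud_cloud_domain: "{{ tripleo_domain }}"
+freeipa_server_hostname: "ipa.{{ tripleo_domain }}"
+overcloud_cloud_name: "overcloud.{{ tripleo_domain }}"
+overcloud_cloud_domain: "{{ tripleo_domain }}"
+overcloud_cloud_name_internal: "overcloud.internalapi.{{ tripleo_domain }}"
+overcloud_cloud_name_storage: "overcloud.storage.{{ tripleo_domain }}"
+overcloud_cloud_name_storage_management: "overcloud.storagemgmt.{{ tripleo_domain }}"
+overcloud_cloud_name_ctlplane: "overcloud.ctlplane.{{ tripleo_domain }}"
+freeipa_admin_password: fce95318204114530f31f885c9df588f
+# vars for new tls work
+enable_tls: true
+ipa_domain: "{{ tripleo_domain }}"
+cloud_domain: "{{ tripleo_domain }}"
+ipa_nameserver: "ipa.{{ tripleo_domain }}"
+ipa_realm: "{{ ipa_domain | upper }}"
+freeipa_directory_password: "{{ freeipa_admin_password }}"
+freeipa_principal: admin
+tls_packages:
+- ipa-client
+- python3-pip
+- openssl-perl
+ipa_packages:
+- ipa-server
+- ipa-server-dns
+- curl
+- iptables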
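Review bot: `freeipa_admin_password: fce95318204114530f31f885c9df588f` ships a fixed credential in the role defaults, and `freeipa_directory_password` aliases it, so every deployment that keeps the defaults gets the same admin and Directory Manager password, committed to VCS and later echoed into the job log by the installation notice in `ipaserver-subnode-install.yml`. If this is meant as a throwaway CI secret, generate it at run time instead, e.g. `freeipa_admin_password: "{{ lookup('password', working_dir ~ '/freeipa_admin_password chars=ascii_letters,digits length=32') }}"` (assuming `working_dir` is in scope for this role as it is for the standalone role); the lookup runs on the controller, so both hosts read the same value, but `ipaserver-undercloud-setup.yml` re-sets the same literal via `set_fact` and would have to stop doing so. Whichever way it is resolved, the variable deserves a comment stating that it is a CI-only secret, and `# vars for new tls work` would be more useful as a one-line description of what `enable_tls` gates.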
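--- a/roles/ipa-multinode/meta/main.yml
+++ b/roles/ipa-multinode/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+- extras-common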
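--- a/roles/ipa-multinode/tasks/ipaserver-subnode-install.yml
+++ b/roles/ipa-multinode/tasks/ipaserver-subnode-install.yml
@@ -0,0 +1,127 @@
+---
+- set_fact:
+subnode_1_ip: "{{ hostvars['subnode-1'].inventory_ip }}"
+
+- name: set the freeipa_internal_ip
+set_fact:
+inventory_hostname: "{{ subnode_1_ip }}"
+undercloud_ipv4_address: "{{ hostvars['undercloud']['ansible_default_ipv4'].address }}"
+standalone_control_virtual_ip: "{{ undercloud_network_cidr|nthhost(210) }}"
+cacheable: true
+
+- include_role:
+name: repo-setup
+vars:
+repo_setup_dir: /home/{{ ansible_user|default('centos') }}
+
+- name: set FQDN
+shell: hostnamectl set-hostname --static {{ ipa_nameserver }}
+become: true
+
+- name: install required packages
+shell: dnf module -y enable pki-deps pki-core idm:DL1
+become: true
+
+- name: install FreeIPA packages
+become: true
+package:
+name: '{{ ipa_packages }}'
+state: latest
+
+- name: set python_cmd
+set_fact:
+python_cmd: "python{{ ansible_python.version.major }}"
+cacheable: true
+when: python_cmd is not defined
+
+- name: check if FreeIPA is configured
+shell: >
+{{ python_cmd }} -c 'import sys; from ipaserver.install.installutils import is_ipa_configured; print(is_ipa_configured())'
+register: ipa_install
+
+- name: Add subnode IP to /etc/hosts
+shell:
+cmd: |
+sed -i "1i{{ subnode_1_ip }} {{ ipa_nameserver }}" /etc/hosts
+become: true
+
+- name: configure FreeIPA
+shell: >
+ipa-server-install --realm {{ ipa_realm }}
+--ds-password {{ freeipa_directory_password }}
+--admin-password {{ freeipa_admin_password }}
+--hostname {{ ipa_nameserver }}
+--setup-dns
+--forwarder {{ job.public_name_server|default('1.1.1.1') }}
+--auto-reverse
+--unattended
+--ip-address {{ subnode_1_ip }}
+become: true
+when:
+ipa_install.stdout == 'False'
+
+# This needs to be set on the FreeIPA server so that the overcloud nodes
+# can pull the certificate. If this isn't set, the overcloud nodes will
+# have an HTML 404 Not Found response stored in their certificate files
+# instead of a valid DER encoded certificate. This eventually snowballs and
+# causes openssl operations to fall during the overcloud installation
+# process.
+- name: configure FreeIPA to publish Master CRL at start
+become: true
+lineinfile:
+path: /etc/pki/pki-tomcat/ca/CS.cfg
+regexp: '^ca.crl.MasterCRL.publishOnStart=(.*)$'
+line: 'ca.crl.MasterCRL.publishOnStart=true'
+
+- name: restart FreeIPA server
+become: true
+service:
+name: ipa
+state: restarted
+
+- name: installation notice
+debug:
+msg:
+- "FreeIPA has been installed on {{ inventory_hostname }} with the following
+administrator credentials:"
+- "user: {{ freeipa_principal }}"
+- "password: {{ freeipa_admin_password }}"
+
+- name: Check DNS works
+shell: >
+ping -c 5 redhat.com
+register: ping_output_com
+
+- debug:
+msg: "{{ ping_output_com.stdout }}"
+
+- name: Add DNS entries
+become: true
+shell: >
+echo "{{ freeipa_admin_password }}" | kinit admin ;
+ipa dnsrecord-add ooo.test standalone-0 --a-rec "{{ undercloud_ipv4_address }}";
+ipa dnsrecord-add ooo.test overcloud.ctlplane --a-rec "{{ standalone_control_virtual_ip }}";
+ipa dnsrecord-add ooo.test overcloud --a-rec "{{ standalone_control_virtual_ip }}";
+ipa dnsrecord-add ooo.test overcloud.internalapi --a-rec "{{ standalone_control_virtual_ip }}";
+ipa dnsrecord-add ooo.test overcloud.storage --a-rec "{{ standalone_control_virtual_ip }}";
+ipa dnsrecord-add ooo.test overcloud.storagemgmt --a-rec "{{ standalone_control_virtual_ip }}";
+
+- name: Show DNS entries - standalone-0
+become: true
+shell: >
+echo "{{ freeipa_admin_password }}" | kinit admin ;
+ipa dnsrecord-show ooo.test standalone-0
+register: standalone_record
+
+- name: Show DNS entries - overcloud
+become: true
+shell: >
+echo "{{ freeipa_admin_password }}" | kinit admin ;
+ipa dnsrecord-show ooo.test overcloud
+register: overcloud_record
+
+- debug:
+msg: "{{ standalone_record.stdout }}"
+
+- debug:
+msg: "{{ overcloud_record.stdout }}"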
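Review bot: The FreeIPA admin and Directory Manager passwords are put on the command line in `configure FreeIPA` (`--ds-password`, `--admin-password`), piped through `echo` in the three `kinit admin` tasks, and printed outright by `installation notice` (`- "password: {{ freeipa_admin_password }}"`), so they end up in the Ansible output and job logs of every run. Add `no_log: true` to `configure FreeIPA`, `Add DNS entries` and both `Show DNS entries` tasks and drop the password line from the debug message; the registered `standalone_record`/`overcloud_record` results stay available to the separate `debug` tasks the file already has. Separately, the `ipa dnsrecord-add ooo.test ...` and `ipa dnsrecord-show ooo.test ...` calls hard-code the zone while every other reference is derived from `{{ ipa_domain }}`, so overriding `tripleo_domain` silently creates records in the wrong zone; `ipa dnsrecord-add {{ ipa_domain }} standalone-0 --a-rec "{{ undercloud_ipv4_address }}";` is the form to apply to all of them. Also, `set FQDN` shells out to `hostnamectl` whereas `ipaserver-undercloud-setup.yml` uses the `hostname` module for the same job; using the module here too would make the task idempotent and the two files consistent.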
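--- a/roles/ipa-multinode/tasks/ipaserver-undercloud-setup.yml
+++ b/roles/ipa-multinode/tasks/ipaserver-undercloud-setup.yml
@@ -0,0 +1,124 @@
+---
+- set_fact:
+subnode_1_ip: "{{ hostvars['subnode-1'].inventory_ip }}"
+standalone_hostname: "standalone-0.{{ tripleo_domain }}"
+tripleo_domain: ooo.test
+ipa_domain: "{{ tripleo_domain }}"
+ipa_realm: "{{ ipa_domain | upper }}"
+ipa_user: admin
+ipa_password: "{{ freeipa_admin_password }}"
+ipa_nameserver: "ipa.{{ tripleo_domain }}"
+undercloud_hostname: "standalone-0.{{ tripleo_domain }}"
+cloud_domain: "{{ tripleo_domain }}"
+undercloud_cloud_domain: "{{ tripleo_domain }}"
+freeipa_server_hostname: "ipa.{{ tripleo_domain }}"
+freeipa_admin_password: fce95318204114530f31f885c9df588f
+enable_tls: true
+cacheable: true
+
+- name: Add subnode IP to /etc/hosts
+lineinfile:
+line: "{{ subnode_1_ip }} {{ freeipa_server_hostname }}"
+path: /etc/hosts
+become: true
+
+- name: Add {{ subnode_1_ip }} host to freeipa group
+add_host:
+name: "{{ freeipa_internal_ip }}"
+groups: freeipa
+
+- name: set FQDN
+become: true
+hostname:
+name: "{{ undercloud_hostname }}"
+
+- name: set hostname properly
+become: true
+lineinfile:
+dest: /etc/hosts
+line: "127.0.0.1 undercloud.localdomain localhost localhost.localdomain"
+regexp: '^127\.0\.0\.1'
+
+- name: Prepare the undercloud for installation
+include_role:
+name: undercloud-setup
+tags:
+- standalone
+
+# We need to update /etc/resolv.conf so that the undercloud can use FreeIPA
+# for DNS. We also need to make sure it's the first line in
+# /etc/resolv.conf otherwise we'll fail to find FreeIPA (e.g.,
+# ipa.ooo.test).
+- name: ensure that DHCP doesn't overwite DNS settings (CentOS/RHEL >= 8)
+become: true
+lineinfile:
+path: /etc/NetworkManager/NetworkManager.conf
+regexp: '^dns='
+insertafter: '^[main]'
+line: 'dns=none'
+when:
+- ansible_os_family == 'RedHat'
+- ansible_lsb.major_release is version(8, '>=')
+
+- name: set search domain
+become: true
+lineinfile:
+path: /etc/resolv.conf
+regexp: '^search'
+line: 'search {{ cloud_domain }}'
+state: present
+when:
+- cloud_domain == ipa_domain
+
+- name: set IPA server as primary DNS provider
+become: true
+lineinfile:
+path: /etc/resolv.conf
+insertafter: '^search'
+line: "nameserver {{ freeipa_internal_ip }}"
+state: present
+
+- name: install tls dependencies
+become: true
+package:
+name: '{{ tls_packages }}'
+state: latest
+when:
+- enable_tls | bool
+
+- name: run undercloud ipa installer
+become: true
+become_user: zuul
+shell: >
+ansible-playbook -vvv
+--ssh-extra-args "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
+/usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml
+| tee undercloud-ipa-install.log
+environment:
+IPA_DOMAIN: "{{ ipa_domain }}"
+IPA_REALM: "{{ ipa_realm }}"
+IPA_ADMIN_USER: "{{ ipa_user }}"
+IPA_ADMIN_PASSWORD: "{{ ipa_password }}"
+IPA_SERVER_HOSTNAME: "{{ ipa_nameserver }}"
+UNDERCLOUD_FQDN: "{{ undercloud_hostname }}"
+USER: zuul
+CLOUD_DOMAIN: "{{ cloud_domain }}"
+# yamllint disable-line rule:line-length
+ANSIBLE_ROLES_PATH: "/usr/share/ansible/tripleo-playbooks/roles:/home/zuul/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:/usr/share/ansible/tripleo-playbooks:/home/zuul/{{ zuul.projects['opendev.org/openstack/tripleo-ansible'].src_dir }}/tripleo_ansible/roles"
+when:
+- enable_tls | bool
+
+- name: remove all other nameservers from resolv.conf
+become: true
+lineinfile:
+path: /etc/resolv.conf
+regexp: '^nameserver 127.0.0.1'
+state: absent
+
+- name: Check that the DNS works
+shell: >
+ping -c 5 redhat.com
+register: dig_ouput_com
+
+- debug:
+msg: "dig_ouput_com is {{ dig_ouput_com.stdout }}"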
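Review bot: `insertafter: '^[main]'` in `ensure that DHCP doesn't overwite DNS settings` is a regular expression, so `[main]` is a character class and the pattern matches any line starting with `m`, `a`, `i` or `n` rather than the `[main]` section header; it should be `insertafter: '^\[main\]'`, and `regexp: '^nameserver 127.0.0.1'` in `remove all other nameservers from resolv.conf` likewise leaves its dots unescaped where `set hostname properly` already escapes them. The leading `set_fact` re-assigns `freeipa_admin_password: fce95318204114530f31f885c9df588f`, `enable_tls: true` and most of the other role defaults with `cacheable: true`, which overrides any inventory or play-level value a user gives for variables the README documents as tunable; `defaults/main.yml` already provides those, so only the values not defined there (`subnode_1_ip`, `ipa_user`, `ipa_password`, `undercloud_hostname`) belong in this task. `ansible_lsb.major_release` is only populated when the `lsb_release` tool is present on the host, so the `when` is likely to fail with an undefined attribute on a minimal image; `ansible_distribution_major_version is version('8', '>=')` has no such dependency.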
@ -15,6 +15,24 @@
|
||||
hostname:
|
||||
name: "{{ standalone_hostname }}"
|
||||
become: true
|
||||
when: not enable_tls|default(false)|bool
|
||||
|
||||
- name: set virtual-control-ip for TLS deployments
|
||||
set_fact:
|
||||
standalone_control_virtual_ip: "{{ undercloud_network_cidr|nthhost(210) }}"
|
||||
cacheable: true
|
||||
when: enable_tls|default(false)|bool
|
||||
|
||||
- name: Add DNS and NTP server settings for TLS deployments
|
||||
become: true
|
||||
blockinfile:
|
||||
path: "{{ overcloud_templates_path }}/ci/environments/standalone-ipa.yaml"
|
||||
insertafter: " HAProxyExternalNetwork: ctlplane"
|
||||
block: |
|
||||
# Custom IPA params
|
||||
DnsServers: ["{{ subnode_1_ip }}"]
|
||||
NtpServer: "{{ job.standalone_ntp_servers|default(['clock.redhat.com']) }}"
|
||||
when: enable_tls|default(false)|bool
|
||||
|
||||
# standalone params
|
||||
- name: Create the standalone params
|
||||
@ -23,6 +41,18 @@
|
||||
dest: "{{ working_dir }}/standalone_parameters.yaml"
|
||||
mode: 0755
|
||||
|
||||
- name: Remove settings that will be added with TLS
|
||||
lineinfile:
|
||||
path: "{{ working_dir }}/standalone_parameters.yaml"
|
||||
regexp: "{{ item }}"
|
||||
state: absent
|
||||
backup: true
|
||||
with_items:
|
||||
- ' CloudName: 192.168.24.1'
|
||||
- ' CertmongerCA: local'
|
||||
- ' DnsServers: (.*)'
|
||||
when: enable_tls|default(false)|bool
|
||||
|
||||
- name: Run container prepare legacy
|
||||
when:
|
||||
- release in ['queens', 'rocky', 'stein', 'train']
|
||||
@ -192,12 +222,13 @@
|
||||
vars:
|
||||
tripleo_deploy_debug: true
|
||||
tripleo_deploy_local_ip: "{{ standalone_ip }}/{{ standalone_network_prefix }}"
|
||||
tripleo_deploy_control_virtual_ip: "{{ standalone_control_virtual_ip|default() }}"
|
||||
tripleo_deploy_roles_file: "{{ overcloud_templates_path }}/roles/{{ standalone_role }}"
|
||||
tripleo_deploy_output_dir: "{{ working_dir }}"
|
||||
tripleo_deploy_environment_files: |-
|
||||
{% set env_files = [overcloud_templates_path + '/environments/standalone/standalone-tripleo.yaml',
|
||||
working_dir + '/containers-prepare-parameters.yaml',
|
||||
working_dir + '/standalone_parameters.yaml'] %}
|
||||
working_dir + '/standalone_parameters.yaml']%}
|
||||
{% if standalone_custom_env_files %}
|
||||
{% set env_files = env_files + standalone_custom_env_files %}
|
||||
{% endif %}
|
||||
|