From d688ab722a53091faf65842f09e6dd03410c7cfe Mon Sep 17 00:00:00 2001 From: Grzegorz Grasza Date: Tue, 21 Apr 2020 15:31:47 +0200 Subject: [PATCH] Support TLS-Everywhere without novajoin To run TLS-E without novajoin, set undercloud_enable_novajoin to false. To avoid confusion, this changes the previous behavior of undercloud_enable_novajoin flag and it's default value. The original flag wasn't used, because novajoin is only used for TLS-E, so it doesn't make sense to deploy it otherwise. Depends-On: https://review.opendev.org/731383 Depends-On: https://review.opendev.org/740951 Change-Id: Id97074ff7b1341942e8c85fc709a83b33e0af414 --- roles/freeipa-setup/README.md | 9 ++++ roles/freeipa-setup/defaults/main.yml | 4 ++ roles/freeipa-setup/tasks/ipa_prep.yml | 38 +++++++++++++++ roles/freeipa-setup/tasks/main.yml | 5 ++ roles/freeipa-setup/templates/ipa_prep.sh.j2 | 46 ++++++++++++++++++ roles/overcloud-deploy/README.md | 2 + roles/overcloud-deploy/defaults/main.yml | 1 + .../overcloud-deploy/tasks/create-scripts.yml | 8 ++++ roles/overcloud-deploy/tasks/pre-deploy.yml | 15 +++++- .../templates/tls-everywhere.yaml.j2 | 8 ++++ roles/undercloud-deploy/README.md | 11 ++--- roles/undercloud-deploy/defaults/main.yml | 4 +- roles/undercloud-deploy/tasks/ipa_prep.yml | 47 +++++++++++++++++++ roles/undercloud-deploy/tasks/main.yml | 7 ++- ...adata-overrides-classic-undercloud.yaml.j2 | 2 +- .../templates/ipa_prep.sh.j2 | 25 ++++++++++ .../templates/undercloud.conf.j2 | 4 +- 17 files changed, 222 insertions(+), 14 deletions(-) create mode 100644 roles/freeipa-setup/tasks/ipa_prep.yml create mode 100644 roles/freeipa-setup/templates/ipa_prep.sh.j2 create mode 100644 roles/overcloud-deploy/templates/tls-everywhere.yaml.j2 create mode 100644 roles/undercloud-deploy/tasks/ipa_prep.yml create mode 100644 roles/undercloud-deploy/templates/ipa_prep.sh.j2 diff --git a/roles/freeipa-setup/README.md b/roles/freeipa-setup/README.md index 705b40ad7..3f236f00e 100644 
--- a/roles/freeipa-setup/README.md +++ b/roles/freeipa-setup/README.md @@ -20,6 +20,15 @@ Role Variables provisioning interface (which is hardcoded to eth1) - `supplemental_user`: The user which is used to deploy FreeIpa on the supplemental node - `ipa_server_install_params`: <''> -- Additional parameters to pass to the ipa-server-install command +- `prepare_ipa`: If set to true, it will install novajoin or tripleo-ipa in the + undercloud, and run a script that will create the required privileges/permissions + in FreeIPA, as well as the undercloud host entry. This requires + 'enable_tls_everywhere' to be set to true, and the following variables to be + properly defined: 'freeipa_admin_password', 'freeipa_server_hostname', + 'overcloud_cloud_domain', 'undercloud_undercloud_hostname'. If you plan to do + this yourself, you can set this variable to false. Defaults to true. +- `undercloud_enable_novajoin`: <'true'> -- uses old novajoin service to register + overcloud nodes into IPA when 'enable_tls_everywhere' is enabled. Example Playbook ---------------- diff --git a/roles/freeipa-setup/defaults/main.yml b/roles/freeipa-setup/defaults/main.yml index 591c5ae51..dc634280f 100644 --- a/roles/freeipa-setup/defaults/main.yml +++ b/roles/freeipa-setup/defaults/main.yml @@ -6,3 +6,7 @@ undercloud_fqdn: "undercloud.tripleodomain" provisioning_cidr: "{{ undercloud_network_cidr }}" supplemental_user: "stack" freeipa_subcas: [] +prepare_ipa: true +# location which the novajoin-ipa-setup will store the FreeIPA token +undercloud_enable_novajoin: true +freeipa_otp_key: /tmp/ipa-otp.txt diff --git a/roles/freeipa-setup/tasks/ipa_prep.yml b/roles/freeipa-setup/tasks/ipa_prep.yml new file mode 100644 index 000000000..d25d412b6 --- /dev/null +++ b/roles/freeipa-setup/tasks/ipa_prep.yml 
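Review bot: In the defaults hunk the comment `# location which the novajoin-ipa-setup will store the FreeIPA token` is placed above `undercloud_enable_novajoin: true` but describes `freeipa_otp_key`, which follows it; move it directly above `freeipa_otp_key: /tmp/ipa-otp.txt` and, since this role now runs `ipa_prep.sh` rather than novajoin-ipa-setup, reword it to `# path where ipa_prep.sh writes the undercloud enrollment OTP (fetched to the same path on the controller)`. That value is an enrollment credential kept under a world-writable directory on two hosts, so the comment should also say the file is expected to be removed once the undercloud is enrolled. `prepare_ipa` and `undercloud_enable_novajoin` are now declared with the same defaults in freeipa-setup, overcloud-deploy and undercloud-deploy; naming the other copies in a comment helps keep them from drifting.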
@@ -0,0 +1,38 @@ +--- + +- name: Validate FreeIPA Admin password was passed + fail: msg="freeipa_admin_password is not passed and or blank" + when: + - deploy_supplemental_node|bool and not hostvars['supplemental'].freeipa_admin_password|default('') + - not freeipa_admin_password|default('') + +- name: Validate FreeIPA Server hostname was passed + fail: msg="freeipa_server_hostname is not passed and or blank" + when: freeipa_server_hostname is not defined or ( freeipa_server_hostname is defined and freeipa_server_hostname == "" ) + +- name: Validate a domain for the cloud was given + fail: msg="overcloud_cloud_domain is not passed and or blank" + when: overcloud_cloud_domain is not defined or ( overcloud_cloud_domain is defined and overcloud_cloud_domain == "" ) + +- name: Validate a undercloud hostname was given + fail: msg="undercloud_undercloud_hostname is not passed and or blank" + when: undercloud_undercloud_hostname is not defined or ( undercloud_undercloud_hostname is defined and undercloud_undercloud_hostname == "" ) + +- name: Install tripleo-ipa preparation script + template: + src: ipa_prep.sh.j2 + dest: "~{{ supplemental_user }}/ipa_prep.sh" + mode: 0755 + +- name: Run the tripleo-ipa preparation script + shell: > + set -o pipefail && + ~{{ supplemental_user }}/ipa_prep.sh 2>&1 {{ timestamper_cmd }} > + ~{{ supplemental_user }}/ipa_prep.sh.log + changed_when: true + +- name: Fetch the otp key + fetch: + src: "{{ freeipa_otp_key }}" + dest: "{{ freeipa_otp_key }}" + flat: true diff --git a/roles/freeipa-setup/tasks/main.yml b/roles/freeipa-setup/tasks/main.yml index 868a3b4d1..f29b99df1 100644 --- a/roles/freeipa-setup/tasks/main.yml +++ b/roles/freeipa-setup/tasks/main.yml 
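Review bot: The "Validate FreeIPA Admin password was passed" task cannot fire when `deploy_supplemental_node` is false, because its two `when` entries are ANDed and the first requires `deploy_supplemental_node|bool`; an unset `freeipa_admin_password` then passes validation and the template later exports an empty `IPA_ADMIN_PASSWORD`, while in the supplemental case a blank supplemental password is accepted whenever the local variable is set even though the template reads `hostvars['supplemental']`. The condition should mirror the template's branch: `when: (deploy_supplemental_node|bool and not hostvars['supplemental'].freeipa_admin_password|default('')) or (not deploy_supplemental_node|bool and not freeipa_admin_password|default(''))`. The same block is added verbatim in roles/undercloud-deploy/tasks/ipa_prep.yml. Separately, `mode: 0755` on the template task is an unquoted octal that ansible-lint's risky-octal rule flags; `mode: "0755"` is the safe spelling.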
@@ -22,3 +22,8 @@ - name: Deploy FreeIPA become: true shell: "~{{ supplemental_user }}/deploy_freeipa.sh &> ~{{ supplemental_user }}/deploy_freeipa.log" + +- include: ipa_prep.yml + when: enable_tls_everywhere|bool and prepare_ipa|bool and not undercloud_enable_novajoin|bool + tags: + - undercloud-install diff --git a/roles/freeipa-setup/templates/ipa_prep.sh.j2 b/roles/freeipa-setup/templates/ipa_prep.sh.j2 new file mode 100644 index 000000000..b3b5f72c9 --- /dev/null +++ b/roles/freeipa-setup/templates/ipa_prep.sh.j2 
@@ -0,0 +1,46 @@ +#!/usr/bin/env bash +set -eux + +### --start_docs + +## Set up the necessary permissions/privileges in novajoin +## ======================================================= + +## * Install ansible and tripleo-ipa + +sudo {{ ansible_pkg_mgr }} install -yq ansible ansible-tripleo-ipa + +## * Set up FreeIPA permissions and privileges and register the undercloud. +## :: + +export IPA_ADMIN_USER=admin +export IPA_PRINCIPAL=admin +{% if deploy_supplemental_node|bool %} +export IPA_ADMIN_PASSWORD={{ hostvars['supplemental'].freeipa_admin_password }} +export IPA_PASSWORD={{ hostvars['supplemental'].freeipa_admin_password }} +{% else %} +export IPA_ADMIN_PASSWORD={{ freeipa_admin_password }} +export IPA_PASSWORD={{ freeipa_admin_password }} +{% endif %} +export IPA_SERVER_HOSTNAME={{ freeipa_server_hostname }} +export IPA_REALM=$(echo {{ overcloud_cloud_domain }} | awk '{print toupper($0)}') +export IPA_DOMAIN={{ overcloud_cloud_domain }} +export UNDERCLOUD_FQDN={{ undercloud_undercloud_hostname }} +export CLOUD_DOMAIN="{{ overcloud_cloud_domain }}" + +echo $IPA_PASSWORD | kinit $IPA_ADMIN_USER@$IPA_REALM + +ansible-playbook --ssh-extra-args \ + "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" \ + /usr/share/ansible/tripleo-playbooks/ipa-server-create-role.yaml + +ansible-playbook --ssh-extra-args \ + "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" \ + /usr/share/ansible/tripleo-playbooks/ipa-server-register-undercloud.yaml \ + | grep -o '"ipa_otp = .*"$' | sed 's/ipa_otp = //' > {{ freeipa_otp_key }} + +ansible-playbook --ssh-extra-args \ + "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" \ + /usr/share/ansible/tripleo-playbooks/ipa-server-create-principal.yaml + +### --stop_docs diff --git a/roles/overcloud-deploy/README.md b/roles/overcloud-deploy/README.md index a92f11bf6..c47f5b7ae 100644 --- a/roles/overcloud-deploy/README.md +++ b/roles/overcloud-deploy/README.md 
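Review bot: `set -eux` traces every command, so the `export IPA_ADMIN_PASSWORD=...`/`export IPA_PASSWORD=...` lines and `echo $IPA_PASSWORD | kinit ...` write the FreeIPA admin password into `ipa_prep.sh.log` (the calling task redirects `2>&1` into it), and the OTP file is created with the caller's default umask; bracket the password block with `set +x` / `set -x` and put `umask 077` before the redirect into `{{ freeipa_otp_key }}`. The script's own pipeline `ansible-playbook ... | grep -o '"ipa_otp = .*"$' | sed 's/ipa_otp = //' > {{ freeipa_otp_key }}` is not covered by the task's outer `set -o pipefail`, so a failed `ipa-server-register-undercloud.yaml` run leaves an empty OTP file and the script continues to the next playbook; `set -euo pipefail` at the top makes that a hard failure. The password exports are unquoted, so a password containing shell metacharacters breaks the script; quote them, e.g. `export IPA_ADMIN_PASSWORD='{{ freeipa_admin_password }}'`. The docs heading `## Set up the necessary permissions/privileges in novajoin` describes the old flow — this script drives tripleo-ipa, so `## Set up the necessary permissions/privileges in FreeIPA with tripleo-ipa` is accurate.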
@@ -48,6 +48,8 @@ A description of the settable variables for this role should go here, including * `topology_map`: undefined - a dictionary of roles with their scale (count) and flavor names. Example: topology_map: { 'Controller': { 'scale': 3, 'flavor': 'baremetal' } } * `extra_tht_configs`: -- a list of files to copy to the undercloud and add as extra config to the overcloud-deployment command. +* `undercloud_enable_novajoin`: <'true'> -- uses old novajoin service to register + overcloud nodes into IPA when 'enable_tls_everywhere' is enabled. Dependencies ------------ diff --git a/roles/overcloud-deploy/defaults/main.yml b/roles/overcloud-deploy/defaults/main.yml index 2f47f20dc..c5ea98860 100644 --- a/roles/overcloud-deploy/defaults/main.yml +++ b/roles/overcloud-deploy/defaults/main.yml @@ -91,6 +91,7 @@ use_resource_registry_nic_configs: false ssl_args: "" tls_everywhere_args: "" +undercloud_enable_novajoin: true validation_args: "--validation-warnings-fatal" enable_swap: false diff --git a/roles/overcloud-deploy/tasks/create-scripts.yml b/roles/overcloud-deploy/tasks/create-scripts.yml index dd8d0f52a..37fbdc973 100644 --- a/roles/overcloud-deploy/tasks/create-scripts.yml +++ b/roles/overcloud-deploy/tasks/create-scripts.yml @@ -71,6 +71,14 @@ src: "cloud-names.yaml.j2" dest: "{{ working_dir }}/cloud-names.yaml" +- name: Set OS::TripleO::Services::IpaClient for novajoin-less deployment + when: + - enable_tls_everywhere|bool and not undercloud_enable_novajoin|bool + - release not in ['mitaka', 'liberty', 'newton'] + template: + src: "tls-everywhere.yaml.j2" + dest: "{{ working_dir }}/tls-everywhere.yaml" + - name: Create the hostname_map parameters yaml when: - groups['overcloud'] is defined diff --git a/roles/overcloud-deploy/tasks/pre-deploy.yml b/roles/overcloud-deploy/tasks/pre-deploy.yml index efb9a4e22..ba3da7595 100644 --- a/roles/overcloud-deploy/tasks/pre-deploy.yml +++ b/roles/overcloud-deploy/tasks/pre-deploy.yml 
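Review bot: The `when` pair added to create-scripts.yml, `enable_tls_everywhere|bool and not undercloud_enable_novajoin|bool` plus `release not in ['mitaka', 'liberty', 'newton']`, is repeated in roles/overcloud-deploy/tasks/pre-deploy.yml, and the rendered `tls-everywhere.yaml` is consumed only there via `-e {{ working_dir }}/tls-everywhere.yaml`; if either copy changes, the deploy command will reference a file that was never written. Record the coupling on this task with `# must match the 'set TLS everywhere fact with tripleo-ipa' condition in pre-deploy.yml, which passes this file with -e`; computing the condition once into a fact would be cleaner but is beyond this change. The new `undercloud_enable_novajoin: true` in roles/overcloud-deploy/defaults/main.yml duplicates the default in the undercloud-deploy and freeipa-setup roles, presumably so the role can run standalone.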
@@ -161,14 +161,25 @@ {{ ssl_ca_args }} when: ssl_overcloud|bool or undercloud_generate_service_certificate|bool -- name: set novajoin/TLS everywhere fact +- name: set TLS everywhere fact with novajoin set_fact: tls_everywhere_args: >- -e {{ overcloud_templates_path }}/environments/services/haproxy-public-tls-certmonger.yaml -e {{ overcloud_templates_path }}/environments/ssl/enable-internal-tls.yaml -e {{ overcloud_templates_path }}/environments/ssl/tls-everywhere-endpoints-dns.yaml when: - - enable_tls_everywhere|bool + - enable_tls_everywhere|bool and undercloud_enable_novajoin|bool + - release not in ['mitaka', 'liberty', 'newton'] + +- name: set TLS everywhere fact with tripleo-ipa + set_fact: + tls_everywhere_args: >- + -e {{ overcloud_templates_path }}/environments/services/haproxy-public-tls-certmonger.yaml + -e {{ overcloud_templates_path }}/environments/ssl/enable-internal-tls.yaml + -e {{ overcloud_templates_path }}/environments/ssl/tls-everywhere-endpoints-dns.yaml + -e {{ working_dir }}/tls-everywhere.yaml + when: + - enable_tls_everywhere|bool and not undercloud_enable_novajoin|bool - release not in ['mitaka', 'liberty', 'newton'] - name: set validation_args fact for mitaka/liberty diff --git a/roles/overcloud-deploy/templates/tls-everywhere.yaml.j2 b/roles/overcloud-deploy/templates/tls-everywhere.yaml.j2 new file mode 100644 index 000000000..effe80701 --- /dev/null +++ b/roles/overcloud-deploy/templates/tls-everywhere.yaml.j2 @@ -0,0 +1,8 @@ +# Override the IpaClient path to use tripleo-ipa instead of novajoin for IPA registration + +parameter_defaults: + IdMServer: {{freeipa_server_hostname}} + IdMDomain: {{overcloud_cloud_domain}} + +resource_registry: + OS::TripleO::Services::IpaClient: {{overcloud_templates_path}}/deployment/ipa/ipaservices-baremetal-ansible.yaml diff --git a/roles/undercloud-deploy/README.md b/roles/undercloud-deploy/README.md index a3b6e004c..0a6b6017c 100644 --- a/roles/undercloud-deploy/README.md 
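Review bot: The two `set_fact` tasks in pre-deploy.yml differ only in the trailing `-e {{ working_dir }}/tls-everywhere.yaml` line and the sense of `undercloud_enable_novajoin` in their `when`, so the three shared environment paths are now maintained in two places; one task with a conditional last line keeps a single copy and a single `when`. The release guard is unchanged.
```yaml
- name: set TLS everywhere fact
  set_fact:
    tls_everywhere_args: >-
      -e {{ overcloud_templates_path }}/environments/services/haproxy-public-tls-certmonger.yaml
      -e {{ overcloud_templates_path }}/environments/ssl/enable-internal-tls.yaml
      -e {{ overcloud_templates_path }}/environments/ssl/tls-everywhere-endpoints-dns.yaml
      {% if not undercloud_enable_novajoin|bool %}-e {{ working_dir }}/tls-everywhere.yaml{% endif %}
  when:
    - enable_tls_everywhere|bool
    - release not in ['mitaka', 'liberty', 'newton']
```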
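Review bot: In tls-everywhere.yaml.j2, `IdMServer: {{freeipa_server_hostname}}` and `IdMDomain: {{overcloud_cloud_domain}}` are rendered unquoted, so an empty expansion becomes a YAML null and a value containing YAML-special characters mis-parses when Heat reads the environment; write `IdMServer: "{{ freeipa_server_hostname }}"` and `IdMDomain: "{{ overcloud_cloud_domain }}"`. The `resource_registry` path can stay plain.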
+++ b/roles/undercloud-deploy/README.md @@ -51,14 +51,13 @@ https://docs.openstack.org/tripleo-quickstart/latest/accessing-libvirt.html undercloud.conf. - `undercloud_enable_validations`: <'true'> -- sets up the 'enable_validations' option in undercloud.conf. -- `undercloud_enable_novajoin`: <'false'> -- sets up the 'enable_novajoin' - value from undercloud.conf. Note that using 'enable_tls_everywhere' will have - the same effect. +- `undercloud_enable_novajoin`: <'true'> -- sets up the 'enable_novajoin' + value from undercloud.conf when 'enable_tls_everywhere' is enabled. - `novajoin_connect_timeout`: <5> Sets vendordata_dynamic_connect_timeout when novajoin is enabled - `novajoin_read_timeout:` <20> Sets vendordata_dynamic_read_timeout when novajoin is enabled -- `prepare_novajoin`: If set to true, it will install novajoin in the undercloud, - and run a script that will create the required privileges/permissions in - FreeIPA, as well as the undercloud host entry. this requires +- `prepare_ipa`: If set to true, it will install novajoin or tripleo-ipa in the + undercloud, and run a script that will create the required privileges/permissions + in FreeIPA, as well as the undercloud host entry. This requires 'enable_tls_everywhere' to be set to true, and the following variables to be properly defined: 'freeipa_admin_password', 'freeipa_server_hostname', 'overcloud_cloud_domain', 'undercloud_undercloud_hostname'. If you plan to do diff --git a/roles/undercloud-deploy/defaults/main.yml b/roles/undercloud-deploy/defaults/main.yml index ee9344b1e..e6115ecd5 100644 --- a/roles/undercloud-deploy/defaults/main.yml +++ b/roles/undercloud-deploy/defaults/main.yml @@ -37,8 +37,8 @@ undercloud_ironic_ipxe_port: 3816 undercloud_conf_extra: "" -undercloud_enable_novajoin: false -prepare_novajoin: true +undercloud_enable_novajoin: true +prepare_ipa: true # location which the novajoin-ipa-setup will store the FreeIPA token freeipa_otp_key: /tmp/ipa-otp.txt 
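Review bot: Renaming `prepare_novajoin` to `prepare_ipa` in defaults/main.yml drops the old name without a bridge, so an existing inventory or extra-vars file setting `prepare_novajoin: false` is silently ignored and the preparation tasks run (and fail their validation) on a host that opted out; `prepare_ipa: "{{ prepare_novajoin | default(true) }}"` keeps the old name working for a release. The flip of `undercloud_enable_novajoin` from false to true is explained in the commit message, but the surviving comment `# location which the novajoin-ipa-setup will store the FreeIPA token` now covers a flow where `ipa_prep.sh` writes the file; `# path where novajoin_prep.sh or ipa_prep.sh stores the undercloud enrollment OTP` describes both.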
diff --git a/roles/undercloud-deploy/tasks/ipa_prep.yml b/roles/undercloud-deploy/tasks/ipa_prep.yml new file mode 100644 index 000000000..ccd48450a --- /dev/null +++ b/roles/undercloud-deploy/tasks/ipa_prep.yml @@ -0,0 +1,47 @@ +--- + +- name: Validate FreeIPA Admin password was passed + fail: msg="freeipa_admin_password is not passed and or blank" + when: + - deploy_supplemental_node|bool and not hostvars['supplemental'].freeipa_admin_password|default('') + - not freeipa_admin_password|default('') + +- name: Validate FreeIPA Server hostname was passed + fail: msg="freeipa_server_hostname is not passed and or blank" + when: freeipa_server_hostname is not defined or ( freeipa_server_hostname is defined and freeipa_server_hostname == "" ) + +- name: Validate a domain for the cloud was given + fail: msg="overcloud_cloud_domain is not passed and or blank" + when: overcloud_cloud_domain is not defined or ( overcloud_cloud_domain is defined and overcloud_cloud_domain == "" ) + +- name: Validate a undercloud hostname was given + fail: msg="undercloud_undercloud_hostname is not passed and or blank" + when: undercloud_undercloud_hostname is not defined or ( undercloud_undercloud_hostname is defined and undercloud_undercloud_hostname == "" ) + +- name: Install tripleo-ipa preparation script + template: + src: ipa_prep.sh.j2 + dest: "{{ working_dir }}/ipa_prep.sh" + mode: 0755 + +- name: Run the tripleo-ipa preparation script + shell: > + set -o pipefail && + {{ working_dir }}/ipa_prep.sh 2>&1 {{ timestamper_cmd }} > + {{ working_dir }}/ipa_prep.sh.log + changed_when: true + +- name: Copy the otp key to the undercloud + copy: + src: "{{ freeipa_otp_key }}" + dest: "{{ freeipa_otp_key }}" + +- name: Register OTP output + command: cat {{ freeipa_otp_key }} + register: ipa_otp_register + changed_when: false + +- name: Set OTP Fact for undercloud enrollment + set_fact: + undercloud_ipa_otp: "{{ ipa_otp_register.stdout }}" + when: ipa_otp_register.rc == 0 
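Review bot: The "Copy the otp key to the undercloud" task writes the enrollment OTP to `{{ freeipa_otp_key }}` with the `copy` module's default mode, so the secret is readable by any local user on the undercloud until someone removes it; add `mode: "0600"` (and quote `mode: "0755"` on the template task, per ansible-lint's octal rule). The `when: ipa_otp_register.rc == 0` on the set_fact task is dead: a non-zero exit from `command: cat` already fails the play, so the fact is always set when that task is reached and the condition can go. Since the same file was already fetched to the controller, `undercloud_ipa_otp: "{{ lookup('file', freeipa_otp_key) }}"` would read it there and avoid staging the secret on the undercloud at all, unless something else on the undercloud needs the file. The password validation at the top shares the ANDed-`when` defect raised on roles/freeipa-setup/tasks/ipa_prep.yml.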
diff --git a/roles/undercloud-deploy/tasks/main.yml b/roles/undercloud-deploy/tasks/main.yml index 622877d9c..7c091af93 100644 --- a/roles/undercloud-deploy/tasks/main.yml +++ b/roles/undercloud-deploy/tasks/main.yml @@ -25,7 +25,12 @@ - include: novajoin_prep.yml - when: enable_tls_everywhere|bool and prepare_novajoin|bool + when: enable_tls_everywhere|bool and prepare_ipa|bool and undercloud_enable_novajoin|bool + tags: + - undercloud-install + +- include: ipa_prep.yml + when: enable_tls_everywhere|bool and prepare_ipa|bool and not undercloud_enable_novajoin|bool tags: - undercloud-install diff --git a/roles/undercloud-deploy/templates/hieradata-overrides-classic-undercloud.yaml.j2 b/roles/undercloud-deploy/templates/hieradata-overrides-classic-undercloud.yaml.j2 index ee54f07b8..87fec9f4d 100644 --- a/roles/undercloud-deploy/templates/hieradata-overrides-classic-undercloud.yaml.j2 +++ b/roles/undercloud-deploy/templates/hieradata-overrides-classic-undercloud.yaml.j2 @@ -82,7 +82,7 @@ ironic::rpc_response_timeout: {{undercloud_ironic_rpc_response_timeout}} -{% if undercloud_enable_novajoin or enable_tls_everywhere %} +{% if undercloud_enable_novajoin and enable_tls_everywhere %} nova::api::vendordata_dynamic_connect_timeout: {{ novajoin_connect_timeout }} nova::api::vendordata_dynamic_read_timeout: {{ novajoin_read_timeout }} {% endif %} diff --git a/roles/undercloud-deploy/templates/ipa_prep.sh.j2 b/roles/undercloud-deploy/templates/ipa_prep.sh.j2 new file mode 100644 index 000000000..6b7f2d32b --- /dev/null +++ b/roles/undercloud-deploy/templates/ipa_prep.sh.j2 
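Review bot: The hieradata template condition `{% if undercloud_enable_novajoin and enable_tls_everywhere %}` tests raw Jinja truthiness while every task in this change tests `|bool`; a value supplied as the string `"false"` (the usual shape of `-e` extra-vars) is truthy here, so the novajoin vendordata timeouts would be emitted for a deployment the tasks treat as novajoin-less. Write `{% if undercloud_enable_novajoin|bool and enable_tls_everywhere|bool %}` here and in the matching hunk of roles/undercloud-deploy/templates/undercloud.conf.j2, which derives `enable_novajoin = true` from the same expression. In tasks/main.yml the two `include` tasks are mutually exclusive by construction; a one-line comment above the first, `# exactly one of novajoin_prep / ipa_prep runs when TLS-E preparation is requested`, spares the next reader the comparison.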
@@ -0,0 +1,25 @@ +#!/usr/bin/env bash +set -eux + +### --start_docs + +## Set up the necessary permissions/privileges in novajoin +## ======================================================= + + +## * Ensure that the undercloud is using the FreeIPA server +## as its DNS server +## * Make sure that the undercloud_undercloud_hostname resolves +## (undercloud.openstacklocal is originally set in prepare-slave.yml) +## * Set the hostname to undercloud_undercloud_hostname +## * Make sure the /etc/novajoin directory is created, so that the keytab can +## be saved there (ipa-getkeytab doesn't create that directory) + +## .. Note:: You may not use sudo and use output redirection '>':: + +sudo /bin/su -c "echo -e 'search {{ overcloud_cloud_domain }}\nnameserver {{ undercloud_undercloud_nameservers[-1] }}' > /etc/resolv.conf" +sudo sed -i "s/undercloud.openstacklocal/{{ undercloud_undercloud_hostname }} undercloud.openstacklocal/" /etc/hosts +sudo hostnamectl set-hostname {{ undercloud_undercloud_hostname }} + +sudo install -d -m 755 --context=system_u:object_r:etc_t:s0 /etc/novajoin +### --stop_docs diff --git a/roles/undercloud-deploy/templates/undercloud.conf.j2 b/roles/undercloud-deploy/templates/undercloud.conf.j2 index ee6c8eb33..a24e60955 100644 --- a/roles/undercloud-deploy/templates/undercloud.conf.j2 +++ b/roles/undercloud-deploy/templates/undercloud.conf.j2 @@ -274,7 +274,7 @@ ipxe_deploy = {{undercloud_ipxe_deploy}} enable_monitoring = {{undercloud_enable_monitoring}} # Whether to install novajoin metadata service in the Undercloud. -{% if undercloud_enable_novajoin or enable_tls_everywhere %} +{% if undercloud_enable_novajoin and enable_tls_everywhere %} enable_novajoin = true {% else %} enable_novajoin = false 
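Review bot: The docs heading `## Set up the necessary permissions/privileges in novajoin` and the bullet about `/etc/novajoin` were carried over from the novajoin variant, but this script creates no privileges at all: it points resolv.conf at FreeIPA, fixes /etc/hosts and the hostname, and creates `/etc/novajoin`; retitle it `## Prepare the undercloud host for FreeIPA enrollment via tripleo-ipa` and, if the `/etc/novajoin` directory is still required without novajoin, name the consumer in the bullet (it reads like a leftover). The `sudo sed -i "s/undercloud.openstacklocal/{{ undercloud_undercloud_hostname }} undercloud.openstacklocal/" /etc/hosts` line is not idempotent — every run prepends the hostname again — so guard it, e.g. `grep -q "{{ undercloud_undercloud_hostname }}" /etc/hosts || sudo sed -i ...`. `{{ undercloud_undercloud_nameservers[-1] }}` assumes a non-empty list that none of the new validation tasks checks; presumably it is always set in this role's defaults, worth confirming.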
@@ -283,7 +283,7 @@ enable_novajoin = false
 # One Time Password to register Undercloud node with IPA server.
 # Required when enable_novajoin = true.
 {% if undercloud_ipa_otp is defined %}
-ipa_otp = {{undercloud_ipa_otp}}
+ipa_otp = {{ undercloud_ipa_otp }}
 {% else %}
 # ipa_otp =
 {% endif %}