Support TLS-Everywhere without novajoin
To run TLS-E without novajoin, set undercloud_enable_novajoin to false. To avoid confusion, this changes the previous behavior of the undercloud_enable_novajoin flag and its default value. The original flag wasn't used, because novajoin is only used for TLS-E, so it doesn't make sense to deploy it otherwise. Depends-On: https://review.opendev.org/731383 Depends-On: https://review.opendev.org/740951 Change-Id: Id97074ff7b1341942e8c85fc709a83b33e0af414
parent
ca7228937c
commit
d688ab722a
@ -20,6 +20,15 @@ Role Variables
|
|||||||
provisioning interface (which is hardcoded to eth1)
|
provisioning interface (which is hardcoded to eth1)
|
||||||
- `supplemental_user`: <stack> The user which is used to deploy FreeIpa on the supplemental node
|
- `supplemental_user`: <stack> The user which is used to deploy FreeIpa on the supplemental node
|
||||||
- `ipa_server_install_params`: <''> -- Additional parameters to pass to the ipa-server-install command
|
- `ipa_server_install_params`: <''> -- Additional parameters to pass to the ipa-server-install command
|
||||||
|
- `prepare_ipa`: If set to true, it will install novajoin or tripleo-ipa in the
|
||||||
|
undercloud, and run a script that will create the required privileges/permissions
|
||||||
|
in FreeIPA, as well as the undercloud host entry. This requires
|
||||||
|
'enable_tls_everywhere' to be set to true, and the following variables to be
|
||||||
|
properly defined: 'freeipa_admin_password', 'freeipa_server_hostname',
|
||||||
|
'overcloud_cloud_domain', 'undercloud_undercloud_hostname'. If you plan to do
|
||||||
|
this yourself, you can set this variable to false. Defaults to true.
|
||||||
|
- `undercloud_enable_novajoin`: <'true'> -- uses old novajoin service to register
|
||||||
|
overcloud nodes into IPA when 'enable_tls_everywhere' is enabled.
|
||||||
|
|
||||||
Example Playbook
|
Example Playbook
|
||||||
----------------
|
----------------
|
||||||
|
@ -6,3 +6,7 @@ undercloud_fqdn: "undercloud.tripleodomain"
|
|||||||
provisioning_cidr: "{{ undercloud_network_cidr }}"
|
provisioning_cidr: "{{ undercloud_network_cidr }}"
|
||||||
supplemental_user: "stack"
|
supplemental_user: "stack"
|
||||||
freeipa_subcas: []
|
freeipa_subcas: []
|
||||||
|
prepare_ipa: true
|
||||||
|
# location which the novajoin-ipa-setup will store the FreeIPA token
|
||||||
|
undercloud_enable_novajoin: true
|
||||||
|
freeipa_otp_key: /tmp/ipa-otp.txt
|
||||||
|
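--- a/roles/freeipa-setup/tasks/ipa_prep.yml
+++ b/roles/freeipa-setup/tasks/ipa_prep.yml
@@ -0,0 +1,38 @@
+---
+
+- name: Validate FreeIPA Admin password was passed
+fail: msg="freeipa_admin_password is not passed and or blank"
+when:
+- deploy_supplemental_node|bool and not hostvars['supplemental'].freeipa_admin_password|default('')
+- not freeipa_admin_password|default('')
+
+- name: Validate FreeIPA Server hostname was passed
+fail: msg="freeipa_server_hostname is not passed and or blank"
+when: freeipa_server_hostname is not defined or ( freeipa_server_hostname is defined and freeipa_server_hostname == "" )
+
+- name: Validate a domain for the cloud was given
+fail: msg="overcloud_cloud_domain is not passed and or blank"
+when: overcloud_cloud_domain is not defined or ( overcloud_cloud_domain is defined and overcloud_cloud_domain == "" )
+
+- name: Validate a undercloud hostname was given
+fail: msg="undercloud_undercloud_hostname is not passed and or blank"
+when: undercloud_undercloud_hostname is not defined or ( undercloud_undercloud_hostname is defined and undercloud_undercloud_hostname == "" )
+
+- name: Install tripleo-ipa preparation script
+template:
+src: ipa_prep.sh.j2
+dest: "~{{ supplemental_user }}/ipa_prep.sh"
+mode: 0755
+
+- name: Run the tripleo-ipa preparation script
+shell: >
+set -o pipefail &&
+~{{ supplemental_user }}/ipa_prep.sh 2>&1 {{ timestamper_cmd }} >
+~{{ supplemental_user }}/ipa_prep.sh.log
+changed_when: true
+
+- name: Fetch the otp key
+fetch:
+src: "{{ freeipa_otp_key }}"
+dest: "{{ freeipa_otp_key }}"
+flat: true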
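Review bot: The first validation task cannot fire when `deploy_supplemental_node` is false, because the two entries under `when:` are ANDed and the first one is then always false; a blank `freeipa_admin_password` passes the check and `ipa_prep.sh.j2` then renders `export IPA_ADMIN_PASSWORD=` with nothing after it. With `deploy_supplemental_node` true the task fails only if both the supplemental host's password and the local one are blank. A single expression that mirrors the branch in the template states the intent: `when: (deploy_supplemental_node|bool and not hostvars['supplemental'].freeipa_admin_password|default('')) or (not deploy_supplemental_node|bool and not freeipa_admin_password|default(''))`. The identical task in `roles/undercloud-deploy/tasks/ipa_prep.yml` has the same problem.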
@ -22,3 +22,8 @@
|
|||||||
- name: Deploy FreeIPA
|
- name: Deploy FreeIPA
|
||||||
become: true
|
become: true
|
||||||
shell: "~{{ supplemental_user }}/deploy_freeipa.sh &> ~{{ supplemental_user }}/deploy_freeipa.log"
|
shell: "~{{ supplemental_user }}/deploy_freeipa.sh &> ~{{ supplemental_user }}/deploy_freeipa.log"
|
||||||
|
|
||||||
|
- include: ipa_prep.yml
|
||||||
|
when: enable_tls_everywhere|bool and prepare_ipa|bool and not undercloud_enable_novajoin|bool
|
||||||
|
tags:
|
||||||
|
- undercloud-install
|
||||||
|
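--- a/roles/freeipa-setup/templates/ipa_prep.sh.j2
+++ b/roles/freeipa-setup/templates/ipa_prep.sh.j2
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+set -eux
+
+### --start_docs
+
+## Set up the necessary permissions/privileges in novajoin
+## =======================================================
+
+## * Install ansible and tripleo-ipa
+
+sudo {{ ansible_pkg_mgr }} install -yq ansible ansible-tripleo-ipa
+
+## * Set up FreeIPA permissions and privileges and register the undercloud.
+## ::
+
+export IPA_ADMIN_USER=admin
+export IPA_PRINCIPAL=admin
+{% if deploy_supplemental_node|bool %}
+export IPA_ADMIN_PASSWORD={{ hostvars['supplemental'].freeipa_admin_password }}
+export IPA_PASSWORD={{ hostvars['supplemental'].freeipa_admin_password }}
+{% else %}
+export IPA_ADMIN_PASSWORD={{ freeipa_admin_password }}
+export IPA_PASSWORD={{ freeipa_admin_password }}
+{% endif %}
+export IPA_SERVER_HOSTNAME={{ freeipa_server_hostname }}
+export IPA_REALM=$(echo {{ overcloud_cloud_domain }} | awk '{print toupper($0)}')
+export IPA_DOMAIN={{ overcloud_cloud_domain }}
+export UNDERCLOUD_FQDN={{ undercloud_undercloud_hostname }}
+export CLOUD_DOMAIN="{{ overcloud_cloud_domain }}"
+
+echo $IPA_PASSWORD | kinit $IPA_ADMIN_USER@$IPA_REALM
+
+ansible-playbook --ssh-extra-args \
+"-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" \
+/usr/share/ansible/tripleo-playbooks/ipa-server-create-role.yaml
+
+ansible-playbook --ssh-extra-args \
+"-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" \
+/usr/share/ansible/tripleo-playbooks/ipa-server-register-undercloud.yaml \
+| grep -o '"ipa_otp = .*"$' | sed 's/ipa_otp = //' > {{ freeipa_otp_key }}
+
+ansible-playbook --ssh-extra-args \
+"-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" \
+/usr/share/ansible/tripleo-playbooks/ipa-server-create-principal.yaml
+
+### --stop_docs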
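Review bot: `set -eux` at the top makes bash trace every `export IPA_ADMIN_PASSWORD=…` / `export IPA_PASSWORD=…` line and the `echo $IPA_PASSWORD | kinit` line, and the task that runs this script redirects its combined output into `ipa_prep.sh.log`, so the FreeIPA admin password ends up in that log in clear text. The rendered script also carries the password and is installed with `mode: 0755`, which leaves it readable by every local user. I would drop `-x` (or bracket the credential lines with `set +x` / `set -x`), render the values through the quote filter, e.g. `export IPA_PASSWORD={{ freeipa_admin_password | quote }}`, and install the script with `mode: "0700"`. The three `ansible-playbook` calls also pass `StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null`, so whatever host those playbooks connect to is never authenticated; that deserves at least a comment saying why it is acceptable here.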
@ -48,6 +48,8 @@ A description of the settable variables for this role should go here, including
|
|||||||
* `topology_map`: undefined - a dictionary of roles with their scale (count) and flavor names. Example: topology_map: { 'Controller': { 'scale': 3, 'flavor': 'baremetal' } }
|
* `topology_map`: undefined - a dictionary of roles with their scale (count) and flavor names. Example: topology_map: { 'Controller': { 'scale': 3, 'flavor': 'baremetal' } }
|
||||||
* `extra_tht_configs`: -- a list of files to copy to the undercloud and add as
|
* `extra_tht_configs`: -- a list of files to copy to the undercloud and add as
|
||||||
extra config to the overcloud-deployment command.
|
extra config to the overcloud-deployment command.
|
||||||
|
* `undercloud_enable_novajoin`: <'true'> -- uses old novajoin service to register
|
||||||
|
overcloud nodes into IPA when 'enable_tls_everywhere' is enabled.
|
||||||
|
|
||||||
Dependencies
|
Dependencies
|
||||||
------------
|
------------
|
||||||
|
@ -91,6 +91,7 @@ use_resource_registry_nic_configs: false
|
|||||||
|
|
||||||
ssl_args: ""
|
ssl_args: ""
|
||||||
tls_everywhere_args: ""
|
tls_everywhere_args: ""
|
||||||
|
undercloud_enable_novajoin: true
|
||||||
validation_args: "--validation-warnings-fatal"
|
validation_args: "--validation-warnings-fatal"
|
||||||
|
|
||||||
enable_swap: false
|
enable_swap: false
|
||||||
|
@ -71,6 +71,14 @@
|
|||||||
src: "cloud-names.yaml.j2"
|
src: "cloud-names.yaml.j2"
|
||||||
dest: "{{ working_dir }}/cloud-names.yaml"
|
dest: "{{ working_dir }}/cloud-names.yaml"
|
||||||
|
|
||||||
|
- name: Set OS::TripleO::Services::IpaClient for novajoin-less deployment
|
||||||
|
when:
|
||||||
|
- enable_tls_everywhere|bool and not undercloud_enable_novajoin|bool
|
||||||
|
- release not in ['mitaka', 'liberty', 'newton']
|
||||||
|
template:
|
||||||
|
src: "tls-everywhere.yaml.j2"
|
||||||
|
dest: "{{ working_dir }}/tls-everywhere.yaml"
|
||||||
|
|
||||||
- name: Create the hostname_map parameters yaml
|
- name: Create the hostname_map parameters yaml
|
||||||
when:
|
when:
|
||||||
- groups['overcloud'] is defined
|
- groups['overcloud'] is defined
|
||||||
|
@ -161,14 +161,25 @@
|
|||||||
{{ ssl_ca_args }}
|
{{ ssl_ca_args }}
|
||||||
when: ssl_overcloud|bool or undercloud_generate_service_certificate|bool
|
when: ssl_overcloud|bool or undercloud_generate_service_certificate|bool
|
||||||
|
|
||||||
- name: set novajoin/TLS everywhere fact
|
- name: set TLS everywhere fact with novajoin
|
||||||
set_fact:
|
set_fact:
|
||||||
tls_everywhere_args: >-
|
tls_everywhere_args: >-
|
||||||
-e {{ overcloud_templates_path }}/environments/services/haproxy-public-tls-certmonger.yaml
|
-e {{ overcloud_templates_path }}/environments/services/haproxy-public-tls-certmonger.yaml
|
||||||
-e {{ overcloud_templates_path }}/environments/ssl/enable-internal-tls.yaml
|
-e {{ overcloud_templates_path }}/environments/ssl/enable-internal-tls.yaml
|
||||||
-e {{ overcloud_templates_path }}/environments/ssl/tls-everywhere-endpoints-dns.yaml
|
-e {{ overcloud_templates_path }}/environments/ssl/tls-everywhere-endpoints-dns.yaml
|
||||||
when:
|
when:
|
||||||
- enable_tls_everywhere|bool
|
- enable_tls_everywhere|bool and undercloud_enable_novajoin|bool
|
||||||
|
- release not in ['mitaka', 'liberty', 'newton']
|
||||||
|
|
||||||
|
- name: set TLS everywhere fact with tripleo-ipa
|
||||||
|
set_fact:
|
||||||
|
tls_everywhere_args: >-
|
||||||
|
-e {{ overcloud_templates_path }}/environments/services/haproxy-public-tls-certmonger.yaml
|
||||||
|
-e {{ overcloud_templates_path }}/environments/ssl/enable-internal-tls.yaml
|
||||||
|
-e {{ overcloud_templates_path }}/environments/ssl/tls-everywhere-endpoints-dns.yaml
|
||||||
|
-e {{ working_dir }}/tls-everywhere.yaml
|
||||||
|
when:
|
||||||
|
- enable_tls_everywhere|bool and not undercloud_enable_novajoin|bool
|
||||||
- release not in ['mitaka', 'liberty', 'newton']
|
- release not in ['mitaka', 'liberty', 'newton']
|
||||||
|
|
||||||
- name: set validation_args fact for mitaka/liberty
|
- name: set validation_args fact for mitaka/liberty
|
||||||
|
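--- a/roles/overcloud-deploy/templates/tls-everywhere.yaml.j2
+++ b/roles/overcloud-deploy/templates/tls-everywhere.yaml.j2
@@ -0,0 +1,8 @@
+# Override the IpaClient path to use tripleo-ipa instead of novajoin for IPA registration
+
+parameter_defaults:
+IdMServer: {{freeipa_server_hostname}}
+IdMDomain: {{overcloud_cloud_domain}}
+
+resource_registry:
+OS::TripleO::Services::IpaClient: {{overcloud_templates_path}}/deployment/ipa/ipaservices-baremetal-ansible.yaml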
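Review bot: The three templated values are rendered as plain scalars, so an empty `freeipa_server_hostname` or `overcloud_cloud_domain` becomes YAML `null` and a value that starts with a YAML indicator changes the parse; as far as the visible tasks show, nothing validates these variables on this path when `prepare_ipa` is false. Quoting keeps the result a string whatever the input: `IdMServer: "{{ freeipa_server_hostname }}"`, `IdMDomain: "{{ overcloud_cloud_domain }}"`, and the same for the `OS::TripleO::Services::IpaClient` path.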
@ -51,14 +51,13 @@ https://docs.openstack.org/tripleo-quickstart/latest/accessing-libvirt.html
|
|||||||
undercloud.conf.
|
undercloud.conf.
|
||||||
- `undercloud_enable_validations`: <'true'> -- sets up the 'enable_validations'
|
- `undercloud_enable_validations`: <'true'> -- sets up the 'enable_validations'
|
||||||
option in undercloud.conf.
|
option in undercloud.conf.
|
||||||
- `undercloud_enable_novajoin`: <'false'> -- sets up the 'enable_novajoin'
|
- `undercloud_enable_novajoin`: <'true'> -- sets up the 'enable_novajoin'
|
||||||
value from undercloud.conf. Note that using 'enable_tls_everywhere' will have
|
value from undercloud.conf when 'enable_tls_everywhere' is enabled.
|
||||||
the same effect.
|
|
||||||
- `novajoin_connect_timeout`: <5> Sets vendordata_dynamic_connect_timeout when novajoin is enabled
|
- `novajoin_connect_timeout`: <5> Sets vendordata_dynamic_connect_timeout when novajoin is enabled
|
||||||
- `novajoin_read_timeout:` <20> Sets vendordata_dynamic_read_timeout when novajoin is enabled
|
- `novajoin_read_timeout:` <20> Sets vendordata_dynamic_read_timeout when novajoin is enabled
|
||||||
- `prepare_novajoin`: If set to true, it will install novajoin in the undercloud,
|
- `prepare_ipa`: If set to true, it will install novajoin or tripleo-ipa in the
|
||||||
and run a script that will create the required privileges/permissions in
|
undercloud, and run a script that will create the required privileges/permissions
|
||||||
FreeIPA, as well as the undercloud host entry. this requires
|
in FreeIPA, as well as the undercloud host entry. This requires
|
||||||
'enable_tls_everywhere' to be set to true, and the following variables to be
|
'enable_tls_everywhere' to be set to true, and the following variables to be
|
||||||
properly defined: 'freeipa_admin_password', 'freeipa_server_hostname',
|
properly defined: 'freeipa_admin_password', 'freeipa_server_hostname',
|
||||||
'overcloud_cloud_domain', 'undercloud_undercloud_hostname'. If you plan to do
|
'overcloud_cloud_domain', 'undercloud_undercloud_hostname'. If you plan to do
|
||||||
|
@ -37,8 +37,8 @@ undercloud_ironic_ipxe_port: 3816
|
|||||||
|
|
||||||
undercloud_conf_extra: ""
|
undercloud_conf_extra: ""
|
||||||
|
|
||||||
undercloud_enable_novajoin: false
|
undercloud_enable_novajoin: true
|
||||||
prepare_novajoin: true
|
prepare_ipa: true
|
||||||
|
|
||||||
# location which the novajoin-ipa-setup will store the FreeIPA token
|
# location which the novajoin-ipa-setup will store the FreeIPA token
|
||||||
freeipa_otp_key: /tmp/ipa-otp.txt
|
freeipa_otp_key: /tmp/ipa-otp.txt
|
||||||
|
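--- a/roles/undercloud-deploy/tasks/ipa_prep.yml
+++ b/roles/undercloud-deploy/tasks/ipa_prep.yml
@@ -0,0 +1,47 @@
+---
+
+- name: Validate FreeIPA Admin password was passed
+fail: msg="freeipa_admin_password is not passed and or blank"
+when:
+- deploy_supplemental_node|bool and not hostvars['supplemental'].freeipa_admin_password|default('')
+- not freeipa_admin_password|default('')
+
+- name: Validate FreeIPA Server hostname was passed
+fail: msg="freeipa_server_hostname is not passed and or blank"
+when: freeipa_server_hostname is not defined or ( freeipa_server_hostname is defined and freeipa_server_hostname == "" )
+
+- name: Validate a domain for the cloud was given
+fail: msg="overcloud_cloud_domain is not passed and or blank"
+when: overcloud_cloud_domain is not defined or ( overcloud_cloud_domain is defined and overcloud_cloud_domain == "" )
+
+- name: Validate a undercloud hostname was given
+fail: msg="undercloud_undercloud_hostname is not passed and or blank"
+when: undercloud_undercloud_hostname is not defined or ( undercloud_undercloud_hostname is defined and undercloud_undercloud_hostname == "" )
+
+- name: Install tripleo-ipa preparation script
+template:
+src: ipa_prep.sh.j2
+dest: "{{ working_dir }}/ipa_prep.sh"
+mode: 0755
+
+- name: Run the tripleo-ipa preparation script
+shell: >
+set -o pipefail &&
+{{ working_dir }}/ipa_prep.sh 2>&1 {{ timestamper_cmd }} >
+{{ working_dir }}/ipa_prep.sh.log
+changed_when: true
+
+- name: Copy the otp key to the undercloud
+copy:
+src: "{{ freeipa_otp_key }}"
+dest: "{{ freeipa_otp_key }}"
+
+- name: Register OTP output
+command: cat {{ freeipa_otp_key }}
+register: ipa_otp_register
+changed_when: false
+
+- name: Set OTP Fact for undercloud enrollment
+set_fact:
+undercloud_ipa_otp: "{{ ipa_otp_register.stdout }}"
+when: ipa_otp_register.rc == 0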
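Review bot: The OTP that enrolls the undercloud in FreeIPA is handled like an ordinary file: `copy` writes it to `{{ freeipa_otp_key }}` (default `/tmp/ipa-otp.txt`) with no `mode`, and `Register OTP output` and `Set OTP Fact for undercloud enrollment` carry no `no_log`, so the value is typically readable by other local users and shows up in verbose Ansible output. Adding `mode: "0600"` to the `copy` task and `no_log: true` to the two tasks that touch the value would contain it. Moving the default out of `/tmp` is worth considering too, since the `freeipa-setup` role writes the same predictable path on the supplemental node and, through `fetch`, on the host running Ansible. `when: ipa_otp_register.rc == 0` never filters anything, because a non-zero `cat` already fails the task; `when: ipa_otp_register.stdout | length > 0` would instead catch an empty file left behind when the `grep | sed` pipeline in `roles/freeipa-setup/templates/ipa_prep.sh.j2` matches nothing.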
@ -25,7 +25,12 @@
|
|||||||
|
|
||||||
|
|
||||||
- include: novajoin_prep.yml
|
- include: novajoin_prep.yml
|
||||||
when: enable_tls_everywhere|bool and prepare_novajoin|bool
|
when: enable_tls_everywhere|bool and prepare_ipa|bool and undercloud_enable_novajoin|bool
|
||||||
|
tags:
|
||||||
|
- undercloud-install
|
||||||
|
|
||||||
|
- include: ipa_prep.yml
|
||||||
|
when: enable_tls_everywhere|bool and prepare_ipa|bool and not undercloud_enable_novajoin|bool
|
||||||
tags:
|
tags:
|
||||||
- undercloud-install
|
- undercloud-install
|
||||||
|
|
||||||
|
@ -82,7 +82,7 @@ ironic::rpc_response_timeout: {{undercloud_ironic_rpc_response_timeout}}
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
{% if undercloud_enable_novajoin or enable_tls_everywhere %}
|
{% if undercloud_enable_novajoin and enable_tls_everywhere %}
|
||||||
nova::api::vendordata_dynamic_connect_timeout: {{ novajoin_connect_timeout }}
|
nova::api::vendordata_dynamic_connect_timeout: {{ novajoin_connect_timeout }}
|
||||||
nova::api::vendordata_dynamic_read_timeout: {{ novajoin_read_timeout }}
|
nova::api::vendordata_dynamic_read_timeout: {{ novajoin_read_timeout }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
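Review bot: The new condition `{% if undercloud_enable_novajoin and enable_tls_everywhere %}` tests the raw values, while every task condition added in this commit goes through `|bool`. If either variable arrives as a string, for example from `-e undercloud_enable_novajoin=false` on the command line, the non-empty string is truthy here, so the novajoin settings are rendered while the tasks take the tripleo-ipa path. `{% if undercloud_enable_novajoin|bool and enable_tls_everywhere|bool %}` keeps the template in step with the tasks. The same condition in the later hunk that renders `enable_novajoin = true` needs the same change.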
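--- a/roles/undercloud-deploy/templates/ipa_prep.sh.j2
+++ b/roles/undercloud-deploy/templates/ipa_prep.sh.j2
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -eux
+
+### --start_docs
+
+## Set up the necessary permissions/privileges in novajoin
+## =======================================================
+
+
+## * Ensure that the undercloud is using the FreeIPA server
+## as its DNS server
+## * Make sure that the undercloud_undercloud_hostname resolves
+## (undercloud.openstacklocal is originally set in prepare-slave.yml)
+## * Set the hostname to undercloud_undercloud_hostname
+## * Make sure the /etc/novajoin directory is created, so that the keytab can
+## be saved there (ipa-getkeytab doesn't create that directory)
+
+## .. Note:: You may not use sudo and use output redirection '>'::
+
+sudo /bin/su -c "echo -e 'search {{ overcloud_cloud_domain }}\nnameserver {{ undercloud_undercloud_nameservers[-1] }}' > /etc/resolv.conf"
+sudo sed -i "s/undercloud.openstacklocal/{{ undercloud_undercloud_hostname }} undercloud.openstacklocal/" /etc/hosts
+sudo hostnamectl set-hostname {{ undercloud_undercloud_hostname }}
+
+sudo install -d -m 755 --context=system_u:object_r:etc_t:s0 /etc/novajoin
+### --stop_docs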
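Review bot: The `sed` on `/etc/hosts` is not idempotent: the replacement still contains `undercloud.openstacklocal`, so every rerun prepends another copy of the hostname, and the task that calls this script is marked `changed_when: true` with no guard. A check before the edit avoids that, e.g. `grep -qF "{{ undercloud_undercloud_hostname }}" /etc/hosts || sudo sed -i …`. The line above it replaces `/etc/resolv.conf` wholesale with `undercloud_undercloud_nameservers[-1]`; the comment says this must be the FreeIPA server, which holds only if the operator ordered the list that way, so that requirement should be stated next to the variable. The section title `Set up the necessary permissions/privileges in novajoin` also looks carried over from the novajoin script, although this file is only included when `undercloud_enable_novajoin` is false.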
@ -274,7 +274,7 @@ ipxe_deploy = {{undercloud_ipxe_deploy}}
|
|||||||
enable_monitoring = {{undercloud_enable_monitoring}}
|
enable_monitoring = {{undercloud_enable_monitoring}}
|
||||||
|
|
||||||
# Whether to install novajoin metadata service in the Undercloud.
|
# Whether to install novajoin metadata service in the Undercloud.
|
||||||
{% if undercloud_enable_novajoin or enable_tls_everywhere %}
|
{% if undercloud_enable_novajoin and enable_tls_everywhere %}
|
||||||
enable_novajoin = true
|
enable_novajoin = true
|
||||||
{% else %}
|
{% else %}
|
||||||
enable_novajoin = false
|
enable_novajoin = false
|
||||||
@ -283,7 +283,7 @@ enable_novajoin = false
|
|||||||
# One Time Password to register Undercloud node with IPA server.
|
# One Time Password to register Undercloud node with IPA server.
|
||||||
# Required when enable_novajoin = true.
|
# Required when enable_novajoin = true.
|
||||||
{% if undercloud_ipa_otp is defined %}
|
{% if undercloud_ipa_otp is defined %}
|
||||||
ipa_otp = {{undercloud_ipa_otp}}
|
ipa_otp = {{ undercloud_ipa_otp }}
|
||||||
{% else %}
|
{% else %}
|
||||||
# ipa_otp =
|
# ipa_otp =
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|