Add validation for tripleo-ipa

On Train release user could use TLS Everywhere with novajoin or tripleo-api. This patch adds the tripleo-api validation. Change-Id: Ifeaf8975dd8227884c8534a787d5f1b2ce5b4807
2022-01-11 12:05:01 -05:00
parent 3f2c537ef0
commit 65e009c1ba
4 changed files with 91 additions and 12 deletions
--- a/roles/tls_everywhere/tasks/pre-deployment-containerized.yaml
+++ b/roles/tls_everywhere/tasks/pre-deployment-containerized.yaml
--- a/roles/tls_everywhere/tasks/pre-deployment-tripleo-ipa.yaml
+++ b/roles/tls_everywhere/tasks/pre-deployment-tripleo-ipa.yaml
@@ -0,0 +1,60 @@
+---
+### verify that the keytab and principal are usable ###
+
+- name: Set the novajoin keytab path
+  set_fact:
+    novajoin_keytab_path: '/etc/novajoin/krb5.keytab'
+
+- name: Verify the novajoin keytab is usable (non-containerized)
+  become: true
+  block:
+    - name: Set fact for novajoin user principal
+      set_fact:
+        novajoin_principal: "nova/{{ host_entry }}"
+
+    - name: Check for novajoin kerberos host keytab
+      stat:
+        path: "{{ novajoin_keytab_path }}"
+      register: non_containerized_novajoin_krb5_keytab_stat
+
+    - name: Test if novajoin principal in novajoin keytab is usable
+      command: kinit -kt "{{ novajoin_keytab_path }}" -c /tmp/my_novajoin_krb5_ccache "{{ novajoin_principal }}"
+      become: true
+      register: non_containerized_novajoin_principal_usable_result
+      ignore_errors: true
+      when: non_containerized_novajoin_krb5_keytab_stat.stat.exists
+
+    - name: Set facts for novajoin principal is usable skipped
+      set_fact:
+        principal_usable_status: "{{ helper_status_skipped }}"
+        principal_usable_reason: "skipped checking if the novajoin principal is usable for host {{ ansible_host }} because there is no keytab file"
+        principal_usable_recommendations: null
+      when: not non_containerized_novajoin_krb5_keytab_stat.stat.exists
+
+    - name: Set facts for novajoin principal is usable success
+      set_fact:
+        principal_usable_status: "{{ helper_status_ok }}"
+        principal_usable_reason: "The principal {{ novajoin_principal }} is able to obtain a kerberos ticket"
+        principal_usable_recommendations: null
+        temp_krb_caches: "{{ novajoin_temp_krb_caches + [ '/tmp/my_novajoin_krb5_ccache' ] }}"
+      changed_when: true
+      when:
+        - non_containerized_novajoin_krb5_keytab_stat.stat.exists
+        - non_containerized_novajoin_principal_usable_result is succeeded
+      notify:  # (hrybacki): novajoin server running on the undercloud -- it's okay to use this handler
+        - clean_up_temp_krb_caches
+
+    - name: Set facts for principal is usable failure
+      set_fact:
+        principal_usable_status: "{{ helper_status_error }}"
+        principal_usable_reason: "Tho principal {{ novajoin_principal }} is unable to obtain a kerberos ticket"
+        principal_usable_recommendations: null
+      when:
+        - non_containerized_novajoin_krb5_keytab_stat.stat.exists
+        - non_containerized_novajoin_principal_usable_result is failed
+
+    - name: Report on Kerberos principal in novajoin keytab is usable check
+      reportentry:
+        report_status: "{{ principal_usable_status }}"
+        report_reason: "{{ principal_usable_reason }}"
+        report_recommendations: "{{ principal_usable_recommendations }}"
--- a/roles/tls_everywhere/tasks/pre-deployment.yaml
+++ b/roles/tls_everywhere/tasks/pre-deployment.yaml
@@ -1,4 +1,12 @@
 ---
+- name: Ensure we get needed facts
+  setup:
+    gather_subset:
+      - '!all'
+      - '!any'
+      - '!min'
+      - env
+
 - name: Set facts for undercloud handlers to clean up
  set_fact:
    novajoin_temp_krb_caches: []
@@ -7,4 +15,18 @@
  set_fact:
    command_prefix: "podman"

- include: pre-deployment-containerized.yaml
+- name: Get enable_novajoin flag from undercloud.conf
+  become: true
+  validations_read_ini:
+    path: "{{ ansible_env.HOME }}/undercloud.conf"
+    section: DEFAULT
+    key: enable_novajoin
+    ignore_missing_file: false
+  register: undercloud_enable_novajoin
+  check_mode: false
+
+- include: pre-deployment-novajoin.yaml
+  when: undercloud_enable_novajoin|bool
+
+- include: pre-deployment-tripleo-ipa.yaml
+  when: not undercloud_enable_novajoin|bool
--- a/roles/tls_everywhere/tasks/prep.yaml
+++ b/roles/tls_everywhere/tasks/prep.yaml
@@ -54,23 +54,20 @@
  register: undercloud_enable_novajoin
  check_mode: false

- name: Set facts undercloud.conf enable novajoin is disabled
-  set_fact:
-    undercloud_conf_enable_novajoin_status: "{{ helper_status_error }}"
-    undercloud_conf_enable_novajoin_reason: "enable_novajoin is not enabled undercloud.conf"
-    undercloud_conf_enable_novajoin_recommendations:
-      - "Please set 'enable_novajoin' to True in undercloud.conf"
-  when: not undercloud_enable_novajoin.value|bool
-
 - name: Set facts undercloud.conf enable novajoin is enabled
  set_fact:
    undercloud_conf_enable_novajoin_status: "{{ helper_status_ok }}"
    undercloud_conf_enable_novajoin_reason: "enable_novajoin is enabled undercloud.conf"
-    undercloud_conf_enable_novajoin_recommendations: null
-  when: undercloud_enable_novajoin.value|bool
+  when: undercloud_enable_novajoin|bool
+
+- name: Set facts undercloud.conf enable novajoin is disabled
+  set_fact:
+    undercloud_conf_enable_novajoin_status: "{{ helper_status_ok }}"
+    undercloud_conf_enable_novajoin_reason: "enable_novajoin is disabled undercloud.conf, using tripleo-ipa"
+  when: not undercloud_enable_novajoin|bool

 - name: Report on enable novajoin setup in undercloud.conf check
  reportentry:
    report_status: "{{ undercloud_conf_enable_novajoin_status }}"
    report_reason: "{{ undercloud_conf_enable_novajoin_reason }}"
-    report_recommendations: "{{ undercloud_conf_enable_novajoin_recommendations }}"
+    report_recommendations: null