diff --git a/roles/tls_everywhere/tasks/pre-deployment-containerized.yaml b/roles/tls_everywhere/tasks/pre-deployment-novajoin.yaml
similarity index 100%
rename from roles/tls_everywhere/tasks/pre-deployment-containerized.yaml
rename to roles/tls_everywhere/tasks/pre-deployment-novajoin.yaml
diff --git a/roles/tls_everywhere/tasks/pre-deployment-tripleo-ipa.yaml b/roles/tls_everywhere/tasks/pre-deployment-tripleo-ipa.yaml
new file mode 100644
index 000000000..962f08f0b
--- /dev/null
+++ b/roles/tls_everywhere/tasks/pre-deployment-tripleo-ipa.yaml
@@ -0,0 +1,60 @@
+---
+### verify that the keytab and principal are usable ###
+
+- name: Set the novajoin keytab path
+  set_fact:
+    novajoin_keytab_path: '/etc/novajoin/krb5.keytab'
+
+- name: Verify the novajoin keytab is usable (non-containerized)
+  become: true
+  block:
+    - name: Set fact for novajoin user principal
+      set_fact:
+        novajoin_principal: "nova/{{ host_entry }}"
+
+    - name: Check for novajoin kerberos host keytab
+      stat:
+        path: "{{ novajoin_keytab_path }}"
+      register: non_containerized_novajoin_krb5_keytab_stat
+
+    - name: Test if novajoin principal in novajoin keytab is usable
+      command: kinit -kt "{{ novajoin_keytab_path }}" -c /tmp/my_novajoin_krb5_ccache "{{ novajoin_principal }}"
+      become: true
+      register: non_containerized_novajoin_principal_usable_result
+      ignore_errors: true
+      when: non_containerized_novajoin_krb5_keytab_stat.stat.exists
+
+    - name: Set facts for novajoin principal is usable skipped
+      set_fact:
+        principal_usable_status: "{{ helper_status_skipped }}"
+        principal_usable_reason: "skipped checking if the novajoin principal is usable for host {{ ansible_host }} because there is no keytab file"
+        principal_usable_recommendations: null
+      when: not non_containerized_novajoin_krb5_keytab_stat.stat.exists
+
+    - name: Set facts for novajoin principal is usable success
+      set_fact:
+        principal_usable_status: "{{ helper_status_ok }}"
+        principal_usable_reason: "The principal {{ novajoin_principal }} is able to obtain a kerberos ticket"
+        principal_usable_recommendations: null
+        temp_krb_caches: "{{ novajoin_temp_krb_caches + [ '/tmp/my_novajoin_krb5_ccache' ] }}"
+      changed_when: true
+      when:
+        - non_containerized_novajoin_krb5_keytab_stat.stat.exists
+        - non_containerized_novajoin_principal_usable_result is succeeded
+      notify: # (hrybacki): novajoin server running on the undercloud -- it's okay to use this handler
+        - clean_up_temp_krb_caches
+
+    - name: Set facts for principal is usable failure
+      set_fact:
+        principal_usable_status: "{{ helper_status_error }}"
+        principal_usable_reason: "Tho principal {{ novajoin_principal }} is unable to obtain a kerberos ticket"
+        principal_usable_recommendations: null
+      when:
+        - non_containerized_novajoin_krb5_keytab_stat.stat.exists
+        - non_containerized_novajoin_principal_usable_result is failed
+
+    - name: Report on Kerberos principal in novajoin keytab is usable check
+      reportentry:
+        report_status: "{{ principal_usable_status }}"
+        report_reason: "{{ principal_usable_reason }}"
+        report_recommendations: "{{ principal_usable_recommendations }}"
diff --git a/roles/tls_everywhere/tasks/pre-deployment.yaml b/roles/tls_everywhere/tasks/pre-deployment.yaml
index dc843b49a..c6ee7d0be 100644
--- a/roles/tls_everywhere/tasks/pre-deployment.yaml
+++ b/roles/tls_everywhere/tasks/pre-deployment.yaml
@@ -1,4 +1,12 @@
 ---
+- name: Ensure we get needed facts
+  setup:
+    gather_subset:
+      - '!all'
+      - '!any'
+      - '!min'
+      - env
+
 - name: Set facts for undercloud handlers to clean up
   set_fact:
     novajoin_temp_krb_caches: []
@@ -7,4 +15,18 @@
   set_fact:
     command_prefix: "podman"
 
-- include: pre-deployment-containerized.yaml
+- name: Get enable_novajoin flag from undercloud.conf
+  become: true
+  validations_read_ini:
+    path: "{{ ansible_env.HOME }}/undercloud.conf"
+    section: DEFAULT
+    key: enable_novajoin
+    ignore_missing_file: false
+  register: undercloud_enable_novajoin
+  check_mode: false
+
+- include: pre-deployment-novajoin.yaml
+  when: undercloud_enable_novajoin|bool
+
+- include: pre-deployment-tripleo-ipa.yaml
+  when: not undercloud_enable_novajoin|bool
diff --git a/roles/tls_everywhere/tasks/prep.yaml b/roles/tls_everywhere/tasks/prep.yaml
index 0376af5f3..cd6d8b1bf 100644
--- a/roles/tls_everywhere/tasks/prep.yaml
+++ b/roles/tls_everywhere/tasks/prep.yaml
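Review bot: This file is the branch selected when `enable_novajoin` is false, yet every check in it still targets novajoin's artifacts — `novajoin_keytab_path: '/etc/novajoin/krb5.keytab'` and `novajoin_principal: "nova/{{ host_entry }}"` — so on an undercloud using tripleo-ipa, where novajoin is presumably not installed, the `stat` will not find the file and the report will always carry `helper_status_skipped` instead of validating anything. If tripleo-ipa provisions a different keytab and principal, those should be substituted here, and the "novajoin" / "(non-containerized)" wording in the task and fact names should go with them. Separately, the root-run `kinit` writes a ticket for the service principal to the fixed, guessable path `/tmp/my_novajoin_krb5_ccache` in a world-writable directory and leaves it there until the handler fires; creating the cache with the `tempfile` module (`tempfile: {state: file, suffix: _krb5_ccache}` registered as e.g. `ccache`) and using `{{ ccache.path }}` both in the `-c` argument and in `temp_krb_caches` makes the name unpredictable and the file root-owned 0600 from creation. The failure branch's reason string also has a typo: `"Tho principal ..."` should read `"The principal ..."`.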
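Review bot: The added `setup` task that narrows facts to `env` has no comment saying why it is needed, and the reason is not visible from this hunk alone: the `validations_read_ini` task added further down this file builds its path from `ansible_env.HOME` while running with `become: true`, so gathering env facts here, unprivileged, is what makes HOME resolve to the deploy user's home rather than root's. Add `# gather only env facts, unprivileged: later tasks use become but must read undercloud.conf from the deploy user's $HOME` above the task so the next maintainer does not "simplify" it away or move it under a become block.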
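Review bot: The two new includes gate on `undercloud_enable_novajoin|bool`, but `undercloud_enable_novajoin` is the registered result of `validations_read_ini`, i.e. a module return mapping, not the setting's value; the pre-change prep.yaml conditions in this same diff read `undercloud_enable_novajoin.value|bool`, and as far as I can tell Ansible's `bool` filter yields false for a mapping (newer ansible-core raises), so unless the module returns a bare scalar the novajoin include can never be selected and every undercloud is treated as tripleo-ipa. Change both conditions to `when: undercloud_enable_novajoin.value|bool` and `when: not undercloud_enable_novajoin.value|bool`. A missing or unset key would then also fall through to the tripleo-ipa path, which is presumably the intended default and worth stating in a comment above the first include.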
@@ -54,23 +54,20 @@
   register: undercloud_enable_novajoin
   check_mode: false
 
-- name: Set facts undercloud.conf enable novajoin is disabled
-  set_fact:
-    undercloud_conf_enable_novajoin_status: "{{ helper_status_error }}"
-    undercloud_conf_enable_novajoin_reason: "enable_novajoin is not enabled undercloud.conf"
-    undercloud_conf_enable_novajoin_recommendations:
-      - "Please set 'enable_novajoin' to True in undercloud.conf"
-  when: not undercloud_enable_novajoin.value|bool
-
 - name: Set facts undercloud.conf enable novajoin is enabled
   set_fact:
     undercloud_conf_enable_novajoin_status: "{{ helper_status_ok }}"
     undercloud_conf_enable_novajoin_reason: "enable_novajoin is enabled undercloud.conf"
-    undercloud_conf_enable_novajoin_recommendations: null
-  when: undercloud_enable_novajoin.value|bool
+  when: undercloud_enable_novajoin|bool
+
+- name: Set facts undercloud.conf enable novajoin is disabled
+  set_fact:
+    undercloud_conf_enable_novajoin_status: "{{ helper_status_ok }}"
+    undercloud_conf_enable_novajoin_reason: "enable_novajoin is disabled undercloud.conf, using tripleo-ipa"
+  when: not undercloud_enable_novajoin|bool
 
 - name: Report on enable novajoin setup in undercloud.conf check
   reportentry:
     report_status: "{{ undercloud_conf_enable_novajoin_status }}"
     report_reason: "{{ undercloud_conf_enable_novajoin_reason }}"
-    report_recommendations: "{{ undercloud_conf_enable_novajoin_recommendations }}"
+    report_recommendations: null
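Review bot: The rewritten `when:` conditions drop the `.value` accessor — the removed lines read `undercloud_enable_novajoin.value|bool`, the added ones `undercloud_enable_novajoin|bool` — while the `register: undercloud_enable_novajoin` context line above shows the variable is still the `validations_read_ini` result mapping; as far as I can tell Ansible's `bool` filter yields false for a mapping (newer ansible-core raises), so the "enabled" branch would never match and every undercloud would be reported as "disabled ... using tripleo-ipa". Keep the accessor: `when: undercloud_enable_novajoin.value|bool` and `when: not undercloud_enable_novajoin.value|bool`. Since both branches now report `helper_status_ok` and the recommendations were removed, a comment such as `# informational only: both values are valid, novajoin off means tripleo-ipa is in use` above the first set_fact would make clear that dropping the former error status was deliberate.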