Merge "Add validation to check status of ipa server"
94ef73ad5d
|
@ -1,4 +1,7 @@
|
|||
---
|
||||
ipa_bin: ipa
|
||||
kinit_bin: kinit
|
||||
kdestroy_bin: kdestroy
|
||||
helper_status_ok: OK
|
||||
helper_status_error: ERROR
|
||||
helper_status_skipped: SKIPPED
|
||||
|
|
|
@ -17,10 +17,36 @@
|
|||
|
||||
- name: Converge
|
||||
hosts: all
|
||||
gather_facts: false
|
||||
|
||||
vars:
|
||||
ipa_bin: echo
|
||||
kinit_bin: echo
|
||||
kdestroy_bin: echo
|
||||
tls_everywhere_undercloud_fqdn: "undercloud.example.com"
|
||||
tasks:
|
||||
- name: Warn developers about the lack of molecule testing
|
||||
- name: Run ipa_server_check validation
|
||||
block:
|
||||
- name: run validation
|
||||
include_role:
|
||||
name: tls_everywhere
|
||||
tasks_from: ipa-server-check
|
||||
rescue:
|
||||
- name: clear errors
|
||||
meta: clear_host_errors
|
||||
|
||||
- name: check command outputs
|
||||
assert:
|
||||
that:
|
||||
- tls_everywhere_aci_check_kinit_output == "host/undercloud.example.com -k -t /etc/krb5.keytab"
|
||||
- tls_everywhere_aci_check_dns_record_show_output == "dnsrecord-show example.com freeipa-0"
|
||||
- tls_everywhere_aci_check_service_show_output == "service-show nova/undercloud.example.com --all --raw"
|
||||
- ipa_server_aci_check_kdestroy_output == "-A"
|
||||
- ipa_server_aci_check_failures|length == 1
|
||||
- '"Modify Realm Domains" in ipa_server_aci_check_failures[0]'
|
||||
|
||||
- name: End play
|
||||
meta: end_play
|
||||
|
||||
- name: Fail the test
|
||||
fail:
|
||||
msg: >-
|
||||
This role needs molecule tests!
|
||||
msg: |
|
||||
The ipa-server-check validation didn't fail as expected
|
||||
|
|
|
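Review bot: The stubbed `echo` binaries leave the DNS-ACI branch of the role untested: `dnsrecord-show` runs as `echo`, which writes nothing to stderr and exits 0, so the role's `'DNS zone not found' in dnsrecord_show.stderr` condition can never hold and the assertions under `check command outputs` only cover the `fail_2` ("Modify Realm Domains") path; the success path, where the role reports no failures, is not exercised either. A second scenario, or a small stub script used as `ipa_bin` that prints the expected stderr for `dnsrecord-show` and exits non-zero, would let the test assert `ipa_server_aci_check_failures|length == 2` and check both messages. Because the assertions compare only captured stdout, a role failure that happens before `set output for molecule testing` runs would surface here as an undefined-variable error on `tls_everywhere_aci_check_*` rather than the message in `msg: |`; a short comment on the `rescue:` explaining that the include is expected to fail would help the next reader.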
@ -0,0 +1,21 @@
|
|||
---
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
tasks:
|
||||
- name: create directory /etc/ipa
|
||||
file:
|
||||
path: /etc/ipa
|
||||
state: directory
|
||||
- name: create fake ipa default.conf
|
||||
copy:
|
||||
dest: /etc/ipa/default.conf
|
||||
mode: 0600
|
||||
content: |
|
||||
[global]
|
||||
basedn = dc=example,dc=com
|
||||
realm = EXAMPLE.COM
|
||||
domain = example.com
|
||||
server = freeipa-0.example.com
|
||||
host = undercloud-0.example.com
|
||||
xmlrpc_uri = https://freeipa-0.example.com/ipa/xml
|
||||
enable_ra = True
|
|
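Review bot: `mode: 0600` on the `create fake ipa default.conf` task is an unquoted octal: PyYAML reads it as the integer 384, which Ansible maps back to 0600 only because of the leading zero, so `mode: "0600"` would make the intent explicit and survive a reformatter that strips the zero. The `file` and `copy` tasks write under `/etc/ipa` without `become`, so the prepare play presumably relies on the molecule target running as root; either `become: true` or a one-line comment stating that assumption would stop it failing silently-for-the-wrong-reason on an unprivileged host.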
@ -0,0 +1,107 @@
|
|||
---
|
||||
# Copyright 2020 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# Changes have been - and possibly will be introduced in future - that
|
||||
# require changes in IPA permissions or ACLs. We do not have the permissions
|
||||
# to automatically make these changes, but we can include checks here to make
|
||||
# sure that they have occurred before attempting an overcloud or undercloud
|
||||
# update in a TLS-E environment. This playbook is supposed to fail with
|
||||
# an appropriate error message in case a requirement is not met.
|
||||
#
|
||||
# This playbook contains the following parameters
|
||||
# - tls_everywhere_check_dns_aci - which determines if we want to check
|
||||
# for the DNS ACI. This defaults to true.
|
||||
# - tls_everywhere_undercloud_fqdn - which defaults to ansible_fqdn
|
||||
|
||||
- name: check if undercloud is an ipa client
|
||||
stat:
|
||||
path: /etc/ipa/default.conf
|
||||
register: ipa_default_conf
|
||||
|
||||
- name: perform ipa_server tests
|
||||
when: ipa_default_conf.stat.exists
|
||||
vars:
|
||||
check_dns_aci: "{{ tls_everywhere_check_dns_aci | default(True)}}"
|
||||
undercloud_fqdn: "{{ tls_everywhere_undercloud_fqdn | default(ansible_fqdn) }}"
|
||||
ipa_server_aci_check_failures: []
|
||||
fail_1: >-
|
||||
The IPA server does not have the required ACI to allow host
|
||||
entities to view dns records. Please add the ACI.
|
||||
fail_2: >-
|
||||
The nova/{{undercloud_fqdn}} user does not have the
|
||||
"System: Modify Realm Domains" privilege. Please add this privilege for
|
||||
this user on the IPA server.
|
||||
block:
|
||||
- name: Get the ipa server hostname
|
||||
validations_read_ini:
|
||||
path: "/etc/ipa/default.conf"
|
||||
section: global
|
||||
key: server
|
||||
register: ipa_server_fqdn
|
||||
|
||||
- name: set dns zone and shortname
|
||||
set_fact:
|
||||
dns_zone: "{{ ipa_server_fqdn.value.split('.', 1)[1] }}"
|
||||
short_hostname: "{{ ipa_server_fqdn.value.split('.')[0] }}"
|
||||
|
||||
- name: kinit as the host entity
|
||||
command: "{{ kinit_bin }} host/{{ undercloud_fqdn }} -k -t /etc/krb5.keytab"
|
||||
register: kinit
|
||||
become: true
|
||||
changed_when: kinit.rc == 0
|
||||
|
||||
- name: check if ipa server has correct DNS ACI on host entries
|
||||
when: check_dns_aci
|
||||
block:
|
||||
- name: try to view the dns record for the ipa server
|
||||
become: true
|
||||
command: "{{ ipa_bin }} dnsrecord-show {{dns_zone}} {{short_hostname}}"
|
||||
register: dnsrecord_show
|
||||
ignore_errors: true
|
||||
|
||||
- name: add failure message when zone is not found
|
||||
set_fact:
|
||||
ipa_server_aci_check_failures: "{{ ipa_server_aci_check_failures + [fail_1] }}"
|
||||
when:
|
||||
"'DNS zone not found' in dnsrecord_show.stderr"
|
||||
|
||||
- name: check if nova service has the added permissions
|
||||
become: true
|
||||
command: "{{ ipa_bin}} service-show nova/{{ undercloud_fqdn }} --all --raw"
|
||||
register: service_show
|
||||
|
||||
- name: parse service data and fail if permission not present
|
||||
set_fact:
|
||||
ipa_server_aci_check_failures: "{{ ipa_server_aci_check_failures + [fail_2] }}"
|
||||
when:
|
||||
- "'memberof: cn=System: Modify Realm Domains' not in service_show.stdout"
|
||||
|
||||
- name: fail if failures detected
|
||||
fail:
|
||||
msg: "{{ ipa_server_aci_check_failures }}"
|
||||
when: 'ipa_server_aci_check_failures|length > 0'
|
||||
always:
|
||||
- name: clean up the keytab
|
||||
command: "{{ kdestroy_bin }} -A"
|
||||
register: kdestroy
|
||||
become: true
|
||||
|
||||
- name: set output for molecule testing
|
||||
set_fact:
|
||||
ipa_server_aci_check_kdestroy_output: "{{ kdestroy.stdout }}"
|
||||
tls_everywhere_aci_check_kinit_output: "{{ kinit.stdout }}"
|
||||
tls_everywhere_aci_check_dns_record_show_output: "{{ dnsrecord_show.stdout }}"
|
||||
tls_everywhere_aci_check_service_show_output: "{{ service_show.stdout }}"
|
||||
when: not ansible_check_mode
|
|
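Review bot: The `set output for molecule testing` task in `always:` reads `dnsrecord_show.stdout` and `service_show.stdout`, but `dnsrecord_show` is only registered inside the `when: check_dns_aci` block and `service_show` only if every earlier task succeeded, so with DNS checks disabled or after a failed `kinit` the cleanup task itself errors on an undefined variable instead of reporting the real failure; guard each lookup, e.g. `tls_everywhere_aci_check_dns_record_show_output: "{{ dnsrecord_show.stdout | default('') }}"`, and likewise for the other registered results. The `ignore_errors: true` on `try to view the dns record for the ipa server` also means any `dnsrecord-show` failure whose stderr does not contain `DNS zone not found` (for instance an access denial or an expired ticket) is silently treated as a pass; recording a failure whenever `dnsrecord_show.rc != 0` as well would keep the validation from succeeding vacuously. Note too that `kdestroy -A` removes every credential cache in root's collection, not just the ticket obtained by this play's `kinit`, so an operator's existing tickets on the undercloud are dropped as a side effect; pointing the kinit, ipa and kdestroy tasks at a private cache via `environment: KRB5CCNAME: ...` and destroying only that cache would avoid it (the molecule assertion on the kdestroy output would then need updating).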
@ -1 +0,0 @@
|
|||
---
|
|
@ -17,6 +17,7 @@
|
|||
- tripleo-validations-centos-8-molecule-repos
|
||||
- tripleo-validations-centos-8-molecule-stonith_exists
|
||||
- tripleo-validations-centos-8-molecule-system_encoding
|
||||
- tripleo-validations-centos-8-molecule-tls_everywhere
|
||||
- tripleo-validations-centos-8-molecule-undercloud_cpu
|
||||
- tripleo-validations-centos-8-molecule-undercloud_debug
|
||||
- tripleo-validations-centos-8-molecule-undercloud_disk_space
|
||||
|
@ -43,6 +44,7 @@
|
|||
- tripleo-validations-centos-8-molecule-repos
|
||||
- tripleo-validations-centos-8-molecule-stonith_exists
|
||||
- tripleo-validations-centos-8-molecule-system_encoding
|
||||
- tripleo-validations-centos-8-molecule-tls_everywhere
|
||||
- tripleo-validations-centos-8-molecule-undercloud_cpu
|
||||
- tripleo-validations-centos-8-molecule-undercloud_debug
|
||||
- tripleo-validations-centos-8-molecule-undercloud_disk_space
|
||||
|
@ -130,7 +132,7 @@
|
|||
parent: tripleo-validations-centos-8-base
|
||||
vars:
|
||||
tripleo_validations_role_name: tls_everywhere
|
||||
voting: false
|
||||
voting: true
|
||||
- job:
|
||||
files:
|
||||
- ^roles/undercloud_process_count/.*
|
||||
|
|