
Add validation to check status of ipa server

The latest changes to tls-e require certain permissions and ACIs
to be added to the IPA server in order to successfully add DNS entries
and to issue certs with IP SANs (for cinder A/A).

These changes cannot be automated as they require IPA admin or DS
credentials. This adds a validation to make sure the required
permissions and ACIs are present before starting an install.

Change-Id: I03575a5717456ad647cb10825b8d5646a55a6378
tags/12.5.0
Ade Lee 4 months ago
parent
commit
9a20e17344
6 changed files with 165 additions and 7 deletions
  1. +3
    -0
      roles/tls_everywhere/defaults/main.yml
  2. +31
    -5
      roles/tls_everywhere/molecule/default/converge.yml
  3. +21
    -0
      roles/tls_everywhere/molecule/default/prepare.yml
  4. +107
    -0
      roles/tls_everywhere/tasks/ipa-server-check.yaml
  5. +0
    -1
      roles/tls_everywhere/vars/main.yml
  6. +3
    -1
      zuul.d/molecule.yaml

+ 3
- 0
roles/tls_everywhere/defaults/main.yml View File

@@ -1,4 +1,7 @@
---
ipa_bin: ipa
kinit_bin: kinit
kdestroy_bin: kdestroy
helper_status_ok: OK
helper_status_error: ERROR
helper_status_skipped: SKIPPED


+ 31
- 5
roles/tls_everywhere/molecule/default/converge.yml View File

@@ -17,10 +17,36 @@

- name: Converge
hosts: all
gather_facts: false

vars:
ipa_bin: echo
kinit_bin: echo
kdestroy_bin: echo
tls_everywhere_undercloud_fqdn: "undercloud.example.com"
tasks:
- name: Warn developers about the lack of molecule testing
- name: Run ipa_server_check validation
block:
- name: run validation
include_role:
name: tls_everywhere
tasks_from: ipa-server-check
rescue:
- name: clear errors
meta: clear_host_errors

- name: check command outputs
assert:
that:
- tls_everywhere_aci_check_kinit_output == "host/undercloud.example.com -k -t /etc/krb5.keytab"
- tls_everywhere_aci_check_dns_record_show_output == "dnsrecord-show example.com freeipa-0"
- tls_everywhere_aci_check_service_show_output == "service-show nova/undercloud.example.com --all --raw"
- ipa_server_aci_check_kdestroy_output == "-A"
- ipa_server_aci_check_failures|length == 1
- '"Modify Realm Domains" in ipa_server_aci_check_failures[0]'

- name: End play
meta: end_play

- name: Fail the test
fail:
msg: >-
This role needs molecule tests!
msg: |
The ipa-server-check validation didn't fail as expected
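Review bot: The play runs with `gather_facts: false`, so the role's fallback `default(ansible_fqdn)` for the undercloud FQDN would be undefined here; the explicit `tls_everywhere_undercloud_fqdn: "undercloud.example.com"` is what makes the kinit assertion hold, and that dependency deserves a comment above the var, e.g. `# gather_facts is off, so the role cannot fall back to ansible_fqdn; set the FQDN explicitly`. Separately, the asserted facts mix two prefixes, `tls_everywhere_aci_check_*` and `ipa_server_aci_check_*`, for outputs produced by the same `set_fact` task in roles/tls_everywhere/tasks/ipa-server-check.yaml; settling on one prefix there and here would make the outputs greppable. The `end_play` after the asserts means the trailing `Fail the test` task only runs when the validation did not fail as expected, which is presumably the intent but is worth a one-line comment as well.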

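--- a/roles/tls_everywhere/molecule/default/prepare.yml
+++ b/roles/tls_everywhere/molecule/default/prepare.yml
@@ -0,0 +1,21 @@
+---
+- name: Prepare
+hosts: all
+tasks:
+- name: create directory /etc/ipa
+file:
+path: /etc/ipa
+state: directory
+- name: create fake ipa default.conf
+copy:
+dest: /etc/ipa/default.conf
+mode: 0600
+content: |
+[global]
+basedn = dc=example,dc=com
+realm = EXAMPLE.COM
+domain = example.com
+server = freeipa-0.example.com
+host = undercloud-0.example.com
+xmlrpc_uri = https://freeipa-0.example.com/ipa/xml
+enable_ra = True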
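Review bot: `mode: 0600` on the `create fake ipa default.conf` copy task is an unquoted leading-zero scalar; a YAML 1.1 parser reads it as the octal integer 384, and while Ansible's file modules do accept an integer mode, the value only means what the author intended because of that leading zero. Quoting it, `mode: "0600"`, keeps the intent explicit and survives reformatting by yamllint/Prettier-style tooling that may strip or retype numeric scalars. The rest of the fixture (a stub default.conf whose `server` value feeds the role's zone/shortname split) looks consistent with the converge assertions.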

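--- a/roles/tls_everywhere/tasks/ipa-server-check.yaml
+++ b/roles/tls_everywhere/tasks/ipa-server-check.yaml
@@ -0,0 +1,107 @@
+---
+# Copyright 2020 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Changes have been - and possibly will be introduced in future - that
+# require changes in IPA permissions or ACLs. We do not have the permissions
+# to automatically make these changes, but we can include checks here to make
+# sure that they have occurred before attempting an overcloud or undercloud
+# update in a TLS-E environment. This playbook is supposed to fail with
+# an appropriate error message in case a requirement is not met.
+#
+# This playbook contains the following parameters
+# - tls_everywhere_check_dns_aci - which determines if we want to check
+# for the DNS ACI. This defaults to true.
+# - tls_everywhere_undercloud_fqdn - which defaults to ansible_fqdn
+
+- name: check if undercloud is an ipa client
+stat:
+path: /etc/ipa/default.conf
+register: ipa_default_conf
+
+- name: perform ipa_server tests
+when: ipa_default_conf.stat.exists
+vars:
+check_dns_aci: "{{ tls_everywhere_check_dns_aci | default(True)}}"
+undercloud_fqdn: "{{ tls_everywhere_undercloud_fqdn | default(ansible_fqdn) }}"
+ipa_server_aci_check_failures: []
+fail_1: >-
+The IPA server does not have the required ACI to allow host
+entities to view dns records. Please add the ACI.
+fail_2: >-
+The nova/{{undercloud_fqdn}} user does not have the
+"System: Modify Realm Domains" privilege. Please add this privilege for
+this user on the IPA server.
+block:
+- name: Get the ipa server hostname
+validations_read_ini:
+path: "/etc/ipa/default.conf"
+section: global
+key: server
+register: ipa_server_fqdn
+
+- name: set dns zone and shortname
+set_fact:
+dns_zone: "{{ ipa_server_fqdn.value.split('.', 1)[1] }}"
+short_hostname: "{{ ipa_server_fqdn.value.split('.')[0] }}"
+
+- name: kinit as the host entity
+command: "{{ kinit_bin }} host/{{ undercloud_fqdn }} -k -t /etc/krb5.keytab"
+register: kinit
+become: true
+changed_when: kinit.rc == 0
+
+- name: check if ipa server has correct DNS ACI on host entries
+when: check_dns_aci
+block:
+- name: try to view the dns record for the ipa server
+become: true
+command: "{{ ipa_bin }} dnsrecord-show {{dns_zone}} {{short_hostname}}"
+register: dnsrecord_show
+ignore_errors: true
+
+- name: add failure message when zone is not found
+set_fact:
+ipa_server_aci_check_failures: "{{ ipa_server_aci_check_failures + [fail_1] }}"
+when:
+"'DNS zone not found' in dnsrecord_show.stderr"
+
+- name: check if nova service has the added permissions
+become: true
+command: "{{ ipa_bin}} service-show nova/{{ undercloud_fqdn }} --all --raw"
+register: service_show
+
+- name: parse service data and fail if permission not present
+set_fact:
+ipa_server_aci_check_failures: "{{ ipa_server_aci_check_failures + [fail_2] }}"
+when:
+- "'memberof: cn=System: Modify Realm Domains' not in service_show.stdout"
+
+- name: fail if failures detected
+fail:
+msg: "{{ ipa_server_aci_check_failures }}"
+when: 'ipa_server_aci_check_failures|length > 0'
+always:
+- name: clean up the keytab
+command: "{{ kdestroy_bin }} -A"
+register: kdestroy
+become: true
+
+- name: set output for molecule testing
+set_fact:
+ipa_server_aci_check_kdestroy_output: "{{ kdestroy.stdout }}"
+tls_everywhere_aci_check_kinit_output: "{{ kinit.stdout }}"
+tls_everywhere_aci_check_dns_record_show_output: "{{ dnsrecord_show.stdout }}"
+tls_everywhere_aci_check_service_show_output: "{{ service_show.stdout }}"
+when: not ansible_check_mode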
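Review bot: `ignore_errors: true` on the `try to view the dns record for the ipa server` task swallows every failure of `ipa dnsrecord-show`, while the following `set_fact` only records a failure when stderr contains `DNS zone not found`; any other error (expired ticket, unreachable server, a different error text) leaves `ipa_server_aci_check_failures` empty and the validation passes, which defeats its purpose as a pre-install gate. Replacing it with `failed_when: dnsrecord_show.rc != 0 and 'DNS zone not found' not in dnsrecord_show.stderr` keeps the expected ACI failure flowing into the failures list and fails closed on everything else. In the `always` section the `set output for molecule testing` task dereferences `dnsrecord_show.stdout` and `service_show.stdout` unconditionally; when `check_dns_aci` is false the DNS block is skipped and `dnsrecord_show` presumably carries no stdout, and when kinit fails `service_show` is never registered, so this task raises its own undefined-variable error that obscures the real failure — guard each output with a default, e.g. `tls_everywhere_aci_check_dns_record_show_output: "{{ dnsrecord_show.stdout | default('') }}"`. The `check_dns_aci` var is templated to the string `True` rather than a boolean; `check_dns_aci: "{{ tls_everywhere_check_dns_aci | default(true) | bool }}"` would make the block-level `when: check_dns_aci` unambiguous across Ansible versions.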

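--- a/roles/tls_everywhere/vars/main.yml
+++ b/roles/tls_everywhere/vars/main.yml
@@ -1 +0,0 @@
----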

+ 3
- 1
zuul.d/molecule.yaml View File

@@ -17,6 +17,7 @@
- tripleo-validations-centos-8-molecule-repos
- tripleo-validations-centos-8-molecule-stonith_exists
- tripleo-validations-centos-8-molecule-system_encoding
- tripleo-validations-centos-8-molecule-tls_everywhere
- tripleo-validations-centos-8-molecule-undercloud_cpu
- tripleo-validations-centos-8-molecule-undercloud_debug
- tripleo-validations-centos-8-molecule-undercloud_disk_space
@@ -43,6 +44,7 @@
- tripleo-validations-centos-8-molecule-repos
- tripleo-validations-centos-8-molecule-stonith_exists
- tripleo-validations-centos-8-molecule-system_encoding
- tripleo-validations-centos-8-molecule-tls_everywhere
- tripleo-validations-centos-8-molecule-undercloud_cpu
- tripleo-validations-centos-8-molecule-undercloud_debug
- tripleo-validations-centos-8-molecule-undercloud_disk_space
@@ -130,7 +132,7 @@
parent: tripleo-validations-centos-8-base
vars:
tripleo_validations_role_name: tls_everywhere
voting: false
voting: true
- job:
files:
- ^roles/undercloud_process_count/.*

