From ffe221f4de2bdd4ef791ebc3fe1a2162174d69d6 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Wed, 15 Jul 2020 16:10:28 -0400
Subject: [PATCH] Add validation to check status of ipa server

The latest changes to tls-e require certain permissions and ACIs to be added to the IPA server in order to successfully add DNS entries and to issue certs with IP SANs (for cinder A/A). These changes cannot be automated as they require IPA admin or DS credentials. This adds a validation to make sure the required permissions and ACLs are present before starting an install.
Change-Id: I03575a5717456ad647cb10825b8d5646a55a6378
(cherry picked from commit 9a20e173447043f70f7eb09afb207d084bc93558)
---
 roles/tls_everywhere/defaults/main.yml | 3 +
 .../molecule/default/converge.yml | 36 +++++-
 .../molecule/default/prepare.yml | 21 ++++
 .../tasks/ipa-server-check.yaml | 107 ++++++++++++++++++
 roles/tls_everywhere/vars/main.yml | 1 -
 zuul.d/molecule.yaml | 4 +-
 6 files changed, 165 insertions(+), 7 deletions(-)
 create mode 100644 roles/tls_everywhere/molecule/default/prepare.yml
 create mode 100644 roles/tls_everywhere/tasks/ipa-server-check.yaml
 delete mode 100644 roles/tls_everywhere/vars/main.yml

diff --git a/roles/tls_everywhere/defaults/main.yml b/roles/tls_everywhere/defaults/main.yml
index f6cbfdfb3..9552c0f88 100644
--- a/roles/tls_everywhere/defaults/main.yml
+++ b/roles/tls_everywhere/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+ipa_bin: ipa
+kinit_bin: kinit
+kdestroy_bin: kdestroy
 helper_status_ok: OK
 helper_status_error: ERROR
 helper_status_skipped: SKIPPED
diff --git a/roles/tls_everywhere/molecule/default/converge.yml b/roles/tls_everywhere/molecule/default/converge.yml
index 6c61a39a2..ce19905b3 100644
--- a/roles/tls_everywhere/molecule/default/converge.yml
+++ b/roles/tls_everywhere/molecule/default/converge.yml
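Review bot: The new `ipa_bin`, `kinit_bin` and `kdestroy_bin` defaults carry no comment, so a reader of defaults/main.yml cannot tell that they exist so the molecule scenario can substitute `echo` for the real binaries, nor that the role invokes them under `become: true`. A one-line comment above the three keys, e.g. `# Commands used by tasks/ipa-server-check.yaml; overridable so molecule can run with stubs`, would cover both points.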
@@ -17,10 +17,36 @@
 - name: Converge
   hosts: all
-  gather_facts: false
-
+  vars:
+    ipa_bin: echo
+    kinit_bin: echo
+    kdestroy_bin: echo
+    tls_everywhere_undercloud_fqdn: "undercloud.example.com"
   tasks:
-    - name: Warn developers about the lack of molecule testing
+    - name: Run ipa_server_check validation
+      block:
+        - name: run validation
+          include_role:
+            name: tls_everywhere
+            tasks_from: ipa-server-check
+      rescue:
+        - name: clear errors
+          meta: clear_host_errors
+
+        - name: check command outputs
+          assert:
+            that:
+              - tls_everywhere_aci_check_kinit_output == "host/undercloud.example.com -k -t /etc/krb5.keytab"
+              - tls_everywhere_aci_check_dns_record_show_output == "dnsrecord-show example.com freeipa-0"
+              - tls_everywhere_aci_check_service_show_output == "service-show nova/undercloud.example.com --all --raw"
+              - ipa_server_aci_check_kdestroy_output == "-A"
+              - ipa_server_aci_check_failures|length == 1
+              - '"Modify Realm Domains" in ipa_server_aci_check_failures[0]'
+
+        - name: End play
+          meta: end_play
+
+    - name: Fail the test
       fail:
-        msg: >-
-          This role needs molecule tests!
+        msg: |
+          The ipa-server-check validation didn't fail as expected
diff --git a/roles/tls_everywhere/molecule/default/prepare.yml b/roles/tls_everywhere/molecule/default/prepare.yml
new file mode 100644
index 000000000..0d5b12436
--- /dev/null
+++ b/roles/tls_everywhere/molecule/default/prepare.yml
@@ -0,0 +1,21 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: create directory /etc/ipa
+      file:
+        path: /etc/ipa
+        state: directory
+    - name: create fake ipa default.conf
+      copy:
+        dest: /etc/ipa/default.conf
+        mode: 0600
+        content: |
+          [global]
+          basedn = dc=example,dc=com
+          realm = EXAMPLE.COM
+          domain = example.com
+          server = freeipa-0.example.com
+          host = undercloud-0.example.com
+          xmlrpc_uri = https://freeipa-0.example.com/ipa/xml
+          enable_ra = True
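Review bot: `msg: |` on the new `Fail the test` task is a literal block holding a single line, so the message is emitted with a trailing newline; the `>-` form the hunk removes is the newline-stripped style used for the other messages in this change, so `msg: >-` would be the consistent choice. A second point is that the `rescue:` branch runs for any failure inside the included role, not only the intended `fail if failures detected` task, so an unrelated error (a missing module, a template error) surfaces here as an undefined-variable failure in `check command outputs` rather than as the original message. Since `include_role` cannot be registered, a comment such as `# Any failure in the role lands here; the asserts below then report undefined outputs` above `rescue:` would make that behaviour explicit for whoever debugs the job.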
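Review bot: `mode: 0600` on the `create fake ipa default.conf` task is an unquoted leading-zero literal, which YAML 1.1 parsers read as the integer 384; Ansible accepts that, but the quoted form `mode: "0600"` does not depend on that conversion and is what yamllint's `octal-values` check expects. The fixture also writes `host = undercloud-0.example.com` while converge.yml sets `tls_everywhere_undercloud_fqdn` to `undercloud.example.com`; the role only reads the `server` key, so this is harmless, but aligning the two values avoids a misleading hint when someone reads the fake config next to the asserted command strings.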
diff --git a/roles/tls_everywhere/tasks/ipa-server-check.yaml b/roles/tls_everywhere/tasks/ipa-server-check.yaml
new file mode 100644
index 000000000..b1cd0c701
--- /dev/null
+++ b/roles/tls_everywhere/tasks/ipa-server-check.yaml
@@ -0,0 +1,107 @@
+---
+# Copyright 2020 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Changes have been - and possibly will be introduced in future - that
+# require changes in IPA permissions or ACLs. We do not have the permissions
+# to automatically make these changes, but we can include checks here to make
+# sure that they have occurred before attempting an overcloud or undercloud
+# update in a TLS-E environment. This playbook is supposed to fail with
+# an appropriate error message in case a requirement is not met.
+#
+# This playbook contains the following parameters
+#   - tls_everywhere_check_dns_aci - which determines if we want to check
+#     for the DNS ACI. This defaults to true.
+#   - tls_everywhere_undercloud_fqdn - which defaults to ansible_fqdn
+
+- name: check if undercloud is an ipa client
+  stat:
+    path: /etc/ipa/default.conf
+  register: ipa_default_conf
+
+- name: perform ipa_server tests
+  when: ipa_default_conf.stat.exists
+  vars:
+    check_dns_aci: "{{ tls_everywhere_check_dns_aci | default(True)}}"
+    undercloud_fqdn: "{{ tls_everywhere_undercloud_fqdn | default(ansible_fqdn) }}"
+    ipa_server_aci_check_failures: []
+    fail_1: >-
+      The IPA server does not have the required ACI to allow host
+      entities to view dns records. Please add the ACI.
+    fail_2: >-
+      The nova/{{undercloud_fqdn}} user does not have the
+      "System: Modify Realm Domains" privilege. Please add this privilege for
+      this user on the IPA server.
+  block:
+    - name: Get the ipa server hostname
+      validations_read_ini:
+        path: "/etc/ipa/default.conf"
+        section: global
+        key: server
+      register: ipa_server_fqdn
+
+    - name: set dns zone and shortname
+      set_fact:
+        dns_zone: "{{ ipa_server_fqdn.value.split('.', 1)[1] }}"
+        short_hostname: "{{ ipa_server_fqdn.value.split('.')[0] }}"
+
+    - name: kinit as the host entity
+      command: "{{ kinit_bin }} host/{{ undercloud_fqdn }} -k -t /etc/krb5.keytab"
+      register: kinit
+      become: true
+      changed_when: kinit.rc == 0
+
+    - name: check if ipa server has correct DNS ACI on host entries
+      when: check_dns_aci
+      block:
+        - name: try to view the dns record for the ipa server
+          become: true
+          command: "{{ ipa_bin }} dnsrecord-show {{dns_zone}} {{short_hostname}}"
+          register: dnsrecord_show
+          ignore_errors: true
+
+        - name: add failure message when zone is not found
+          set_fact:
+            ipa_server_aci_check_failures: "{{ ipa_server_aci_check_failures + [fail_1] }}"
+          when:
+            "'DNS zone not found' in dnsrecord_show.stderr"
+
+    - name: check if nova service has the added permissions
+      become: true
+      command: "{{ ipa_bin}} service-show nova/{{ undercloud_fqdn }} --all --raw"
+      register: service_show
+
+    - name: parse service data and fail if permission not present
+      set_fact:
+        ipa_server_aci_check_failures: "{{ ipa_server_aci_check_failures + [fail_2] }}"
+      when:
+        - "'memberof: cn=System: Modify Realm Domains' not in service_show.stdout"
+
+    - name: fail if failures detected
+      fail:
+        msg: "{{ ipa_server_aci_check_failures }}"
+      when: 'ipa_server_aci_check_failures|length > 0'
+  always:
+    - name: clean up the keytab
+      command: "{{ kdestroy_bin }} -A"
+      register: kdestroy
+      become: true
+
+    - name: set output for molecule testing
+      set_fact:
+        ipa_server_aci_check_kdestroy_output: "{{ kdestroy.stdout }}"
+        tls_everywhere_aci_check_kinit_output: "{{ kinit.stdout }}"
+        tls_everywhere_aci_check_dns_record_show_output: "{{ dnsrecord_show.stdout }}"
+        tls_everywhere_aci_check_service_show_output: "{{ service_show.stdout }}"
+      when: not ansible_check_mode
diff --git a/roles/tls_everywhere/vars/main.yml b/roles/tls_everywhere/vars/main.yml
deleted file mode 100644
index ed97d539c..000000000
--- a/roles/tls_everywhere/vars/main.yml
+++ /dev/null
@@ -1 +0,0 @@
----
diff --git a/zuul.d/molecule.yaml b/zuul.d/molecule.yaml
index ad6ffafd9..599018ca4 100644
--- a/zuul.d/molecule.yaml
+++ b/zuul.d/molecule.yaml
@@ -15,6 +15,7 @@
         - tripleo-validations-centos-8-molecule-rabbitmq_limits
         - tripleo-validations-centos-8-molecule-repos
         - tripleo-validations-centos-8-molecule-stonith_exists
+        - tripleo-validations-centos-8-molecule-tls_everywhere
         - tripleo-validations-centos-8-molecule-undercloud_cpu
         - tripleo-validations-centos-8-molecule-undercloud_debug
         - tripleo-validations-centos-8-molecule-undercloud_disk_space
@@ -37,6 +38,7 @@
         - tripleo-validations-centos-8-molecule-rabbitmq_limits
         - tripleo-validations-centos-8-molecule-repos
         - tripleo-validations-centos-8-molecule-stonith_exists
+        - tripleo-validations-centos-8-molecule-tls_everywhere
         - tripleo-validations-centos-8-molecule-undercloud_cpu
         - tripleo-validations-centos-8-molecule-undercloud_debug
         - tripleo-validations-centos-8-molecule-undercloud_disk_space
@@ -124,7 +126,7 @@
     parent: tripleo-validations-centos-8-base
     vars:
       tripleo_validations_role_name: tls_everywhere
-    voting: false
+    voting: true
 - job:
     files:
       - ^roles/undercloud_process_count/.*
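Review bot: The `set output for molecule testing` task in the `always:` section dereferences `kinit.stdout`, `dnsrecord_show.stdout` and `service_show.stdout`, which are undefined whenever an earlier task in the block fails or when `check_dns_aci` is false, so the `always:` section itself errors with an undefined-variable message and hides the real failure the validation was meant to report; giving each value a `| default('')` (or moving the task out of `always:`) keeps the diagnostic intact. Separately, `try to view the dns record for the ipa server` uses `ignore_errors: true` but fail_1 is only recorded when stderr contains `DNS zone not found`, so any other non-zero exit (credential, network or permission error) is silently treated as a pass; at minimum add a second failure entry guarded by `dnsrecord_show.rc != 0`. Also, `kdestroy -A` under `become: true` discards every credential cache root holds, including any admin ticket an operator obtained before running the validation; pointing `KRB5CCNAME` at a dedicated cache through `environment:` on the `kinit`, `ipa` and `kdestroy` tasks would confine the cleanup to this validation's own ticket.
```yaml
  always:
    # … unchanged: clean up the keytab (kdestroy -A) …
    - name: set output for molecule testing
      set_fact:
        ipa_server_aci_check_kdestroy_output: "{{ kdestroy.stdout | default('') }}"
        tls_everywhere_aci_check_kinit_output: "{{ kinit.stdout | default('') }}"
        tls_everywhere_aci_check_dns_record_show_output: "{{ dnsrecord_show.stdout | default('') }}"
        tls_everywhere_aci_check_service_show_output: "{{ service_show.stdout | default('') }}"
      when: not ansible_check_mode
```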