Add validation to check status of ipa server
The latest changes to tls-e require certain permissions and ACIs
to be added to the IPA server in order to successfully add DNS entries
and to issue certs with IP SANs (for cinder A/A).
These changes cannot be automated as they require IPA admin or DS
credentials. This adds a validation to make sure the required
permissions and ACLs are present before starting an install.
Change-Id: I03575a5717456ad647cb10825b8d5646a55a6378
(cherry picked from commit 9a20e17344
)
This commit is contained in:
parent
d1f7935101
commit
ffe221f4de
|
@ -1,4 +1,7 @@
|
||||||
---
|
---
|
||||||
|
ipa_bin: ipa
|
||||||
|
kinit_bin: kinit
|
||||||
|
kdestroy_bin: kdestroy
|
||||||
helper_status_ok: OK
|
helper_status_ok: OK
|
||||||
helper_status_error: ERROR
|
helper_status_error: ERROR
|
||||||
helper_status_skipped: SKIPPED
|
helper_status_skipped: SKIPPED
|
||||||
|
|
|
@ -17,10 +17,36 @@
|
||||||
|
|
||||||
- name: Converge
|
- name: Converge
|
||||||
hosts: all
|
hosts: all
|
||||||
gather_facts: false
|
vars:
|
||||||
|
ipa_bin: echo
|
||||||
|
kinit_bin: echo
|
||||||
|
kdestroy_bin: echo
|
||||||
|
tls_everywhere_undercloud_fqdn: "undercloud.example.com"
|
||||||
tasks:
|
tasks:
|
||||||
- name: Warn developers about the lack of molecule testing
|
- name: Run ipa_server_check validation
|
||||||
|
block:
|
||||||
|
- name: run validation
|
||||||
|
include_role:
|
||||||
|
name: tls_everywhere
|
||||||
|
tasks_from: ipa-server-check
|
||||||
|
rescue:
|
||||||
|
- name: clear errors
|
||||||
|
meta: clear_host_errors
|
||||||
|
|
||||||
|
- name: check command outputs
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- tls_everywhere_aci_check_kinit_output == "host/undercloud.example.com -k -t /etc/krb5.keytab"
|
||||||
|
- tls_everywhere_aci_check_dns_record_show_output == "dnsrecord-show example.com freeipa-0"
|
||||||
|
- tls_everywhere_aci_check_service_show_output == "service-show nova/undercloud.example.com --all --raw"
|
||||||
|
- ipa_server_aci_check_kdestroy_output == "-A"
|
||||||
|
- ipa_server_aci_check_failures|length == 1
|
||||||
|
- '"Modify Realm Domains" in ipa_server_aci_check_failures[0]'
|
||||||
|
|
||||||
|
- name: End play
|
||||||
|
meta: end_play
|
||||||
|
|
||||||
|
- name: Fail the test
|
||||||
fail:
|
fail:
|
||||||
msg: >-
|
msg: |
|
||||||
This role needs molecule tests!
|
The ipa-server-check validation didn't fail as expected
|
||||||
|
|
|
@ -0,0 +1,21 @@
|
||||||
|
---
|
||||||
|
- name: Prepare
|
||||||
|
hosts: all
|
||||||
|
tasks:
|
||||||
|
- name: create directory /etc/ipa
|
||||||
|
file:
|
||||||
|
path: /etc/ipa
|
||||||
|
state: directory
|
||||||
|
- name: create fake ipa default.conf
|
||||||
|
copy:
|
||||||
|
dest: /etc/ipa/default.conf
|
||||||
|
mode: 0600
|
||||||
|
content: |
|
||||||
|
[global]
|
||||||
|
basedn = dc=example,dc=com
|
||||||
|
realm = EXAMPLE.COM
|
||||||
|
domain = example.com
|
||||||
|
server = freeipa-0.example.com
|
||||||
|
host = undercloud-0.example.com
|
||||||
|
xmlrpc_uri = https://freeipa-0.example.com/ipa/xml
|
||||||
|
enable_ra = True
|
|
@ -0,0 +1,107 @@
|
||||||
|
---
|
||||||
|
# Copyright 2020 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
#
|
||||||
|
# Changes have been - and possibly will be introduced in future - that
|
||||||
|
# require changes in IPA permissions or ACLs. We do not have the permissions
|
||||||
|
# to automatically make these changes, but we can include checks here to make
|
||||||
|
# sure that they have occurred before attempting an overcloud or undercloud
|
||||||
|
# update in a TLS-E environment. This playbook is supposed to fail with
|
||||||
|
# an appropriate error message in case a requirement is not met.
|
||||||
|
#
|
||||||
|
# This playbook contains the following parameters
|
||||||
|
# - tls_everywhere_check_dns_aci - which determines if we want to check
|
||||||
|
# for the DNS ACI. This defaults to true.
|
||||||
|
# - tls_everywhere_undercloud_fqdn - which defaults to ansible_fqdn
|
||||||
|
|
||||||
|
- name: check if undercloud is an ipa client
|
||||||
|
stat:
|
||||||
|
path: /etc/ipa/default.conf
|
||||||
|
register: ipa_default_conf
|
||||||
|
|
||||||
|
- name: perform ipa_server tests
|
||||||
|
when: ipa_default_conf.stat.exists
|
||||||
|
vars:
|
||||||
|
check_dns_aci: "{{ tls_everywhere_check_dns_aci | default(True)}}"
|
||||||
|
undercloud_fqdn: "{{ tls_everywhere_undercloud_fqdn | default(ansible_fqdn) }}"
|
||||||
|
ipa_server_aci_check_failures: []
|
||||||
|
fail_1: >-
|
||||||
|
The IPA server does not have the required ACI to allow host
|
||||||
|
entities to view dns records. Please add the ACI.
|
||||||
|
fail_2: >-
|
||||||
|
The nova/{{undercloud_fqdn}} user does not have the
|
||||||
|
"System: Modify Realm Domains" privilege. Please add this privilege for
|
||||||
|
this user on the IPA server.
|
||||||
|
block:
|
||||||
|
- name: Get the ipa server hostname
|
||||||
|
validations_read_ini:
|
||||||
|
path: "/etc/ipa/default.conf"
|
||||||
|
section: global
|
||||||
|
key: server
|
||||||
|
register: ipa_server_fqdn
|
||||||
|
|
||||||
|
- name: set dns zone and shortname
|
||||||
|
set_fact:
|
||||||
|
dns_zone: "{{ ipa_server_fqdn.value.split('.', 1)[1] }}"
|
||||||
|
short_hostname: "{{ ipa_server_fqdn.value.split('.')[0] }}"
|
||||||
|
|
||||||
|
- name: kinit as the host entity
|
||||||
|
command: "{{ kinit_bin }} host/{{ undercloud_fqdn }} -k -t /etc/krb5.keytab"
|
||||||
|
register: kinit
|
||||||
|
become: true
|
||||||
|
changed_when: kinit.rc == 0
|
||||||
|
|
||||||
|
- name: check if ipa server has correct DNS ACI on host entries
|
||||||
|
when: check_dns_aci
|
||||||
|
block:
|
||||||
|
- name: try to view the dns record for the ipa server
|
||||||
|
become: true
|
||||||
|
command: "{{ ipa_bin }} dnsrecord-show {{dns_zone}} {{short_hostname}}"
|
||||||
|
register: dnsrecord_show
|
||||||
|
ignore_errors: true
|
||||||
|
|
||||||
|
- name: add failure message when zone is not found
|
||||||
|
set_fact:
|
||||||
|
ipa_server_aci_check_failures: "{{ ipa_server_aci_check_failures + [fail_1] }}"
|
||||||
|
when:
|
||||||
|
"'DNS zone not found' in dnsrecord_show.stderr"
|
||||||
|
|
||||||
|
- name: check if nova service has the added permissions
|
||||||
|
become: true
|
||||||
|
command: "{{ ipa_bin}} service-show nova/{{ undercloud_fqdn }} --all --raw"
|
||||||
|
register: service_show
|
||||||
|
|
||||||
|
- name: parse service data and fail if permission not present
|
||||||
|
set_fact:
|
||||||
|
ipa_server_aci_check_failures: "{{ ipa_server_aci_check_failures + [fail_2] }}"
|
||||||
|
when:
|
||||||
|
- "'memberof: cn=System: Modify Realm Domains' not in service_show.stdout"
|
||||||
|
|
||||||
|
- name: fail if failures detected
|
||||||
|
fail:
|
||||||
|
msg: "{{ ipa_server_aci_check_failures }}"
|
||||||
|
when: 'ipa_server_aci_check_failures|length > 0'
|
||||||
|
always:
|
||||||
|
- name: clean up the keytab
|
||||||
|
command: "{{ kdestroy_bin }} -A"
|
||||||
|
register: kdestroy
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: set output for molecule testing
|
||||||
|
set_fact:
|
||||||
|
ipa_server_aci_check_kdestroy_output: "{{ kdestroy.stdout }}"
|
||||||
|
tls_everywhere_aci_check_kinit_output: "{{ kinit.stdout }}"
|
||||||
|
tls_everywhere_aci_check_dns_record_show_output: "{{ dnsrecord_show.stdout }}"
|
||||||
|
tls_everywhere_aci_check_service_show_output: "{{ service_show.stdout }}"
|
||||||
|
when: not ansible_check_mode
|
|
@ -1 +0,0 @@
|
||||||
---
|
|
|
@ -15,6 +15,7 @@
|
||||||
- tripleo-validations-centos-8-molecule-rabbitmq_limits
|
- tripleo-validations-centos-8-molecule-rabbitmq_limits
|
||||||
- tripleo-validations-centos-8-molecule-repos
|
- tripleo-validations-centos-8-molecule-repos
|
||||||
- tripleo-validations-centos-8-molecule-stonith_exists
|
- tripleo-validations-centos-8-molecule-stonith_exists
|
||||||
|
- tripleo-validations-centos-8-molecule-tls_everywhere
|
||||||
- tripleo-validations-centos-8-molecule-undercloud_cpu
|
- tripleo-validations-centos-8-molecule-undercloud_cpu
|
||||||
- tripleo-validations-centos-8-molecule-undercloud_debug
|
- tripleo-validations-centos-8-molecule-undercloud_debug
|
||||||
- tripleo-validations-centos-8-molecule-undercloud_disk_space
|
- tripleo-validations-centos-8-molecule-undercloud_disk_space
|
||||||
|
@ -37,6 +38,7 @@
|
||||||
- tripleo-validations-centos-8-molecule-rabbitmq_limits
|
- tripleo-validations-centos-8-molecule-rabbitmq_limits
|
||||||
- tripleo-validations-centos-8-molecule-repos
|
- tripleo-validations-centos-8-molecule-repos
|
||||||
- tripleo-validations-centos-8-molecule-stonith_exists
|
- tripleo-validations-centos-8-molecule-stonith_exists
|
||||||
|
- tripleo-validations-centos-8-molecule-tls_everywhere
|
||||||
- tripleo-validations-centos-8-molecule-undercloud_cpu
|
- tripleo-validations-centos-8-molecule-undercloud_cpu
|
||||||
- tripleo-validations-centos-8-molecule-undercloud_debug
|
- tripleo-validations-centos-8-molecule-undercloud_debug
|
||||||
- tripleo-validations-centos-8-molecule-undercloud_disk_space
|
- tripleo-validations-centos-8-molecule-undercloud_disk_space
|
||||||
|
@ -124,7 +126,7 @@
|
||||||
parent: tripleo-validations-centos-8-base
|
parent: tripleo-validations-centos-8-base
|
||||||
vars:
|
vars:
|
||||||
tripleo_validations_role_name: tls_everywhere
|
tripleo_validations_role_name: tls_everywhere
|
||||||
voting: false
|
voting: true
|
||||||
- job:
|
- job:
|
||||||
files:
|
files:
|
||||||
- ^roles/undercloud_process_count/.*
|
- ^roles/undercloud_process_count/.*
|
||||||
|
|
Loading…
Reference in New Issue