Merge "Replacing community.general ipa modules with ansible-freeipa" into stable/wallaby

This commit is contained in:
Zuul 2022-08-08 12:41:32 +00:00 committed by Gerrit Code Review
commit 0363416e47
8 changed files with 118 additions and 191 deletions


@ -5,6 +5,7 @@ collections:
- name: https://github.com/ansible-collections/community.general
type: git
version: main
- freeipa.ansible_freeipa
- ansible.posix
- ansible.netcommon
- openstack.cloud
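Review bot: The new `- freeipa.ansible_freeipa` entry has no version constraint, so each install resolves to whatever Galaxy currently publishes, while the module arguments introduced elsewhere in this commit (`a_ip_address`, `ptr_hostname`, `action: member`) only exist from particular collection versions. Pin it like a dependency rather than a name: `- name: freeipa.ansible_freeipa` followed by `version: "<version this change was tested against>"`. The community.general entry above it tracks `main` and has the same reproducibility problem, but that line predates this change.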

12
tox.ini

@ -23,9 +23,9 @@ whitelist_externals =
[testenv:molecule]
install_command = pip install {opts} {packages}
setenv =
ANSIBLE_FILTER_PLUGINS={toxinidir}/tripleo_ipa/ansible_plugins/filter
ANSIBLE_LIBRARY={toxinidir}/tripleo_ipa/roles.galaxy/config_template/library:{toxinidir}/tripleo_ipa/ansible_plugins/modules
ANSIBLE_ROLES_PATH={toxinidir}/tripleo_ipa/roles.galaxy:{toxinidir}/tripleo_ipa/roles
ANSIBLE_FILTER_PLUGINS=~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter:{toxinidir}/tripleo_ipa/ansible_plugins/filter
ANSIBLE_LIBRARY=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:{toxinidir}/tripleo_ipa/ansible_plugins/modules
ANSIBLE_ROLES_PATH=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:{toxinidir}/tripleo_ipa/roles
deps =
-r {toxinidir}/requirements.txt
-r {toxinidir}/molecule-requirements.txt
@ -47,9 +47,9 @@ commands =
[testenv:linters]
setenv =
ANSIBLE_FILTER_PLUGINS={toxinidir}/tripleo_ipa/ansible_plugins/filter
ANSIBLE_LIBRARY={toxinidir}/tripleo_ipa/roles.galaxy/config_template/library:{toxinidir}/tripleo_ipa/ansible_plugins/modules
ANSIBLE_ROLES_PATH={toxinidir}/tripleo_ipa/roles.galaxy:{toxinidir}/tripleo_ipa/roles
ANSIBLE_FILTER_PLUGINS=~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter:{toxinidir}/tripleo_ipa/ansible_plugins/filter
ANSIBLE_LIBRARY=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:{toxinidir}/tripleo_ipa/ansible_plugins/modules
ANSIBLE_ROLES_PATH=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:{toxinidir}/tripleo_ipa/roles
deps =
-r {toxinidir}/ansible-requirements.txt
-r {toxinidir}/test-requirements.txt
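Review bot: The ANSIBLE_FILTER_PLUGINS, ANSIBLE_LIBRARY and ANSIBLE_ROLES_PATH values that appear to be the new side list `~/.ansible/...` and `/usr/share/ansible/...` ahead of the in-tree `{toxinidir}/tripleo_ipa/...` entries, in both [testenv:molecule] and [testenv:linters]. Ansible searches these paths in order, so a stale or unrelated plugin or role in the developer's home directory silently shadows the repository copy and the molecule run stops exercising the tree it was invoked on. If the system-wide paths are needed to locate the installed collection's roles, put the repository entries first, e.g. `ANSIBLE_ROLES_PATH={toxinidir}/tripleo_ipa/roles:/usr/share/ansible/roles:/etc/ansible/roles`, and consider leaving the `~/.ansible` entries out of CI altogether.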


@ -42,70 +42,11 @@
ipa_principal: "{{ tripleo_ipa_principal | default(lookup('env', 'IPA_PRINCIPAL')) }}"
ipa_password: "{{ tripleo_ipa_password | default(lookup('env', 'IPA_PASSWORD')) }}"
- name: set keytab permissions facts
set_fact:
tripleo_ipa_perms:
- {name: 'Modify host password', right: "write", type: "host", attrs: "userpassword"}
- {name: 'Write host certificate', right: "write", type: "host", attrs: "usercertificate"}
- {name: 'Modify host userclass', right: "write", type: "host", attrs: "userclass"}
- {name: 'Modify service managedBy attribute', right: "write", type: "service", attrs: "managedby"}
tripleo_ipa_privilege_perms:
- 'System: add hosts'
- 'System: remove hosts'
- 'Modify host password'
- 'Modify host userclass'
- 'System: Modify hosts'
- 'Modify service managedBy attribute'
- 'System: Add krbPrincipalName to a Host'
- 'System: Add Services'
- 'System: Remove Services'
- 'Revoke certificate'
- 'System: manage host keytab'
- 'System: Manage host certificates'
- 'System: modify services'
- 'System: manage service keytab'
- 'System: read dns entries'
- 'System: remove dns entries'
- 'System: add dns entries'
- 'System: update dns entries'
- 'System: Modify Realm Domains'
- 'Retrieve Certificates from the CA'
# unfortunately we don't have ansible module yet to create perms
# TODO(d34dh0r53): we should be able to obtain a token via curl
# which will allow us to perform these operations without a kinit first.
- name: add nova host management permissions
shell: |
ipa permission-find "{{ item.name }}"
if [ $? -ne 0 ]; then
ipa permission-add "{{ item.name }}" --right "{{ item.right }}" \
--type "{{ item.type }}" --attrs "{{ item.attrs }}"
fi
loop: "{{ tripleo_ipa_perms|flatten(levels=1) }}"
# unfortunately we don't have ansible module yet to create privileges
- name: add nova host privilege
shell: |
ipa privilege-find 'Nova Host Management'
if [ $? -ne 0 ]; then
ipa privilege-add --desc='Nova Host Management' 'Nova Host Management'
fi
- name: add permissions to the nova host privilege
shell: |
ipa privilege-add-permission 'Nova Host Management' \
--permission "{{ item }}"
register: add_perm_command
failed_when:
- add_perm_command.rc !=0
- '"This entry is already a member" not in add_perm_command.stdout'
loop: "{{ tripleo_ipa_privilege_perms|flatten(levels=1) }}"
- name: add nova host manager role
ipa_role:
name: Nova Host Manager
description: Nova Host Manager
ipa_user: "{{ ipa_principal }}"
ipa_pass: "{{ ipa_password }}"
privilege:
- Nova Host Management
- name: set perms, privs, roles
include_role:
name: triple_ipa_setup
tasks_from: setup
apply:
environment:
IPA_USER: "{ ipa_principal }"
IPA_PASS: "{ ipa_password }"
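Review bot: The two environment values handed to the included role use single braces, `IPA_USER: "{ ipa_principal }"` and `IPA_PASS: "{ ipa_password }"`, so the role receives those literal strings instead of the principal and password resolved at the top of the hunk; they need to be `"{{ ipa_principal }}"` and `"{{ ipa_password }}"`. The role name `triple_ipa_setup` also differs from the `tripleo_ipa` spelling used throughout the repository — confirm the role directory really is named that way, since `include_role` fails at runtime otherwise. Passing the password through the process environment is the same exposure the removed `ipa_pass` module argument had; a comment noting that the included role expects these two variables (and that `no_log` covers its tasks) would help, if that is indeed how it consumes them.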


@ -43,17 +43,39 @@
record_type: "{{ 'A' if record_value| ansible.netcommon.ipv4 else 'AAAA' }}"
- name: add dns zone
ipa_dnszone:
zone_name: "{{ zone_name }}"
freeipa.ansible_freeipa.ipadnszone:
name: "{{ zone_name }}"
become: true
- name: add forward dns record
ipa_dnsrecord:
zone_name: "{{ zone_name }}"
record_name: "{{ record_name }}"
record_type: "{{ record_type }}"
record_value: "{{ record_value }}"
become: true
- name: Modify or add forward dns
block:
- name: try modifying forward dns record
freeipa.ansible_freeipa.ipadnsrecord:
zone_name: "{{ zone_name }}"
record_name: "{{ record_name }}"
record_type: "{{ record_type }}"
a_rec: "{{ record_value }}"
a_ip_address: ""
when: record_type == 'A'
become: true
- name: try modifying forward dns record
freeipa.ansible_freeipa.ipadnsrecord:
zone_name: "{{ zone_name }}"
record_name: "{{ record_name }}"
record_type: "{{ record_type }}"
aaaa_rec: "{{ record_value }}"
aaaa_ip_address: ""
when: record_type == 'AAAA'
become: true
rescue:
- name: add forward dns record
freeipa.ansible_freeipa.ipadnsrecord:
zone_name: "{{ zone_name }}"
record_name: "{{ record_name }}"
record_type: "{{ record_type }}"
record_value: "{{ record_value }}"
become: true
- name: get reverse record data
set_fact:
@ -72,23 +94,30 @@
when: record_type == 'AAAA'
- name: add reverse record dns zone
ipa_dnszone:
zone_name: "{{ reverse_record_zone }}"
freeipa.ansible_freeipa.ipadnszone:
name: "{{ reverse_record_zone }}"
register: reverse_zone_result
failed_when:
- "'zone' not in reverse_zone_result"
- "'already exists in DNS' not in reverse_zone_result.msg"
failed_when: reverse_zone_result.failed and 'already exists in DNS' not in reverse_zone_result.msg
become: true
- name: add reverse dns record
ipa_dnsrecord:
zone_name: "{{ reverse_record_zone }}"
record_name: "{{ reverse_record_name }}"
record_value: "{{ record_name }}.{{ zone_name }}."
record_type: "PTR"
register: reverse_record_result
failed_when:
- "'record' not in reverse_record_result"
- "'DNS zone not found' not in reverse_record_result.msg"
become: true
- name: Modify or add reverse dns record
block:
- name: try modifying reverse dns record
freeipa.ansible_freeipa.ipadnsrecord:
zone_name: "{{ reverse_record_zone }}"
record_name: "{{ reverse_record_name }}"
record_type: "PTR"
ptr_rec: "{{ record_name }}.{{ zone_name }}."
ptr_hostname: ""
become: true
rescue:
- name: add reverse dns record
freeipa.ansible_freeipa.ipadnsrecord:
zone_name: "{{ reverse_record_zone }}"
record_name: "{{ reverse_record_name }}"
record_type: "PTR"
record_value: "{{ record_name }}.{{ zone_name }}."
register: reverse_record_result
failed_when: reverse_zone_result.failed and 'already exists in DNS' not in reverse_zone_result.msg
become: true
when: zone_name is match("^(|.+\.)" + cloud_domain + "$")
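Review bot: The rescue task `add reverse dns record` registers `reverse_record_result`, but its `failed_when` evaluates `reverse_zone_result.failed and 'already exists in DNS' not in reverse_zone_result.msg` — the result of the earlier zone task — so a real failure of the PTR add is never reported and the outcome of the zone task decides this task's status. It should read `failed_when: reverse_record_result.failed and 'DNS zone not found' not in reverse_record_result.msg`, the condition the removed version tolerated, or whichever message the ansible-freeipa module returns for that case. Both new block/rescue pairs rely on the modify call failing when the record does not yet exist (presumably that is what `a_ip_address: ""`, `aaaa_ip_address: ""` and `ptr_hostname: ""` trigger), and the rescue will also run after an unrelated error such as an authentication failure; a one-line comment above each `block:` stating that intent would spare the next reader the guesswork.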


@ -44,43 +44,22 @@
when: enroll_base_server|bool
become: true
block:
- name: destroy the old keytab
command: "kdestroy -A"
- name: add new host with one-time password
freeipa.ansible_freeipa.ipahost:
name: "{{ base_server_fqdn }}"
random: true
force: true
state: present
register: ipa_host
failed_when: ipa_host.failed and "Password cannot be set on enrolled host" not in ipa_host.msg
- name: get a new keytab
command: "kinit -kt /etc/novajoin/krb5.keytab {{ principal }}"
- name: get host raw data and keytab info
command: "ipa host-show --raw --all {{ base_server_fqdn }}"
register: host_raw_data
changed_when: false
failed_when: false
- name: Print debug data
debug: var=host_raw_data
- name: confirm that host is not already registered with current keytab
when: '"has_keytab: TRUE" not in host_raw_data.stdout'
block:
- name: remove stale host if present
when: host_raw_data.rc == 0
ipa_host:
fqdn: "{{ base_server_fqdn }}"
state: absent
- name: add new host with random one-time password
ipa_host:
fqdn: "{{ base_server_fqdn }}"
random_password: true
force: true
register: ipa_host
- name: set otp as a host fact
set_fact:
ipa_host_otp: "{{ ipa_host.host.randompassword }}"
no_log: true
delegate_facts: true
delegate_to: "{{ tripleo_ipa_delegate_server }}"
- name: set otp as a host fact
set_fact:
ipa_host_otp: "{{ ipa_host.host.randompassword }}"
no_log: true
delegate_facts: true
delegate_to: "{{ tripleo_ipa_delegate_server }}"
when: "'host' in ipa_host"
- name: add required services
include: services.yml
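Review bot: The new `add new host with one-time password` task swallows any failure whose message contains `Password cannot be set on enrolled host` without saying why that is acceptable, whereas the removed tasks made the intent explicit by inspecting `has_keytab` and skipping an already-enrolled host. Matching a free-text server message is fragile across FreeIPA versions, so at least document the contract: `# An already-enrolled host keeps its keytab: ipahost refuses to set an OTP on it, and the following set_fact is skipped because ipa_host then has no 'host' key`. `random: true` presumably requests a fresh OTP from the server on every run, so the task is not idempotent and will report changed each time for an unenrolled host — worth a `changed_when` or a comment. Whether the kdestroy/kinit tasks around it survive on the new side cannot be recovered from this rendering.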


@ -31,28 +31,22 @@
service: "{{ item.1 }}"
- name: add sub_host
ipa_host:
freeipa.ansible_freeipa.ipahost:
fqdn: "{{ sub_host }}"
force: true
state: present
validate_certs: false
become: true
- name: add service
ipa_service:
freeipa.ansible_freeipa.ipaservice:
name: "{{ service }}/{{ sub_host }}"
force: true
state: present
validate_certs: false
become: true
register: my_service
- name: add host to managed_hosts if needed
when: base_server_fqdn not in my_service['host']['managedby_host']
ipa_service:
name: "{{ service }}/{{ sub_host }}"
force: true
state: present
hosts: "{{ my_service['host']['managedby_host'] + [ base_server_fqdn ] }}"
validate_certs: false
- name: add host to managed_hosts if needed (shell)
shell: |
ipa service-add-host --hosts "{{ base_server_fqdn }}" "{{ service }}"/"{{ sub_host }}"
register: service_add_out
failed_when: service_add_out.failed and 'This entry is already a member' not in service_add_out.stdout
become: true
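Review bot: The new `add host to managed_hosts if needed (shell)` task interpolates `base_server_fqdn`, `service` and `sub_host` directly into a shell command line; even though these are deployment variables, pass them through the quote filter — `ipa service-add-host --hosts {{ base_server_fqdn | quote }} {{ (service ~ '/' ~ sub_host) | quote }}` — so a value containing shell metacharacters cannot change the command. The task has no `changed_when`, so it reports a change on every run including when the 'already a member' path is taken, and that text is looked for in `stdout`; confirm the ipa CLI prints it there rather than on stderr for this subcommand. The `validate_certs: false` arguments on the `ipahost` and `ipaservice` tasks look like carry-overs from the community.general modules — if the ansible-freeipa modules do not accept that parameter the tasks fail argument validation, so verify against the collection version being installed.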


@ -24,33 +24,20 @@
nova_service: "nova/{{ undercloud_fqdn }}"
- name: add nova service
ipa_service:
freeipa.ansible_freeipa.ipaservice:
name: "{{ nova_service }}"
state: present
force: true
# TODO(dsedgmen): remove when community ipa modules are replaced with ansible-freeipa
# From looking at the ansible-freeipa modules they take into account exsisting
# services assigned to the role
# https://review.opendev.org/c/x/tripleo-ipa/+/771065
- name: get current list of services assigned role Nova Host Manager
ipa_role:
name: Nova Host Manager
register: services_roles
# TODO(dsedgmen): remove when community ipa modules are replaced with ansible-freeipa
# From looking at the ansible-freeipa modules they take into account exsisting
# services assigned to the role
# https://review.opendev.org/c/x/tripleo-ipa/+/771065
- name: create list of services for role
set_fact:
nova_service: "{{ [ nova_service ] + services_roles.role.member_service }}"
when: services_roles.role.member_service is defined
- name: add Nova Host Manager role
ipa_role:
freeipa.ansible_freeipa.iparole:
name: Nova Host Manager
description: Nova Host Manager
privilege:
- Nova Host Management
- name: add service to the Nova Host Manager role
freeipa.ansible_freeipa.iparole:
name: Nova Host Manager
service: "{{ nova_service }}"
action: member
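Review bot: The rationale in the removed TODO comments — that services already assigned to the role must be preserved — is no longer recorded anywhere, and the two consecutive `iparole` tasks look alike but, as I read ansible-freeipa's semantics, behave differently: the first, with `privilege:` and no `action`, declares the role's privilege list, while the second uses `action: member` to add `nova_service` without replacing existing members. Add a comment above the second task, e.g. `# action: member adds this service to the role without removing services assigned by other deployments`, so nobody later "simplifies" it into the first form. Whether `force: true` on the `ipaservice` task is still wanted (it presumably skips the DNS check for the service host) is worth confirming as well.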


@ -23,10 +23,10 @@
- name: set keytab permissions facts
set_fact:
novajoin_perms:
- {name: 'Modify host password', right: "write", type: "host", attrs: "userpassword"}
- {name: 'Write host certificate', right: "write", type: "host", attrs: "usercertificate"}
- {name: 'Modify host userclass', right: "write", type: "host", attrs: "userclass"}
- {name: 'Modify service managedBy attribute', right: "write", type: "service", attrs: "managedby"}
- {name: 'Modify host password', right: "write", type: "host", attrs: ["userpassword"]}
- {name: 'Write host certificate', right: "write", type: "host", attrs: ["usercertificate"]}
- {name: 'Modify host userclass', right: "write", type: "host", attrs: ["userclass"]}
- {name: 'Modify service managedBy attribute', right: "write", type: "service", attrs: ["managedby"]}
novajoin_privilege_perms:
- 'System: add hosts'
- 'System: remove hosts'
@ -49,36 +49,32 @@
- 'System: Modify Realm Domains'
- 'Retrieve Certificates from the CA'
# unfortunately we don't have ansible module yet to create perms
- name: add nova host management permissions
shell: |
ipa permission-find "{{ item.name }}"
if [ $? -ne 0 ]; then
ipa permission-add "{{ item.name }}" --right "{{ item.right }}" \
--type "{{ item.type }}" --attrs "{{ item.attrs }}"
fi
freeipa.ansible_freeipa.ipapermission:
name: "{{ item.name }}"
right: "{{ item.right }}"
object_type: "{{ item.type }}"
attrs: "{{ item.attrs }}"
loop: "{{ novajoin_perms|flatten(levels=1) }}"
# unfortunately we don't have ansible module yet to create privileges
- name: add Nova Host privilege
shell: |
ipa privilege-find 'Nova Host Management'
if [ $? -ne 0 ]; then
ipa privilege-add --desc='Nova Host Management' 'Nova Host Management'
fi
freeipa.ansible_freeipa.ipaprivilege:
name: Nova Host Management
description: Nova Host Management
- name: add permissions to the Nova Host privilege
shell: |
ipa privilege-add-permission 'Nova Host Management' \
--permission "{{ item }}"
freeipa.ansible_freeipa.ipaprivilege:
name: Nova Host Management
action: member
permission: "{{ item }}"
register: add_perm_command
failed_when:
- add_perm_command.rc !=0
- '"This entry is already a member" not in add_perm_command.stdout'
loop: "{{ novajoin_privilege_perms|flatten(levels=1) }}"
- add_perm_command.failed
- '"This entry is already a member" not in add_perm_command.msg'
loop: "{{ novajoin_privilege_perms }}"
- name: add Nova Host Manager role
ipa_role:
freeipa.ansible_freeipa.iparole:
name: Nova Host Manager
description: Nova Host Manager
privilege: