tripleo-ipa/tripleo_ipa/playbooks
Grzegorz Grasza e65f11baed Fix lint and molecule jobs after release of cryptography3.4
Molecule job fails with:

ModuleNotFoundError: No module named 'setuptools_rust'

This error appeared following the release of cryptography 3.4, which
now includes Rust code. It can be installed without Rust using a
Python wheel, but only with more recent pip than version 9.0.3
available as RPM on CentOS 8.

The cryptography bug report [1] recommends pip>=19.1.1

The new pip is not supported on Python 2 / CentOS 7, so this change
also upgrades to CentOS 8 images.

This change also upgrades and fixes the ansible-lint job dependencies
and configuration.

[1] https://github.com/pyca/cryptography/issues/5753

Change-Id: I923020e7ec1f2ecbd7089096f22dd92fb36254a5
2021-03-17 14:42:12 +01:00
README.md WIP: Namespace host_otp variable 2020-07-20 10:28:13 -05:00
cli-cleanup-ipa.yml Add a reasonable default incase certmonger user isn't set 2020-06-02 10:30:48 -05:00
ipa-server-create-principal.yaml Playbooks to configure IPA server for tripleo use 2020-06-09 10:36:42 -05:00
ipa-server-create-role.yaml Playbooks to configure IPA server for tripleo use 2020-06-09 10:36:42 -05:00
ipa-server-register-undercloud.yaml WIP: Namespace host_otp variable 2020-07-20 10:28:13 -05:00
undercloud-ipa-install.yaml Fix lint and molecule jobs after release of cryptography3.4 2021-03-17 14:42:12 +01:00

README.md

TLS-e IPA Server Configuration Roles

Included Playbooks

This directory includes three playbooks (ipa-server-*.yaml) used for the TripleO TLS-e (TLS everywhere) configuration of a FreeIPA server. The playbooks need to be run in the order that follows; however, certain playbooks only need to be run once per IPA server:


  1. ipa-server-create-role.yaml The purpose of this playbook is to create a role on the IPA server with the appropriate permissions and privileges to add and remove hosts, principals, services and DNS entries.

Currently this playbook must be executed on an IPA client host with an active Kerberos ticket.

This playbook only needs to be run once per IPA server.


  2. ipa-server-register-undercloud.yaml This playbook registers the undercloud host as an IPA client and provides a one-time password (OTP) to the operator for use in the undercloud configuration. The final output of a successful run of this playbook looks like this:
TASK [provide OTP generated by IPA server] ****************************
ok: [localhost] => {
    "msg": [
        "The OTP provided by the IPA server is 9Ok~JEz!ul;&Sf:V<FOi-+",
        "Please add the following to your undercloud.conf:",
        "ipa_otp = 9Ok~JEz!ul;&Sf:V<FOi-+"
    ]
}

If you're including this playbook from another Ansible playbook, you can fetch the one-time password from the tripleo_ipa_host_otp variable instead of reading it off the console. Note that the OTP is a credential and is printed in the play output, so treat any captured log of this run as sensitive.

This playbook does not require an active Kerberos ticket.

This playbook needs to be run once per OpenStack deployment.


  3. ipa-server-create-principal.yaml This playbook creates the nova user for the undercloud host registered with ipa-server-register-undercloud.yaml and adds it to the Nova Host Manager IPA role created by ipa-server-create-role.yaml.

This playbook does not require an active Kerberos ticket.

This playbook needs to be run once per OpenStack deployment.


Environment/Ansible variables

The playbooks currently require the following variables to be set. They can be provided either as environment variables or as Ansible variables, passed in a variables file or on the command line with the -e argument to the ansible-playbook command.

ENVIRONMENT variable / Ansible variable

  • tripleo_ipa_host is the host that Ansible will connect to for playbook execution; this is the host that needs to be an IPA client. Defaults to localhost. There is no environment-variable equivalent.
  • IPA_PRINCIPAL/tripleo_ipa_principal is the IPA username with the appropriate permissions and privileges to add roles and privileges. This value is required and has no default.
  • IPA_PASSWORD/tripleo_ipa_password is the password for IPA_PRINCIPAL. This value is required and has no default.
  • UNDERCLOUD_FQDN/tripleo_undercloud_fqdn is the fully qualified domain name of the undercloud host. This value is required and has no default.

Example environment variables

export IPA_PRINCIPAL=admin
export IPA_PASSWORD=password
export UNDERCLOUD_FQDN=undercloud.ooo.test

Example Ansible variables file (the password is stored in plain text here, so keep the file out of version control or encrypt it with ansible-vault)

---
tripleo_ipa_principal: admin
tripleo_ipa_password: password
tripleo_undercloud_fqdn: undercloud.ooo.test