a05078d292
With certmonger management moving to ansible, we lose the
"certmonger_user" service, hence the ansible inventory group.
We can therefore use the "allovercloud" group instead - it will clean
the OC nodes while preserving the undercloud node.
This patch also drops the "loop" that sets the "hosts_list" fact in favor
of a more efficient |map() filter.
Resolves: rhbz#2017849
Change-Id: Icd662f74fc40bb6c1b5e4e01a236e1994ca3cc83
(cherry picked from commit
Files changed:
cli-cleanup-ipa.yml
ipa-server-create-principal.yaml
ipa-server-create-role.yaml
ipa-server-register-undercloud.yaml
README.md
undercloud-ipa-install.yaml
TLS-e IPA Server Configuration Roles
Included Roles
This directory includes 3 playbooks (ipa-server-*.yaml) to be used for the TripleO TLS-e configuration of a FreeIPA server. The playbooks need to be run in the order that follows; note that certain playbooks only need to be run once per IPA server:
ipa-server-create-role.yaml
This playbook creates a role on the IPA server with the permissions and privileges needed to add and remove hosts, principals, services and DNS entries.
Currently this playbook must be executed on an IPA client host with an active Kerberos ticket (for example, one obtained with kinit).
This playbook only needs to be run once per IPA server.
ipa-server-register-undercloud.yaml
This playbook registers the undercloud host as an IPA client and provides a one-time password (OTP) to the operator for use in the undercloud configuration. The final output of a successful run looks like this:
TASK [provide OTP generated by IPA server] ****************************
ok: [localhost] => {
"msg": [
"The OTP provided by the IPA server is 9Ok~JEz!ul;&Sf:V<FOi-+",
"Please add the following to your undercloud.conf:",
"ipa_otp = 9Ok~JEz!ul;&Sf:V<FOi-+"
]
}
If you're including this playbook via another Ansible execution, you can fetch the one-time password via the tripleo_ipa_host_otp variable.
The OTP is a single-use enrollment secret. It is printed in the playbook output shown above and therefore ends up in any saved Ansible logs, so restrict access to those logs until the undercloud has completed its enrollment.
This playbook does not require an active Kerberos ticket.
This playbook needs to be run once per OpenStack deployment.
ipa-server-create-principal.yaml
This playbook creates the nova user for the undercloud host registered with ipa-server-register-undercloud.yaml and adds it to the Nova Host Manager IPA role created by ipa-server-create-role.yaml.
This playbook does not require an active Kerberos ticket.
This playbook needs to be run once per OpenStack deployment.
Environment/Ansible variables
The playbooks currently require the following variables to be set. These can either be environment variables or Ansible variables, passed either in a file or on the command line with the -e argument to the ansible-playbook command.
| ENVIRONMENT/ansible variable | Description |
|---|---|
| tripleo_ipa_host | The host Ansible connects to for playbook execution; this is the host that needs to be an IPA client. Defaults to localhost. |
| IPA_PRINCIPAL/tripleo_ipa_principal | The IPA username with the permissions and privileges needed to add roles and privileges. This value is required and has no default. |
| IPA_PASSWORD/tripleo_ipa_password | The password for IPA_PRINCIPAL. This value is required and has no default. |
| UNDERCLOUD_FQDN/tripleo_undercloud_fqdn | The fully qualified domain name of the undercloud host. This value is required and has no default. |
Example environment variables
export IPA_PRINCIPAL=admin
export IPA_PASSWORD=password
export UNDERCLOUD_FQDN=undercloud.ooo.test
Example Ansible variables file
---
tripleo_ipa_principal: admin
tripleo_ipa_password: password
tripleo_undercloud_fqdn: undercloud.ooo.test
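The following wrapper playbook is an added example, not code from the tripleo-ipa project, showing how the per-deployment playbooks above are chained in order and how the tripleo_ipa_host_otp variable can be consumed from another Ansible execution instead of copying the OTP into undercloud.conf by hand. It assumes the wrapper lives in the same directory as the ipa-server-*.yaml playbooks, that ipa-server-create-role.yaml has already been run once for this IPA server, that the imported plays run on the same host as the final play (so the tripleo_ipa_host_otp fact is visible there), and that ipa_otp belongs in the [DEFAULT] section of /home/stack/undercloud.conf; the file path and section are assumptions.

```yaml
# run-tlse-ipa.yml: added example wrapper, not part of tripleo-ipa.
# Assumes it sits next to the ipa-server-*.yaml playbooks and that
# ipa-server-create-role.yaml has already been run once per IPA server
# (it needs a Kerberos ticket, so it is deliberately not imported here).
---
# Step 1: enrol the undercloud as an IPA client and obtain the OTP.
# Runs on tripleo_ipa_host (default: localhost), which must be an IPA client.
- import_playbook: ipa-server-register-undercloud.yaml

# Step 2: create the nova principal for the undercloud and add it to the
# Nova Host Manager role created earlier by ipa-server-create-role.yaml.
- import_playbook: ipa-server-create-principal.yaml

# Step 3 (added): persist the OTP in undercloud.conf.
# Assumption: the imported plays ran on the same host as this play, so the
# tripleo_ipa_host_otp fact exported by the register playbook is visible here.
- name: Persist the IPA OTP in undercloud.conf
  hosts: "{{ tripleo_ipa_host | default('localhost') }}"
  gather_facts: false
  tasks:
    - name: Fail early if the register playbook did not export the OTP
      ansible.builtin.assert:
        that:
          - tripleo_ipa_host_otp is defined
          - tripleo_ipa_host_otp | length > 0
        fail_msg: "tripleo_ipa_host_otp is not set; did ipa-server-register-undercloud.yaml run on this host?"

    - name: Set ipa_otp in undercloud.conf
      community.general.ini_file:
        path: /home/stack/undercloud.conf   # assumed location of undercloud.conf
        section: DEFAULT                    # assumed section for ipa_otp
        option: ipa_otp
        value: "{{ tripleo_ipa_host_otp }}"
        mode: "0600"
      no_log: true   # keep the enrollment secret out of the Ansible log
```

Run it with the required variables supplied from a vaulted file rather than on the command line, for example `ansible-vault encrypt vars.yml` followed by `ansible-playbook --ask-vault-pass -e @vars.yml run-tlse-ipa.yml`: a password passed with `-e tripleo_ipa_password=...` is visible in the process list and in shell history, whereas a vaulted file keeps tripleo_ipa_password encrypted at rest. The no_log setting on the last task matters for the same reason; without it the OTP would be echoed a second time in the task output.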