ipa-standalone-victoria-master
34 removals
189 lines
70 additions
224 lines
heat_template_version: rocky
heat_template_version: wallaby
description: Add services and subhosts to IPA server
description: Add services and subhosts to IPA server
parameters:
parameters:
RoleNetIpMap:
RoleNetIpMap:
default: {}
default: {}
type: json
type: json
ServiceData:
ServiceData:
default: {}
default: {}
description: Dictionary packing service data
description: Dictionary packing service data
type: json
type: json
ServiceNetMap:
ServiceNetMap:
default: {}
default: {}
description: Mapping of service_name -> network name. Typically set
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
mapping overrides those in ServiceNetMapDefaults.
type: json
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
RoleName:
default: ''
default: ''
description: Role name on which the service is applied
description: Role name on which the service is applied
type: string
type: string
RoleParameters:
RoleParameters:
default: {}
default: {}
description: Parameters specific to the role
description: Parameters specific to the role
type: json
type: json
EndpointMap:
EndpointMap:
default: {}
default: {}
description: Mapping of service endpoint -> protocol. Typically set
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
via parameter_defaults in the resource registry.
type: json
type: json
PythonInterpreter:
PythonInterpreter:
type: string
type: string
description: The python interpreter to use for python and ansible actions
description: The python interpreter to use for python and ansible actions
default: "$(command -v python3 || command -v python)"
default: "$(command -v python3 || command -v python)"
IdMDomain:
IdMDomain:
default: ''
default: ''
description: IDM domain to register IDM client. Typically, this is discovered
description: IDM domain to register IDM client. Typically, this is discovered
through DNS and does not have to be set explicitly.
through DNS and does not have to be set explicitly.
type: string
type: string
IdMServer:
IdMServer:
default: ''
default: ''
description: FQDN for the FreeIPA server. If you set this value, IdMDomain
description: FQDN for the FreeIPA server. If you set this value, IdMDomain
also has to be provided. Typically, this is discovered
also has to be provided. Typically, this is discovered
through DNS and does not have to be set explicitly.
through DNS and does not have to be set explicitly.
type: string
type: string
IdMNovaKeytab:
IdMNovaKeytab:
default: 'FILE:/etc/novajoin/krb5.keytab'
default: 'FILE:/etc/novajoin/krb5.keytab'
description: keytab for the nova/[host fqdn] user on the FreeIPA server.
description: keytab for the nova/[host fqdn] user on the FreeIPA server.
type: string
type: string
MakeHomeDir:
MakeHomeDir:
type: boolean
type: boolean
description: Configure PAM to create a users home directory if it does not exist.
description: Configure PAM to create a users home directory if it does not exist.
default: False
default: False
IdMNoNtpSetup:
IdMNoNtpSetup:
default: False
default: False
description: Set to true to add --no-ntp to the IDM client install call.
description: Set to true to add --no-ntp to the IDM client install call.
This will cause IDM client install not to set up NTP.
This will cause IDM client install not to set up NTP.
type: boolean
type: boolean
IdMEnrollBaseServer:
IdMEnrollBaseServer:
default: True
default: True
description: Set to true to enroll the base server (computes, controllers)
description: Set to true to enroll the base server (computes, controllers)
type: boolean
type: boolean
IdMInstallClientPackages:
IdMInstallClientPackages:
default: False
default: False
description: Set to True to have ansible-freeipa install ipa client packages
description: Set to True to have ansible-freeipa install ipa client packages
on the overcloud node.
on the overcloud node.
type: boolean
type: boolean
IdMModifyDNS:
IdMModifyDNS:
default: True
default: True
description: Set to false to disable DNS records manipulation in the FreeIPA server.
description: Set to false to disable DNS records manipulation in the FreeIPA server.
type: boolean
type: boolean
IdMZoneSplitIPv4:
IdMZoneSplitIPv4:
default: 1
default: 1
description: The level by which the PTR DNS record is split when creating zones.
description: The level by which the PTR DNS record is split when creating zones.
type: string
type: string
IdMZoneSplitIPv6:
IdMZoneSplitIPv6:
default: 1
default: 1
description: The level by which the PTR DNS record is split when creating zones.
description: The level by which the PTR DNS record is split when creating zones.
type: string
type: string
conditions:
conditions:
idm_server_provided:
idm_server_provided:
not:
not:
equals: [{get_param: IdMServer}, ""]
equals: [{get_param: IdMServer}, ""]
outputs:
outputs:
role_data:
role_data:
description: Role data for the ipaservice service
description: Role data for the ipaservice service
value:
value:
service_name: ipaservice
service_name: ipaservice
upgrade_tasks: []
upgrade_tasks: []
step_config: ''
step_config: ''
external_deploy_tasks:
external_deploy_tasks:
- name: add the ipa services for this node in step 1
- name: add the ipa services for this node in step 1
when: step|int == 1
when: step|int == 1
block:
block:
- include_role:
- include_role:
name: tripleo_ipa_registration
name: tripleo_ipa_registration
vars:
vars:
tripleo_ipa_enroll_base_server: {get_param: IdMEnrollBaseServer}
tripleo_ipa_enroll_base_server: {get_param: IdMEnrollBaseServer}
tripleo_ipa_delegate_server: "{{ item }}"
tripleo_ipa_delegate_server: "{{ item }}"
tripleo_ipa_base_server_fqdn: "{{ hostvars[item]['fqdn_canonical'] }}"
tripleo_ipa_base_server_fqdn: "{{ hostvars[item]['fqdn_canonical'] }}"
tripleo_ipa_server_metadata: "{{ hostvars[item]['service_metadata_settings'] | to_json }}"
tripleo_ipa_server_metadata: "{{ hostvars[item]['service_metadata_settings'] | to_json }}"
loop: "{{ groups.certmonger_user }}"
loop: "{{ groups.ipaservice }}"
- include_role:
- include_role:
name: tripleo_ipa_dns
name: tripleo_ipa_dns
vars:
vars:
tripleo_ipa_ptr_zone_split_ipv4: {get_param: IdMZoneSplitIPv4}
tripleo_ipa_ptr_zone_split_ipv4: {get_param: IdMZoneSplitIPv4}
tripleo_ipa_ptr_zone_split_ipv6: {get_param: IdMZoneSplitIPv6}
tripleo_ipa_ptr_zone_split_ipv6: {get_param: IdMZoneSplitIPv6}
when: {get_param: IdMModifyDNS}
when: {get_param: IdMModifyDNS}
environment:
environment:
if:
if:
- idm_server_provided
- idm_server_provided
- IPA_HOST: {get_param: IdMServer}
- IPA_HOST: {get_param: IdMServer}
IPA_USER: "nova/{{ ansible_facts['fqdn'] }}"
IPA_USER: "nova/{{ ansible_facts['fqdn'] }}"
KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
- IPA_USER: "nova/{{ ansible_facts['fqdn'] }}"
- IPA_USER: "nova/{{ ansible_facts['fqdn'] }}"
KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
deploy_steps_tasks:
- name: enroll the node as an ipa client
- name: enroll the node as an ipa client
#NOTE(xek): this is moved to external_deploy_tasks to make sure this happens before certificates are requested from certmonger
when: step|int == 1
when: step|int == 1
vars:
vars:
map_merge:
ipaclient_install_packages: {get_param: IdMInstallClientPackages}
-
idm_enroll_base_server: {get_param: IdMEnrollBaseServer}
state: present
ipaclient_otp: "{{ ipa_host_otp }}"
idm_enroll_base_server: {get_param: IdMEnrollBaseServer}
ipaclient_mkhomedir: {get_param: MakeHomeDir}
ipaclient_no_ntp: {get_param: IdMNoNtpSetup}
ipaclient_force: yes
ipaclient_hostname: "{{ fqdn_canonical }}"
ipaclient_install_packages: {get_param: IdMInstallClientPackages}
ipaclients:
- "{{ inventory_hostname }}"
-
if:
- idm_server_provided
- ipaclient_servers: {get_param: IdMServer}
ipaclient_domain: {get_param: IdMDomain}
- {}
block:
block:
- name: check if default.conf exists
- name: check if default.conf exists
delegate_to: "{{ item }}"
stat:
stat:
path: /etc/ipa/default.conf
path: /etc/ipa/default.conf
register: ipa_conf_exists
register: ipa_conf_exists
loop: "{{ groups.ipaservice }}"
- name: install openssl-perl
- name: install openssl-perl
delegate_to: "{{ item }}"
become: true
package:
package:
name: openssl-perl
name: openssl-perl
state: present
state: present
loop: "{{ groups.ipaservice }}"
when:
when:
- ipaclient_install_packages|bool
- ipaclient_install_packages|bool
- block:
- name: register as an ipa client
- name: register as an ipa client
include_role:
import_role:
name: ipaclient
name: ipaclient
apply:
- name: restart certmonger service
delegate_to: "{{ outer_item.0 }}"
systemd:
become: true
state: restarted
vars:
daemon_reload: true
map_merge:
name: certmonger.service
-
state: present
ipaclient_otp: "{{ hostvars[outer_item.0]['ipa_host_otp'] }}"
ipaclient_mkhomedir: {get_param: MakeHomeDir}
ipaclient_no_ntp: {get_param: IdMNoNtpSetup}
ipaclient_force: yes
ipaclient_hostname: "{{ hostvars[outer_item.0]['fqdn_canonical'] }}"
ipaclients:
- "{{ outer_item.0 }}"
#NOTE(xek): The following is a workaround till ipaclient is fixed to use ansible_facts
# see: https://github.com/freeipa/ansible-freeipa/pull/517
ansible_distribution: "{{ ansible_facts['distribution'] }}"
ansible_distribution_major_version: "{{ ansible_facts['distribution_major_version'] }}"
ansible_distribution_release: "{{ ansible_facts['distribution_release'] }}"
ansible_distribution_version: "{{ ansible_facts['distribution_version'] }}"
ansible_os_family: "{{ ansible_facts['os_family'] }}"
-
if:
- idm_server_provided
- ipaclient_servers: {get_param: IdMServer}
ipaclient_domain: {get_param: IdMDomain}
- {}
when:
when:
- idm_enroll_base_server|bool
- idm_enroll_base_server|bool
- not ipa_conf_exists.stat.exists
- not outer_item.1.stat.exists
loop: "{{ groups.ipaservice|zip(ipa_conf_exists.results)|list }}"
loop_control:
loop_var: outer_item
- name: restart certmonger service
delegate_to: "{{ item.0 }}"
become: true
systemd:
state: restarted
daemon_reload: true
name: certmonger.service
when:
- idm_enroll_base_server|bool
- not item.1.stat.exists
loop: "{{ groups.ipaservice|zip(ipa_conf_exists.results)|list }}"
- name: set discovered ipa realm
delegate_to: "{{ item }}"
delegate_facts: true
set_fact:
idm_realm:
str_replace:
template:
"{{ lookup('ini', 'realm default=DEFAULT section=global file=/etc/ipa/default.conf')}}"
params:
DEFAULT:
yaql:
expression: $.data.toUpper()
data: {get_param: IdMDomain}
loop: "{{ groups.ipaservice }}"
scale_tasks:
scale_tasks:
- when: step|int == 1
- when: step|int == 1
tags: down
tags: down
block:
block:
- name: unregister node from ipa server
- name: unregister node from ipa server
import_role:
import_role:
name: tripleo_ipa_cleanup
name: tripleo_ipa_cleanup
delegate_to: undercloud
delegate_to: undercloud
vars:
vars:
tripleo_ipa_keytab: {get_param: IdMNovaKeytab}
tripleo_ipa_keytab: {get_param: IdMNovaKeytab}
tripleo_ipa_hosts_to_delete:
tripleo_ipa_hosts_to_delete:
- "{{ fqdn_canonical }}"
- "{{ fqdn_canonical }}"
external_upgrade_tasks:
external_upgrade_tasks:
- when: step|int == 1
- when: step|int == 1
block:
block:
- name: check if ipa server has required permissions
- name: check if ipa server has required permissions
import_role:
import_role:
name: tls_everywhere
name: tls_everywhere
tasks_from: ipa-server-check
tasks_from: ipa-server-check
tags:
tags:
- opendev-validation
- opendev-validation
- opendev-validation-tls-everywhere
- opendev-validation-tls-everywhere
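Review bot: The `set discovered ipa realm` task (end of the enrollment block in external_deploy_tasks) reads the realm with `lookup('ini', ... file=/etc/ipa/default.conf)`, but lookup plugins always evaluate on the control node, so `delegate_to` does not make it read the delegated host's file; with `delegate_facts: true` every ipaservice host receives an `idm_realm` taken from the undercloud's own default.conf (falling back to the upper-cased IdMDomain via the `str_replace` default). If that is the intended source, a comment such as `# lookup() runs on the control node: realm comes from the undercloud's /etc/ipa/default.conf, not from the delegated host` would stop the next reader from assuming per-host discovery; if per-host discovery was meant, the file has to be read on the host (e.g. a delegated `slurp`) and parsed in a following task. The +/- markers are lost on this page, so which of `include_role`/`import_role` and the `- block:` wrapper belongs to the new side is inferred rather than certain. Two smaller points in the same block: `ipaclient_force: yes` should be written `ipaclient_force: true` (yamllint truthy rule; Ansible reads both as a boolean), and the two `groups.ipaservice|zip(ipa_conf_exists.results)|list` loops couple two list orderings where each registered result already carries its host in `.item`, so looping over `ipa_conf_exists.results` alone and using `outer_item.item` / `item.item` would drop the positional dependency.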