Merge "Add new composable service for IpaClient" into stable/train
This commit is contained in:
commit
97bc46c444
|
@ -0,0 +1,122 @@
|
|||
heat_template_version: rocky
|
||||
|
||||
description: Add services and subhosts to IPA server
|
||||
|
||||
parameters:
|
||||
RoleNetIpMap:
|
||||
default: {}
|
||||
type: json
|
||||
ServiceData:
|
||||
default: {}
|
||||
description: Dictionary packing service data
|
||||
type: json
|
||||
ServiceNetMap:
|
||||
default: {}
|
||||
description: Mapping of service_name -> network name. Typically set
|
||||
via parameter_defaults in the resource registry. This
|
||||
mapping overrides those in ServiceNetMapDefaults.
|
||||
type: json
|
||||
DefaultPasswords:
|
||||
default: {}
|
||||
type: json
|
||||
RoleName:
|
||||
default: ''
|
||||
description: Role name on which the service is applied
|
||||
type: string
|
||||
RoleParameters:
|
||||
default: {}
|
||||
description: Parameters specific to the role
|
||||
type: json
|
||||
EndpointMap:
|
||||
default: {}
|
||||
description: Mapping of service endpoint -> protocol. Typically set
|
||||
via parameter_defaults in the resource registry.
|
||||
type: json
|
||||
PythonInterpreter:
|
||||
type: string
|
||||
description: The python interpreter to use for python and ansible actions
|
||||
default: "/usr/bin/python"
|
||||
IdMDomain:
|
||||
default: ''
|
||||
description: IDM domain to register IDM client. Typically, this is discovered
|
||||
through DNS and does not have to be set explicitly.
|
||||
type: string
|
||||
IdMServer:
|
||||
default: ''
|
||||
description: FQDN for the FreeIPA server. Typically, this is discovered
|
||||
through DNS and does not have to set explicitly.
|
||||
type: string
|
||||
IdMNovaKeytab:
|
||||
default: 'FILE:/etc/novajoin/krb5.keytab'
|
||||
description: keytab for the nova/[host fqdn] user on the FreeIPA server.
|
||||
type: string
|
||||
MakeHomeDir:
|
||||
type: boolean
|
||||
description: Configure PAM to create a users home directory if it does not exist.
|
||||
default: False
|
||||
IdMNoNtpSetup:
|
||||
default: False
|
||||
description: Set to true to add --no-ntp to the IDM client install call.
|
||||
This will cause IDM client install not to set up NTP.
|
||||
type: boolean
|
||||
IdMEnrollBaseServer:
|
||||
default: True
|
||||
description: Set to true to enroll the base server (computes, controllers)
|
||||
type: boolean
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the ipaservice service
|
||||
value:
|
||||
service_name: ipaservice
|
||||
upgrade_tasks: []
|
||||
step_config: ''
|
||||
external_deploy_tasks:
|
||||
- name: add the ipa services for this node in step 1
|
||||
when: step|int == 1
|
||||
block:
|
||||
- include_role:
|
||||
name: tripleo_ipa_registration
|
||||
apply:
|
||||
environment:
|
||||
IPA_USER: "nova/{{ ansible_fqdn }}"
|
||||
IPA_HOST: {get_param: IdMServer}
|
||||
KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
|
||||
vars:
|
||||
tripleo_ipa_enroll_base_server: {get_param: IdMEnrollBaseServer}
|
||||
tripleo_ipa_delegate_server: "{{ item }}"
|
||||
tripleo_ipa_base_server_fqdn: "{{hostvars[item]['fqdn_canonical']}}"
|
||||
tripleo_ipa_server_metadata: "{{hostvars[item]['service_metadata_settings'] | to_json }}"
|
||||
loop: "{{ groups.certmonger_user }}"
|
||||
deploy_steps_tasks:
|
||||
- name: enroll the node as an ipa client
|
||||
when: step|int == 1
|
||||
vars:
|
||||
state: present
|
||||
ipaclient_otp: "{{ ipa_host_otp }}"
|
||||
idm_enroll_base_server: {get_param: IdMEnrollBaseServer}
|
||||
ipaclient_mkhomedir: {get_param: MakeHomeDir}
|
||||
ipaclient_domain: {get_param: IdMDomain}
|
||||
ipaclient_no_ntp: {get_param: IdMNoNtpSetup}
|
||||
ipaclient_force: yes
|
||||
ipaclient_servers: {get_param: IdMServer}
|
||||
ipaclient_hostname: "{{ fqdn_canonical }}"
|
||||
ipaclients:
|
||||
- "{{ inventory_hostname }}"
|
||||
block:
|
||||
- name: check if default.conf exists
|
||||
stat:
|
||||
path: /etc/ipa/default.conf
|
||||
register: ipa_conf_exists
|
||||
- block:
|
||||
- name: register as an ipa client
|
||||
import_role:
|
||||
name: ipaclient
|
||||
- name: restart certmonger service
|
||||
systemd:
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
name: certmonger.service
|
||||
when:
|
||||
- idm_enroll_base_server|bool
|
||||
- not ipa_conf_exists.stat.exists
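Review bot: `ipaclient_force: yes` in the deploy_steps_tasks vars uses the YAML 1.1 truthy spelling, and the parameter defaults `default: False` / `default: True` use Python-style capitalisation, while the same file writes `daemon_reload: true`; the canonical lowercase form should be used throughout (`ipaclient_force: true`, `default: false`, `default: true`) so the values read the same under a 1.1 and a 1.2 parser. Separately, `ipaclient_otp: "{{ ipa_host_otp }}"` is an enrollment secret that lands in task vars and therefore in verbose or debug output; unless the ipaclient role already suppresses it, `no_log: true` on the `register as an ipa client` task would keep it out of the deploy logs — worth confirming against the role. The `IdMNovaKeytab` default `'FILE:/etc/novajoin/krb5.keytab'` and its description still point at the novajoin keytab even though the environment-file FIXMEs describe this service as the post-novajoin replacement, so that default will presumably need revisiting when the switch is made.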
|
|
@ -37,6 +37,8 @@ resource_registry:
|
|||
OS::TripleO::Services::CertmongerUser: ../../deployment/certs/certmonger-user-baremetal-puppet.yaml
|
||||
OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
|
||||
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
|
||||
# FIXME(xek): after removal of novajoin, switch to using this service instead
|
||||
# OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
|
||||
OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
|
||||
{%- for role in roles %}
|
||||
OS::TripleO::{{role.name}}ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals/{{role.name.lower()}}-role.yaml
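Review bot: The commented-out `# OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml` sits directly under the live `OS::TripleO::Services::IpaClient:` mapping, so whoever acts on the FIXME has to delete the first line rather than just uncomment the second — a duplicate key in a YAML mapping is taken silently as last-wins by most parsers, and the effective resource_registry entry would then depend on line order. Making the comment say so, e.g. `# FIXME(xek): after removal of novajoin, replace the IpaClient mapping above with:`, avoids that trap. The same pattern appears in the `@ -61,6 +61,8 @@ environments:` hunk.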
|
||||
|
|
|
@ -72,6 +72,7 @@ resource_registry:
|
|||
OS::TripleO::Services::HeatApiCfn: OS::Heat::None
|
||||
OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
|
||||
OS::TripleO::Services::HeatEngine: OS::Heat::None
|
||||
OS::TripleO::Services::IpaClient: OS::Heat::None
|
||||
OS::TripleO::Services::IronicApi: OS::Heat::None
|
||||
OS::TripleO::Services::IronicConductor: OS::Heat::None
|
||||
OS::TripleO::Services::IronicInspector: OS::Heat::None
|
||||
|
|
|
@ -85,6 +85,7 @@ resource_registry:
|
|||
OS::TripleO::Services::HeatApiCfn: OS::Heat::None
|
||||
OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
|
||||
OS::TripleO::Services::HeatEngine: OS::Heat::None
|
||||
OS::TripleO::Services::IpaClient: OS::Heat::None
|
||||
OS::TripleO::Services::IronicApi: OS::Heat::None
|
||||
OS::TripleO::Services::IronicConductor: OS::Heat::None
|
||||
OS::TripleO::Services::IronicInspector: OS::Heat::None
|
||||
|
|
|
@ -61,6 +61,8 @@ environments:
|
|||
# We use apache as a TLS proxy
|
||||
# FIXME(bogdando): switch it, once it is containerized
|
||||
OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaclient-baremetal-ansible.yaml
|
||||
# FIXME(xek): after removal of novajoin, switch to using this service instead
|
||||
# OS::TripleO::Services::IpaClient: ../../deployment/ipa/ipaservices-baremetal-ansible.yaml
|
||||
OS::TripleO::Services::TLSProxyBase: ../../deployment/apache/apache-baremetal-puppet.yaml
|
||||
# Creates nova metadata that will create the extra service principals per
|
||||
# node.
|
||||
|
|
|
@ -112,6 +112,8 @@ environments:
|
|||
OS::TripleO::Services::HeatApiCfn: OS::Heat::None
|
||||
OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
|
||||
OS::TripleO::Services::HeatEngine: OS::Heat::None
|
||||
# TLS
|
||||
OS::TripleO::Services::IpaClient: OS::Heat::None
|
||||
# Ironic
|
||||
OS::TripleO::Services::IronicApi: OS::Heat::None
|
||||
OS::TripleO::Services::IronicConductor: OS::Heat::None
|
||||
|
@ -228,6 +230,8 @@ environments:
|
|||
OS::TripleO::Services::HeatApiCfn: OS::Heat::None
|
||||
OS::TripleO::Services::HeatApiCloudwatch: OS::Heat::None
|
||||
OS::TripleO::Services::HeatEngine: OS::Heat::None
|
||||
# TLS
|
||||
OS::TripleO::Services::IpaClient: OS::Heat::None
|
||||
# Ironic
|
||||
OS::TripleO::Services::IronicApi: OS::Heat::None
|
||||
OS::TripleO::Services::IronicConductor: OS::Heat::None
|
||||
|
|