Ian Wienand c1aff2ed38 kerberos-kdc: role to manage Kerberos KDC servers
This adds a role and related testing to manage our Kerberos KDC
servers, intended to replace the puppet modules currently performing
this task.

This role automates realm creation, initial setup, key material
distribution and replica host configuration.  None of this is intended
to run on the production servers which are already set up with an
active database, and the role should be effectively idempotent in
production.

Note that this does not yet switch the production servers into the new
groups; this can be done in a separate step under controlled
conditions and with related upgrades of the host OS to Focal.

Change-Id: I60b40897486b29beafc76025790c501b5055313d
2021-03-17 08:30:52 +11:00


Configure a Kerberos KDC server

All KDC servers (primary and replicas) should be in a common
``kerberos-kdc`` group that defines ``kerberos_kdc_realm`` and
``kerberos_kdc_master_key``.

The ``kerberos-kdc-primary`` group should have a single primary KDC
host. It will be configured to replicate its database to hosts in
the ``kerberos-kdc-replica`` group.

Hosts in the ``kerberos-kdc-replica`` group will be configured to
receive updates from the ``kerberos-kdc-primary`` host.

The role should be run twice; once limited to the primary group and
then a second time limited to the replica group.
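
The group layout above has constraints the role relies on (one primary, every
KDC in the common group, both variables defined). The following check is an
added example, not part of the role or of system-config; it assumes an
inventory in the dict shape ``ansible-inventory --list`` emits, with a
constructed sample whose host names and master key are placeholders.

```python
# Added example (not from the kerberos-kdc role): lint the inventory layout
# the README describes before running the role against it.
KDC_GROUP = "kerberos-kdc"
PRIMARY_GROUP = "kerberos-kdc-primary"
REPLICA_GROUP = "kerberos-kdc-replica"
REQUIRED_VARS = ("kerberos_kdc_realm", "kerberos_kdc_master_key")


def check_kdc_inventory(inventory):
    """Return a list of layout problems; an empty list means it is valid."""
    problems = []
    kdc = inventory.get(KDC_GROUP, {})
    kdc_hosts = set(kdc.get("hosts", []))
    primaries = set(inventory.get(PRIMARY_GROUP, {}).get("hosts", []))
    replicas = set(inventory.get(REPLICA_GROUP, {}).get("hosts", []))

    # Exactly one primary: replication needs a single source database.
    if len(primaries) != 1:
        problems.append(f"{PRIMARY_GROUP} must contain exactly one host, "
                        f"found {len(primaries)}")
    # A host cannot be both the replication source and a target.
    for host in sorted(primaries & replicas):
        problems.append(f"{host} is in both {PRIMARY_GROUP} and {REPLICA_GROUP}")
    # Every primary and replica must also be in the common group, or it
    # will not receive the realm and master key variables.
    for host in sorted((primaries | replicas) - kdc_hosts):
        problems.append(f"{host} is not a member of {KDC_GROUP}")
    # The common group must define both variables with non-empty values.
    kdc_vars = kdc.get("vars", {})
    for var in REQUIRED_VARS:
        if not kdc_vars.get(var):
            problems.append(f"{KDC_GROUP} does not set {var}")
    return problems


# Constructed sample inventory; host names and the key are placeholders.
SAMPLE_INVENTORY = {
    "kerberos-kdc": {
        "hosts": ["kdc01.example.org", "kdc02.example.org"],
        "vars": {"kerberos_kdc_realm": "EXAMPLE.ORG",
                 "kerberos_kdc_master_key": "<placeholder-master-key>"},
    },
    "kerberos-kdc-primary": {"hosts": ["kdc01.example.org"]},
    "kerberos-kdc-replica": {"hosts": ["kdc02.example.org"]},
}

if __name__ == "__main__":
    for problem in check_kdc_inventory(SAMPLE_INVENTORY) or ["inventory ok"]:
        print(problem)
```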

**Role Variables**

.. zuul:rolevar:: kerberos_kdc_realm

   The realm for all KDC servers.

.. zuul:rolevar:: kerberos_kdc_master_key

   The master key written into the *stash* file for each KDC, which
   allows them to authenticate.