From 551bc63f641c262145bb91d9a4a230ba3533653d Mon Sep 17 00:00:00 2001 From: Grzegorz Grasza Date: Mon, 17 Aug 2020 12:08:01 +0200 Subject: [PATCH] First commit, containing the ipa-server playbooks This also adds Zuul configuration with linter job. Change-Id: I8bc54901002c14f9b352d0f74705801082f4c08b
--- .gitignore | 11 ++ .pre-commit-config.yaml | 49 +++++ .yamllint | 33 ++++ LICENSE | 175 ++++++++++++++++++ README.rst | 18 ++ requirements.txt | 0 setup.cfg | 30 +++ setup.py | 19 ++ test-requirements.txt | 9 + tox.ini | 22 +++ tripleo_ipa_server/playbooks/README.md | 55 ++++++ .../ipa-server-create-principal.yaml | 68 +++++++ .../playbooks/ipa-server-create-role.yaml | 111 +++++++++++ .../ipa-server-register-undercloud.yaml | 67 +++++++ zuul.d/layout.yaml | 12 ++ 15 files changed, 679 insertions(+) create mode 100644 .gitignore create mode 100644 .pre-commit-config.yaml create mode 100644 .yamllint create mode 100644 LICENSE create mode 100644 README.rst create mode 100644 requirements.txt create mode 100644 setup.cfg create mode 100644 setup.py create mode 100644 test-requirements.txt create mode 100644 tox.ini create mode 100644 tripleo_ipa_server/playbooks/README.md create mode 100644 tripleo_ipa_server/playbooks/ipa-server-create-principal.yaml create mode 100644 tripleo_ipa_server/playbooks/ipa-server-create-role.yaml create mode 100644 tripleo_ipa_server/playbooks/ipa-server-register-undercloud.yaml create mode 100644 zuul.d/layout.yaml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..547b7c0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,11 @@
+# interpreted and compiled python files
+*.py[cod]
+
+# Virtual environments and testing
+.tox
+.venv
+.stestr
+*.swp
+
+tripleo_ipa.egg-info/
+.eggs/
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..f219aa9
--- /dev/null
+++ b/.pre-commit-config.yaml
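Review bot: The `tripleo_ipa.egg-info/` entry does not match the distribution name this commit sets in setup.cfg (`name = ansible-tripleo-ipa-server`); setuptools normalizes that to `ansible_tripleo_ipa_server.egg-info/`, so the directory a develop install or tox run creates will show up as untracked. Change the line to `ansible_tripleo_ipa_server.egg-info/`, or use the generic `*.egg-info/` so a later rename does not reintroduce the problem.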
@@ -0,0 +1,49 @@
+---
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v2.1.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
+ - id: mixed-line-ending
+ - id: check-byte-order-marker
+ - id: check-executables-have-shebangs
+ - id: check-merge-conflict
+ - id: debug-statements
+ - id: flake8
+ entry: flake8 --ignore=E24,E121,E122,E123,E124,E126,E226,E265,E305,E402,F401,F405,E501,E704,F403,F841,W503
+ # TODO(cloudnull): These codes were added to pass the lint check.
+ # All of these ignore codes should be resolved in
+ # future PRs.
+ - id: check-yaml
+ files: .*\.(yaml|yml)$
+ - repo: https://github.com/adrienverge/yamllint.git
+ rev: v1.15.0
+ hooks:
+ - id: yamllint
+ files: \.(yaml|yml)$
+ types: [file, yaml]
+ entry: yamllint --strict -f parsable
+ - repo: https://github.com/ansible/ansible-lint
+ rev: v4.1.1a2
+ hooks:
+ - id: ansible-lint
+ files: \.(yaml|yml)$
+ entry: >-
+ ansible-lint --force-color -v -x "ANSIBLE0006,ANSIBLE0007,ANSIBLE0010,ANSIBLE0012,ANSIBLE0013,ANSIBLE0016"
+ --exclude=tripleo_ipa_server/roles.galaxy
+ # TODO(cloudnull): These codes were added to pass the lint check.
+ # Things found within roles.galaxy are external
+ # and not something maintained here.
+ - repo: https://github.com/openstack-dev/bashate.git
+ rev: 0.6.0
+ hooks:
+ - id: bashate
+ entry: bashate --error . --verbose --ignore=E006,E040
+ # Run bashate check for all bash scripts
+ # Ignores the following rules:
+ # E006: Line longer than 79 columns (as many scripts use jinja
+ # templating, this is very difficult)
+ # E040: Syntax error determined using `bash -n` (as many scripts
+ # use jinja templating, this will often fail and the syntax
+ # error will be discovered in execution anyway)
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000..8827676
--- /dev/null
+++ b/.yamllint
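Review bot: The ansible-lint entry excludes `tripleo_ipa_server/roles.galaxy`, a path this commit does not create (the diffstat only adds `tripleo_ipa_server/playbooks/`), and the TODO beside it talks about external roles that do not exist here; either drop `--exclude=tripleo_ipa_server/roles.galaxy` or replace the TODO with a one-line comment saying the directory is reserved for a future galaxy checkout. Each `rev:` pins a hook repository by tag, which pre-commit re-resolves whenever its cache is cold; if the linter job is meant to be reproducible across CI nodes, pinning to the tagged commit SHA is the safer choice. The `flake8` id under `pre-commit/pre-commit-hooks` is, as far as I recall, a deprecated mirror of flake8's own hook, so it may vanish on the next `rev` bump — worth confirming before relying on it.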
@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+ braces:
+ max-spaces-inside: 1
+ level: error
+ brackets:
+ max-spaces-inside: 1
+ level: error
+ colons:
+ max-spaces-after: -1
+ level: error
+ commas:
+ max-spaces-after: -1
+ level: error
+ comments: disable
+ comments-indentation: disable
+ document-start: disable
+ empty-lines:
+ max: 3
+ level: error
+ hyphens:
+ level: error
+ indentation: disable
+ key-duplicates: enable
+ line-length: disable
+ new-line-at-end-of-file: disable
+ new-lines:
+ type: unix
+ trailing-spaces: disable
+ truthy: disable
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..67db858
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,175 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
diff --git a/README.rst b/README.rst
new file mode 100644
index 0000000..f0aaa3f
--- /dev/null
+++ b/README.rst
@@ -0,0 +1,18 @@
+===========
+tripleo-ipa
+===========
+
+This repository contains Ansible for configuring the FreeIPA server for TripleO.
+
+Installation
+============
+
+.. code-block:: bash
+
+ $ pip install --prefix=/usr ansible-tripleo-ipa-server
+
+Or, if you are installing from source, in the project directory:
+
+.. code-block:: bash
+
+ $ python setup.py install --prefix=/usr
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..e69de29
diff --git a/setup.cfg b/setup.cfg
new file mode 100644
index 0000000..3cfdf21
--- /dev/null
+++ b/setup.cfg
@@ -0,0 +1,30 @@
+[metadata]
+name = ansible-tripleo-ipa-server
+summary = Ansible assets for configuring the FreeIPA server for TripleO.
+description-file =
+ README.rst
+
+author = RedHat
+home-page = https://opendev.org/x/ansible-tripleo-ipa-server
+classifier =
+ License :: OSI Approved :: Apache Software License
+ Development Status :: 4 - Beta
+ Intended Audience :: Developers
+ Intended Audience :: System Administrators
+ Intended Audience :: Information Technology
+ Topic :: Utilities
+
+[global]
+setup-hooks =
+ pbr.hooks.setup_hook
+
+[files]
+data_files =
+ share/ansible/tripleo-playbooks/ = tripleo_ipa_server/playbooks/*
+
+[wheel]
+universal = 1
+
+[pbr]
+skip_authors = True
+skip_changelog = True
diff --git a/setup.py b/setup.py
new file mode 100644
index 0000000..6a931a6
--- /dev/null
+++ b/setup.py
@@ -0,0 +1,19 @@
+# Copyright Red Hat, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import setuptools
+
+setuptools.setup(
+ setup_requires=['pbr'],
+ pbr=True)
diff --git a/test-requirements.txt b/test-requirements.txt
new file mode 100644
index 0000000..64f45bf
--- /dev/null
+++ b/test-requirements.txt
@@ -0,0 +1,9 @@
+# The order of packages is significant, because pip processes them in the order
+# of appearance. Changing the order has an impact on the overall integration
+# process, which may cause wedges in the gate later.
+
+ansible-lint # MIT
+pre-commit # MIT
+mock>=2.0.0 # BSD
+stestr>=2.0.0 # Apache-2.0
+oslotest>=3.2.0 # Apache-2.0
diff --git a/tox.ini b/tox.ini
new file mode 100644
index 0000000..8b15a69
--- /dev/null
+++ b/tox.ini
@@ -0,0 +1,22 @@
+[tox]
+minversion = 2.0
+envlist = linters
+skipdist = True
+
+[testenv]
+usedevelop = True
+install_command = pip install -c{env:UPPER_CONSTRAINTS_FILE:https://opendev.org/openstack/requirements/raw/branch/master/upper-constraints.txt} {opts} {packages}
+passenv = *
+sitepackages = True
+deps =
+ -r {toxinidir}/requirements.txt
+ -r {toxinidir}/test-requirements.txt
+commands = stestr run {posargs}
+whitelist_externals =
+ tox
+
+[testenv:linters]
+deps =
+ -r {toxinidir}/test-requirements.txt
+commands =
+ python -m pre_commit run -a
diff --git a/tripleo_ipa_server/playbooks/README.md b/tripleo_ipa_server/playbooks/README.md
new file mode 100644
index 0000000..32050c0
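Review bot: `passenv = *` in `[testenv]` forwards the caller's entire environment into every tox env, including the `IPA_PASSWORD` and `IPA_PRINCIPAL` values this repo's README tells operators to export, and neither `stestr` nor the `linters` env (which inherits the setting) needs them; list only what the envs use, e.g. `passenv = UPPER_CONSTRAINTS_FILE`. `commands = stestr run {posargs}` is configured although the commit adds no tests and `envlist` names only `linters`, so a short comment that the default env is a placeholder would avoid surprise when someone runs bare `tox -e py`.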
--- /dev/null
+++ b/tripleo_ipa_server/playbooks/README.md
@@ -0,0 +1,55 @@ +# TLS-e IPA Server Configuration Roles + +## Included Roles + +This directory includes 3 playbooks (`ipa-server-*.yaml`) to be used for the TripleO TLS-e configuration of a FreeIPA server. The playbooks need to be run in the order that follows, however certain playbooks only need to be run once per IPA server: + +--- +1. `ipa-sever-create-role.yaml` The purpose of this playbook is to create a role on the IPA server with the appropriate permissions and privileges to add and remove hosts, principals, services and dns entries. +> Currently this playbook is required to be executed on an IPA client host with an active Kerberos token. + +> This playbook only needs to be run once per IPA server. +--- +2. `ipa-server-register-undercloud.yaml` This playbook registers the undercloud host as an IPA client and provides a one time password(OTP) to the operator for use in the undercloud configuration. An example of the final output of a successful run of this play will look like this: +``` +TASK [provide OTP generated by IPA server] **************************** +ok: [localhost] => { + "msg": [ + "The OTP provided by the IPA server is 9Ok~JEz!ul;&Sf:V This playbook does not require an active Kerberos token. + +> This playbook needs to be run once per openstack deployment. +--- +3. `ipa-server-create-principal.yaml` This playbook creates the nova user for the undercloud host created with `ipa-register-undercloud.yaml` and adds it to the Nova Host Manager IPA role created by `ipa-server-create-role.yaml`. +> This playbook does not require an active Kerberos token. + +> This playbook needs to be run once per openstack deployment. +--- +## Environment/Ansible variables +The playbooks currently require the following variables to be set. These can either be environment variables or ansible variables passed either in a file or on the command line with the `-e` argument to the `ansible-playbook` command. 
+ +### `ENVIRONMENT/ansible` variable +* `tripleo_ipa_host` this is the host which ansible will connect to for playbook execution, this is the host that needs to be an IPA client. Defaults to `localhost`. +* `IPA_PRINCIPAL/tripleo_ipa_principal` is the IPA username with appropriate permissions and privileges to add roles and privileges. This value is required and has no default. +* `IPA_PASSWORD/tripleo_ipa_password` is the password for the IPA_PRINCIPAL. This value is required and has no default. +* `UNDERCLOUD_FQDN/tripleo_undercloud_fqdn` is the fully qualified domain name of the undercloud host. This value is required and has no default. + +#### Example environment variables +```bash +export IPA_PRINCIPAL=admin +export IPA_PASSWORD=password +export UNDERCLOUD_FQDN=undercloud.ooo.test +``` + +#### Example ansible variables file +```yaml +--- +tripleo_ipa_principal: admin +tripleo_ipa_password: password +tripleo_undercloud_fqdn: undercloud.ooo.test +``` diff --git a/tripleo_ipa_server/playbooks/ipa-server-create-principal.yaml b/tripleo_ipa_server/playbooks/ipa-server-create-principal.yaml new file mode 100644 index 0000000..3632fd5 --- /dev/null +++ b/tripleo_ipa_server/playbooks/ipa-server-create-principal.yaml 
@@ -0,0 +1,68 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# This playbook creates the nova user and adds it to the Nova Host Manager IPA
+# role. This needs to be executed by a user that has permissions to add services
+# and to add them to roles. This needs to be run once per openstack deployment.
+
+- name: Playbook to setup a principal for use with tripleo-ipa
+ connection: "{{ (tripleo_ipa_host is defined) | ternary('ssh', 'local') }}"
+ hosts: "{{ tripleo_ipa_host | default('localhost') }}"
+ tasks:
+ - name: ensure definitions
+ fail:
+ msg: >-
+ {{ item }} is undefined
+ when: not item.ansible_var and not item.env_var
+ with_items:
+ - name: ipa_principal
+ ansible_var: "{{ ipa_principal | default('') }}"
+ env_var: "{{ lookup('env', 'IPA_PRINCIPAL') }}"
+ - name: ipa_password
+ ansible_var: "{{ ipa_password | default('') }}"
+ env_var: "{{ lookup('env', 'IPA_PASSWORD') }}"
+ - name: undercloud_fqdn
+ ansible_var: "{{ tripleo_undercloud_fqdn | default('') }}"
+ env_var: "{{ lookup('env', 'UNDERCLOUD_FQDN') }}"
+
+ - name: set IPA server facts
+ set_fact:
+ ipa_principal: "{{ tripleo_ipa_principal | default(lookup('env', 'IPA_PRINCIPAL')) }}"
+ ipa_password: "{{ tripleo_ipa_password | default(lookup('env', 'IPA_PASSWORD')) }}"
+ undercloud_fqdn: "{{ tripleo_undercloud_fqdn | default(lookup('env', 'UNDERCLOUD_FQDN')) }}"
+
+ - name: set nova service user facts
+ set_fact:
+ nova_service: "nova/{{ undercloud_fqdn }}"
+
+ - name: add nova service
+ ipa_service:
+ name: "{{ nova_service }}"
+ ipa_user: "{{ ipa_principal }}"
+ ipa_pass: "{{ ipa_password }}"
+ state: present
+ force: true
+
+ - name: add nova host manager role
+ ipa_role:
+ name: Nova Host Manager
+ ipa_user: "{{ ipa_principal }}"
+ ipa_pass: "{{ ipa_password }}"
+ description: Nova Host Manager
+ privilege:
+ - Nova Host Management
+ service:
+ - "{{ nova_service }}"
diff --git a/tripleo_ipa_server/playbooks/ipa-server-create-role.yaml b/tripleo_ipa_server/playbooks/ipa-server-create-role.yaml
new file mode 100644
index 0000000..a5650c3
--- /dev/null
+++ b/tripleo_ipa_server/playbooks/ipa-server-create-role.yaml
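Review bot: The `ensure definitions` task validates `ipa_principal` and `ipa_password`, but `set IPA server facts` two tasks later reads `tripleo_ipa_principal` and `tripleo_ipa_password` (the names the README documents), so `-e tripleo_ipa_principal=...` without the env var is rejected as undefined while `-e ipa_principal=...` passes the check and is then ignored. The same loop also carries the password value inside each item, and the default callback prints the item on the `skipping:` line (the `fail` message prints the whole dict too), so the credential can land in console and CI logs; checking a per-item boolean instead keeps the secret out of the loop output. Both problems are repeated in `ipa-server-create-role.yaml` and `ipa-server-register-undercloud.yaml`. Separately, `ipa_service` and `ipa_role` are called without `ipa_host`; as far as I recall the modules fall back to the `IPA_HOST` environment variable and then a placeholder default, and neither this play nor the README sets it — worth confirming or documenting.
```yaml
    - name: ensure definitions
      fail:
        msg: "{{ item.name }} is undefined"
      when: not (item.is_set | bool)
      with_items:
        # each item carries only a boolean so the loop output (printed for
        # skipped items by the default callback) never echoes the password
        - name: ipa_principal
          is_set: "{{ (tripleo_ipa_principal | default(lookup('env', 'IPA_PRINCIPAL'))) | length > 0 }}"
        - name: ipa_password
          is_set: "{{ (tripleo_ipa_password | default(lookup('env', 'IPA_PASSWORD'))) | length > 0 }}"
        - name: undercloud_fqdn
          is_set: "{{ (tripleo_undercloud_fqdn | default(lookup('env', 'UNDERCLOUD_FQDN'))) | length > 0 }}"
    # … unchanged: set IPA server facts and the remaining tasks …
```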
@@ -0,0 +1,111 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# This playbook adds a role with the correct privileges needed by tripleo-ipa
+# and TLS-e to add hosts and services to the IPA server. The operations in
+# this playbook likely need admin privileges and should be executed on an
+# IPA client. This playbook only needs to be run once per IPA server as
+# multiple tripleo deployments can utilize the same role.
+
+- name: Playbook to setup an IPA role with correct privileges for TLS-e
+ connection: "{{ (tripleo_ipa_host is defined) | ternary('ssh', 'local') }}"
+ hosts: "{{ tripleo_ipa_host | default('localhost') }}"
+ tasks:
+ - name: ensure definitions
+ fail:
+ msg: >-
+ {{ item }} is undefined
+ when: not item.ansible_var and not item.env_var
+ with_items:
+ - name: ipa_principal
+ ansible_var: "{{ ipa_principal | default('') }}"
+ env_var: "{{ lookup('env', 'IPA_PRINCIPAL') }}"
+ - name: ipa_password
+ ansible_var: "{{ ipa_password | default('') }}"
+ env_var: "{{ lookup('env', 'IPA_PASSWORD') }}"
+
+ - name: set IPA server facts
+ set_fact:
+ ipa_principal: "{{ tripleo_ipa_principal | default(lookup('env', 'IPA_PRINCIPAL')) }}"
+ ipa_password: "{{ tripleo_ipa_password | default(lookup('env', 'IPA_PASSWORD')) }}"
+
+ - name: set keytab permissions facts
+ set_fact:
+ tripleo_ipa_perms:
+ - {name: 'Modify host password', right: "write", type: "host", attrs: "userpassword"}
+ - {name: 'Write host certificate', right: "write", type: "host", attrs: "usercertificate"}
+ - {name: 'Modify host userclass', right: "write", type: "host", attrs: "userclass"}
+ - {name: 'Modify service managedBy attribute', right: "write", type: "service", attrs: "managedby"}
+ tripleo_ipa_privilege_perms:
+ - 'System: add hosts'
+ - 'System: remove hosts'
+ - 'Modify host password'
+ - 'Modify host userclass'
+ - 'System: Modify hosts'
+ - 'Modify service managedBy attribute'
+ - 'System: Add krbPrincipalName to a Host'
+ - 'System: Add Services'
+ - 'System: Remove Services'
+ - 'Revoke certificate'
+ - 'System: manage host keytab'
+ - 'System: Manage host certificates'
+ - 'System: modify services'
+ - 'System: manage service keytab'
+ - 'System: read dns entries'
+ - 'System: remove dns entries'
+ - 'System: add dns entries'
+ - 'System: update dns entries'
+ - 'System: Modify Realm Domains'
+ - 'Retrieve Certificates from the CA'
+
+ # unfortunately we don't have ansible module yet to create perms
+ # TODO(d34dh0r53): we should be able to obtain a token via curl
+ # which will allow us to perform these operations without a kinit first.
+ - name: add nova host management permissions
+ shell: |
+ ipa permission-find "{{ item.name }}"
+ if [ $? -ne 0 ]; then
+ ipa permission-add "{{ item.name }}" --right "{{ item.right }}" \
+ --type "{{ item.type }}" --attrs "{{ item.attrs }}"
+ fi
+ loop: "{{ tripleo_ipa_perms|flatten(levels=1) }}"
+
+ # unfortunately we don't have ansible module yet to create privileges
+ - name: add nova host privilege
+ shell: |
+ ipa privilege-find 'Nova Host Management'
+ if [ $? -ne 0 ]; then
+ ipa privilege-add --desc='Nova Host Management' 'Nova Host Management'
+ fi
+
+ - name: add permissions to the nova host privilege
+ shell: |
+ ipa privilege-add-permission 'Nova Host Management' \
+ --permission "{{ item }}"
+ register: add_perm_command
+ failed_when:
+ - add_perm_command.rc !=0
+ - '"This entry is already a member" not in add_perm_command.stdout'
+ loop: "{{ tripleo_ipa_privilege_perms|flatten(levels=1) }}"
+
+ - name: add nova host manager role
+ ipa_role:
+ name: Nova Host Manager
+ description: Nova Host Manager
+ ipa_user: "{{ ipa_principal }}"
+ ipa_pass: "{{ ipa_password }}"
+ privilege:
+ - Nova Host Management
diff --git a/tripleo_ipa_server/playbooks/ipa-server-register-undercloud.yaml b/tripleo_ipa_server/playbooks/ipa-server-register-undercloud.yaml
new file mode 100644
index 0000000..e5d76e4
--- /dev/null
+++ b/tripleo_ipa_server/playbooks/ipa-server-register-undercloud.yaml
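Review bot: None of the three `shell` tasks sets `changed_when`, so although the `permission-find`/`privilege-find` guards make them idempotent in effect, every run still reports them as changed, and `add permissions to the nova host privilege` inspects only `add_perm_command.stdout` for the already-a-member text while the ipa CLI may well put member failures on stderr — register each result and key the change on the CLI output, e.g. `register: perm_result` with `changed_when: "'Added permission' in perm_result.stdout"`, and widen the `failed_when` test to `(add_perm_command.stdout + add_perm_command.stderr)`. The `tripleo_ipa_privilege_perms` list grants `Nova Host Management` more than host and service lifecycle — `Revoke certificate`, `Retrieve Certificates from the CA`, `System: Modify Realm Domains` and full DNS entry management — and since the companion principal playbook attaches this privilege to the `nova/<undercloud>` service principal, a comment per group naming the tripleo-ipa operation that needs it would let reviewers keep the set at least privilege. The interpolated `item.*` values come from the play's own static lists, so the `shell` templating is not reachable from outside, but `command` with one argument per line would make that explicit.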
@@ -0,0 +1,67 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# This playbook registers the undercloud host as an IPA client and provices a
+# one time password to be used in the undercloud configuration file. This needs
+# to be executed by a user that has permissions to add services and to add them
+# to roles. This needs to be run once per openstack deployment.
+
+- name: Playbook to register the undercloud node and generate OTP
+ connection: "{{ (tripleo_ipa_host is defined) | ternary('ssh', 'local') }}"
+ hosts: "{{ tripleo_ipa_host | default('localhost') }}"
+ remote_user: root
+ tasks:
+ - name: ensure definitions
+ fail:
+ msg: >-
+ {{ item }} is undefined
+ when: not item.ansible_var and not item.env_var
+ with_items:
+ - name: ipa_principal
+ ansible_var: "{{ ipa_principal | default('') }}"
+ env_var: "{{ lookup('env', 'IPA_PRINCIPAL') }}"
+ - name: ipa_password
+ ansible_var: "{{ ipa_password | default('') }}"
+ env_var: "{{ lookup('env', 'IPA_PASSWORD') }}"
+ - name: undercloud_fqdn
+ ansible_var: "{{ tripleo_undercloud_fqdn | default('') }}"
+ env_var: "{{ lookup('env', 'UNDERCLOUD_FQDN') }}"
+ - name: undercloud_description
+ ansible_var: "{{ tripleo_undercloud_description | default('Undercloud') }}"
+ env_var: "{{ lookup('env', 'UNDERCLOUD_DESCRIPTION') }}"
+
+ - name: set IPA server facts
+ set_fact:
+ ipa_principal: "{{ tripleo_ipa_principal | default(lookup('env', 'IPA_PRINCIPAL')) }}"
+ ipa_password: "{{ tripleo_ipa_password | default(lookup('env', 'IPA_PASSWORD')) }}"
+ undercloud_fqdn: "{{ tripleo_undercloud_fqdn | default(lookup('env', 'UNDERCLOUD_FQDN')) }}"
+ undercloud_description: "{{ tripleo_undercloud_description | default(lookup('env', 'UNDERCLOUD_DESCRIPTION')) }}"
+
+ - name: register undercloud as IPA client
+ ipa_host:
+ ipa_user: "{{ ipa_principal }}"
+ ipa_pass: "{{ ipa_password }}"
+ fqdn: "{{ undercloud_fqdn }}"
+ random_password: true
+ force: true
+ register: host_otp
+
+ - name: provide OTP generated by IPA server
+ debug:
+ msg:
+ - "The OTP provided by the IPA server is {{ host_otp.host.randompassword }}"
+ - "Please add the following to your undercloud.conf:"
+ - "ipa_otp = {{ host_otp.host.randompassword }}"
diff --git a/zuul.d/layout.yaml b/zuul.d/layout.yaml
new file mode 100644
index 0000000..2be5832
--- /dev/null
+++ b/zuul.d/layout.yaml
@@ -0,0 +1,12 @@
+---
+- project:
+ templates:
+ - check-requirements
+ - publish-to-pypi
+ check:
+ jobs:
+ - openstack-tox-linters: &tripleo-linters
+ nodeset: centos-8
+ gate:
+ jobs:
+ - openstack-tox-linters: *tripleo-linters
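Review bot: `undercloud_description` is validated in `ensure definitions` and set as a fact, but it is never passed to `ipa_host`, so the `UNDERCLOUD_DESCRIPTION`/`tripleo_undercloud_description` input is silently ignored; add `description: "{{ undercloud_description }}"` to the module call (the module accepts that parameter as far as I know — confirm against the installed version). `remote_user: root` appears only in this play and is not needed for an API call over HTTPS; the other two playbooks omit it, so either drop it or add a comment saying why root is required on the client host. The OTP is meant to be printed by the debug task, but the `ipa_host` return registered as `host_otp` also carries `randompassword` and is shown by verbose or recording callbacks, so `no_log: true` on that task would keep the secret to the single intended line. The header comment has a typo, `provices` → `provides`.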