Replacing community.general ipa modules with ansible-freeipa

The community.general ipa modules used in tripleo-ipa don't work
under FIPS deployment. This patch is fixing that by replacing it
with the ansible-freeipa ipa modules.

Co-Author: Ade Lee <alee@redhat.com>
Co-Author: Grzegorz Grasza <xek@redhat.com>
Change-Id: Ibfd1b34fdf3d533579512f531ac8619b356f9ba0

ansible-collections-requirements.yml

@@ -5,6 +5,7 @@ collections:
   - name: https://github.com/ansible-collections/community.general
     type: git
     version: main
+  - freeipa.ansible_freeipa
   - ansible.posix
   - ansible.netcommon
   - openstack.cloud

tox.ini

@@ -23,9 +23,9 @@ whitelist_externals =
 [testenv:molecule]
 install_command = pip install {opts} {packages}
 setenv =
-  ANSIBLE_FILTER_PLUGINS={toxinidir}/tripleo_ipa/ansible_plugins/filter
-  ANSIBLE_LIBRARY={toxinidir}/tripleo_ipa/roles.galaxy/config_template/library:{toxinidir}/tripleo_ipa/ansible_plugins/modules
-  ANSIBLE_ROLES_PATH={toxinidir}/tripleo_ipa/roles.galaxy:{toxinidir}/tripleo_ipa/roles
+  ANSIBLE_FILTER_PLUGINS=~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter:{toxinidir}/tripleo_ipa/ansible_plugins/filter
+  ANSIBLE_LIBRARY=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:{toxinidir}/tripleo_ipa/ansible_plugins/modules
+  ANSIBLE_ROLES_PATH=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:{toxinidir}/tripleo_ipa/roles
 deps =
    -r {toxinidir}/requirements.txt
    -r {toxinidir}/molecule-requirements.txt
@@ -47,9 +47,9 @@ commands =
 
 [testenv:linters]
 setenv =
-  ANSIBLE_FILTER_PLUGINS={toxinidir}/tripleo_ipa/ansible_plugins/filter
-  ANSIBLE_LIBRARY={toxinidir}/tripleo_ipa/roles.galaxy/config_template/library:{toxinidir}/tripleo_ipa/ansible_plugins/modules
-  ANSIBLE_ROLES_PATH={toxinidir}/tripleo_ipa/roles.galaxy:{toxinidir}/tripleo_ipa/roles
+  ANSIBLE_FILTER_PLUGINS=~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter:{toxinidir}/tripleo_ipa/ansible_plugins/filter
+  ANSIBLE_LIBRARY=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:{toxinidir}/tripleo_ipa/ansible_plugins/modules
+  ANSIBLE_ROLES_PATH=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:{toxinidir}/tripleo_ipa/roles
 deps =
    -r {toxinidir}/ansible-requirements.txt
    -r {toxinidir}/test-requirements.txt

tripleo_ipa/playbooks/ipa-server-create-role.yaml

@@ -42,70 +42,11 @@
         ipa_principal: "{{ tripleo_ipa_principal | default(lookup('env', 'IPA_PRINCIPAL')) }}"
         ipa_password: "{{ tripleo_ipa_password | default(lookup('env', 'IPA_PASSWORD')) }}"
 
-    - name: set keytab permissions facts
-      set_fact:
-        tripleo_ipa_perms:
-          - {name: 'Modify host password', right: "write", type: "host", attrs: "userpassword"}
-          - {name: 'Write host certificate', right: "write", type: "host", attrs: "usercertificate"}
-          - {name: 'Modify host userclass', right: "write", type: "host", attrs: "userclass"}
-          - {name: 'Modify service managedBy attribute', right: "write", type: "service", attrs: "managedby"}
-        tripleo_ipa_privilege_perms:
-          - 'System: add hosts'
-          - 'System: remove hosts'
-          - 'Modify host password'
-          - 'Modify host userclass'
-          - 'System: Modify hosts'
-          - 'Modify service managedBy attribute'
-          - 'System: Add krbPrincipalName to a Host'
-          - 'System: Add Services'
-          - 'System: Remove Services'
-          - 'Revoke certificate'
-          - 'System: manage host keytab'
-          - 'System: Manage host certificates'
-          - 'System: modify services'
-          - 'System: manage service keytab'
-          - 'System: read dns entries'
-          - 'System: remove dns entries'
-          - 'System: add dns entries'
-          - 'System: update dns entries'
-          - 'System: Modify Realm Domains'
-          - 'Retrieve Certificates from the CA'
-
-    # unfortunately we don't have ansible module yet to create perms
-    # TODO(d34dh0r53): we should be able to obtain a token via curl
-    # which will allow us to perform these operations without a kinit first.
-    - name: add nova host management permissions
-      shell: |
-        ipa permission-find "{{ item.name }}"
-        if [ $? -ne 0 ]; then
-          ipa permission-add "{{ item.name }}" --right "{{ item.right }}" \
-            --type "{{ item.type }}" --attrs "{{ item.attrs }}"
-        fi
-      loop: "{{ tripleo_ipa_perms|flatten(levels=1) }}"
-
-    # unfortunately we don't have ansible module yet to create privileges
-    - name: add nova host privilege
-      shell: |
-        ipa privilege-find 'Nova Host Management'
-        if [ $? -ne 0 ]; then
-          ipa privilege-add --desc='Nova Host Management' 'Nova Host Management'
-        fi
-
-    - name: add permissions to the nova host privilege
-      shell: |
-        ipa privilege-add-permission 'Nova Host Management' \
-          --permission "{{ item }}"
-      register: add_perm_command
-      failed_when:
-        - add_perm_command.rc !=0
-        - '"This entry is already a member" not in add_perm_command.stdout'
-      loop: "{{ tripleo_ipa_privilege_perms|flatten(levels=1) }}"
-
-    - name: add nova host manager role
-      ipa_role:
-        name: Nova Host Manager
-        description: Nova Host Manager
-        ipa_user: "{{ ipa_principal }}"
-        ipa_pass: "{{ ipa_password }}"
-        privilege:
-          - Nova Host Management
+    - name: set perms, privs, roles
+      include_role:
+        name: triple_ipa_setup
+        tasks_from: setup
+        apply:
+          environment:
+            IPA_USER: "{ ipa_principal }"
+            IPA_PASS: "{ ipa_password }"

tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml

@@ -43,17 +43,39 @@
         record_type: "{{ 'A' if record_value| ansible.netcommon.ipv4 else 'AAAA' }}"
 
     - name: add dns zone
-      ipa_dnszone:
-        zone_name: "{{ zone_name }}"
+      freeipa.ansible_freeipa.ipadnszone:
+        name: "{{ zone_name }}"
       become: true
 
-    - name: add forward dns record
-      ipa_dnsrecord:
-        zone_name: "{{ zone_name }}"
-        record_name: "{{ record_name }}"
-        record_type: "{{ record_type }}"
-        record_value: "{{ record_value }}"
-      become: true
+    - name: Modify or add forward dns
+      block:
+        - name: try modifying forward dns record
+          freeipa.ansible_freeipa.ipadnsrecord:
+            zone_name: "{{ zone_name }}"
+            record_name: "{{ record_name }}"
+            record_type: "{{ record_type }}"
+            a_rec: "{{ record_value }}"
+            a_ip_address: ""
+          when: record_type == 'A'
+          become: true
+
+        - name: try modifying forward dns record
+          freeipa.ansible_freeipa.ipadnsrecord:
+            zone_name: "{{ zone_name }}"
+            record_name: "{{ record_name }}"
+            record_type: "{{ record_type }}"
+            aaaa_rec: "{{ record_value }}"
+            aaaa_ip_address: ""
+          when: record_type == 'AAAA'
+          become: true
+      rescue:
+        - name: add forward dns record
+          freeipa.ansible_freeipa.ipadnsrecord:
+            zone_name: "{{ zone_name }}"
+            record_name: "{{ record_name }}"
+            record_type: "{{ record_type }}"
+            record_value: "{{ record_value }}"
+          become: true
 
     - name: get reverse record data
       set_fact:
@@ -72,23 +94,30 @@
       when: record_type == 'AAAA'
 
     - name: add reverse record dns zone
-      ipa_dnszone:
-        zone_name: "{{ reverse_record_zone }}"
+      freeipa.ansible_freeipa.ipadnszone:
+        name: "{{ reverse_record_zone }}"
       register: reverse_zone_result
-      failed_when:
-        - "'zone' not in reverse_zone_result"
-        - "'already exists in DNS' not in reverse_zone_result.msg"
+      failed_when: reverse_zone_result.failed and 'already exists in DNS' not in reverse_zone_result.msg
       become: true
 
-    - name: add reverse dns record
-      ipa_dnsrecord:
-        zone_name: "{{ reverse_record_zone }}"
-        record_name: "{{ reverse_record_name }}"
-        record_value: "{{ record_name }}.{{ zone_name }}."
-        record_type: "PTR"
-      register: reverse_record_result
-      failed_when:
-        - "'record' not in reverse_record_result"
-        - "'DNS zone not found' not in reverse_record_result.msg"
-      become: true
+    - name: Modify or add reverse dns record
+      block:
+        - name: try modifying reverse dns record
+          freeipa.ansible_freeipa.ipadnsrecord:
+            zone_name: "{{ reverse_record_zone }}"
+            record_name: "{{ reverse_record_name }}"
+            record_type: "PTR"
+            ptr_rec: "{{ record_name }}.{{ zone_name }}."
+            ptr_hostname: ""
+          become: true
+      rescue:
+        - name: add reverse dns record
+          freeipa.ansible_freeipa.ipadnsrecord:
+            zone_name: "{{ reverse_record_zone }}"
+            record_name: "{{ reverse_record_name }}"
+            record_type: "PTR"
+            record_value: "{{ record_name }}.{{ zone_name }}."
+          register: reverse_record_result
+          failed_when: reverse_zone_result.failed and 'already exists in DNS' not in reverse_zone_result.msg
+          become: true
   when: zone_name is match("^(|.+\.)" + cloud_domain + "$")

tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml

@@ -44,43 +44,22 @@
   when: enroll_base_server|bool
   become: true
   block:
-    - name: destroy the old keytab
-      command: "kdestroy -A"
+    - name: add new host with one-time password
+      freeipa.ansible_freeipa.ipahost:
+        name: "{{ base_server_fqdn }}"
+        random: true
+        force: true
+        state: present
+      register: ipa_host
+      failed_when: ipa_host.failed and "Password cannot be set on enrolled host" not in ipa_host.msg
 
-    - name: get a new keytab
-      command: "kinit -kt /etc/novajoin/krb5.keytab {{ principal }}"
-
-    - name: get host raw data and keytab info
-      command: "ipa host-show --raw --all {{ base_server_fqdn }}"
-      register: host_raw_data
-      changed_when: false
-      failed_when: false
-
-    - name: Print debug data
-      debug: var=host_raw_data
-
-    - name: confirm that host is not already registered with current keytab
-      when: '"has_keytab: TRUE" not in host_raw_data.stdout'
-      block:
-        - name: remove stale host if present
-          when: host_raw_data.rc == 0
-          ipa_host:
-            fqdn: "{{ base_server_fqdn }}"
-            state: absent
-
-        - name: add new host with random one-time password
-          ipa_host:
-            fqdn: "{{ base_server_fqdn }}"
-            random_password: true
-            force: true
-          register: ipa_host
-
-        - name: set otp as a host fact
-          set_fact:
-            ipa_host_otp: "{{ ipa_host.host.randompassword }}"
-          no_log: true
-          delegate_facts: true
-          delegate_to: "{{ tripleo_ipa_delegate_server }}"
+    - name: set otp as a host fact
+      set_fact:
+        ipa_host_otp: "{{ ipa_host.host.randompassword }}"
+      no_log: true
+      delegate_facts: true
+      delegate_to: "{{ tripleo_ipa_delegate_server }}"
+      when: "'host' in ipa_host"
 
 - name: add required services
   include: services.yml

tripleo_ipa/roles/tripleo_ipa_registration/tasks/services.yml

@@ -31,28 +31,22 @@
     service: "{{ item.1 }}"
 
 - name: add sub_host
-  ipa_host:
+  freeipa.ansible_freeipa.ipahost:
     fqdn: "{{ sub_host }}"
     force: true
     state: present
-    validate_certs: false
   become: true
 
 - name: add service
-  ipa_service:
+  freeipa.ansible_freeipa.ipaservice:
     name: "{{ service }}/{{ sub_host }}"
     force: true
     state: present
-    validate_certs: false
   become: true
-  register: my_service
 
-- name: add host to managed_hosts if needed
-  when: base_server_fqdn not in my_service['host']['managedby_host']
-  ipa_service:
-    name: "{{ service }}/{{ sub_host }}"
-    force: true
-    state: present
-    hosts: "{{ my_service['host']['managedby_host'] + [ base_server_fqdn ] }}"
-    validate_certs: false
+- name: add host to managed_hosts if needed (shell)
+  shell: |
+    ipa service-add-host --hosts "{{ base_server_fqdn }}" "{{ service }}"/"{{ sub_host }}"
+  register: service_add_out
+  failed_when: service_add_out.failed and 'This entry is already a member' not in service_add_out.stdout
   become: true

tripleo_ipa/roles/tripleo_ipa_setup/tasks/add_ipa_user.yml

@@ -24,33 +24,20 @@
     nova_service: "nova/{{ undercloud_fqdn }}"
 
 - name: add nova service
-  ipa_service:
+  freeipa.ansible_freeipa.ipaservice:
     name: "{{ nova_service }}"
     state: present
     force: true
 
-# TODO(dsedgmen): remove when community ipa modules are replaced with ansible-freeipa
-# From looking at the ansible-freeipa modules they take into account exsisting
-# services assigned to the role
-# https://review.opendev.org/c/x/tripleo-ipa/+/771065
-- name: get current list of services assigned role Nova Host Manager
-  ipa_role:
-    name: Nova Host Manager
-  register: services_roles
-
-# TODO(dsedgmen): remove when community ipa modules are replaced with ansible-freeipa
-# From looking at the ansible-freeipa modules they take into account exsisting
-# services assigned to the role
-# https://review.opendev.org/c/x/tripleo-ipa/+/771065
-- name: create list of services for role
-  set_fact:
-    nova_service: "{{ [ nova_service ] + services_roles.role.member_service }}"
-  when: services_roles.role.member_service is defined
-
 - name: add Nova Host Manager role
-  ipa_role:
+  freeipa.ansible_freeipa.iparole:
     name: Nova Host Manager
     description: Nova Host Manager
     privilege:
       - Nova Host Management
+
+- name: add service to the Nova Host Manager role
+  freeipa.ansible_freeipa.iparole:
+    name: Nova Host Manager
     service: "{{ nova_service }}"
+    action: member

tripleo_ipa/roles/tripleo_ipa_setup/tasks/setup.yml

@@ -23,10 +23,10 @@
 - name: set keytab permissions facts
   set_fact:
     novajoin_perms:
-      - {name: 'Modify host password', right: "write", type: "host", attrs: "userpassword"}
-      - {name: 'Write host certificate', right: "write", type: "host", attrs: "usercertificate"}
-      - {name: 'Modify host userclass', right: "write", type: "host", attrs: "userclass"}
-      - {name: 'Modify service managedBy attribute', right: "write", type: "service", attrs: "managedby"}
+      - {name: 'Modify host password', right: "write", type: "host", attrs: ["userpassword"]}
+      - {name: 'Write host certificate', right: "write", type: "host", attrs: ["usercertificate"]}
+      - {name: 'Modify host userclass', right: "write", type: "host", attrs: ["userclass"]}
+      - {name: 'Modify service managedBy attribute', right: "write", type: "service", attrs: ["managedby"]}
     novajoin_privilege_perms:
       - 'System: add hosts'
       - 'System: remove hosts'
@@ -49,36 +49,32 @@
       - 'System: Modify Realm Domains'
       - 'Retrieve Certificates from the CA'
 
-# unfortunately we don't have ansible module yet to create perms
 - name: add nova host management permissions
-  shell: |
-    ipa permission-find "{{ item.name }}"
-    if [ $? -ne 0 ]; then
-      ipa permission-add "{{ item.name }}" --right "{{ item.right }}" \
-        --type "{{ item.type }}" --attrs "{{ item.attrs }}"
-    fi
+  freeipa.ansible_freeipa.ipapermission:
+    name: "{{ item.name }}"
+    right: "{{ item.right }}"
+    object_type: "{{ item.type }}"
+    attrs: "{{ item.attrs }}"
   loop: "{{ novajoin_perms|flatten(levels=1) }}"
 
-# unfortunately we don't have ansible module yet to create privileges
 - name: add Nova Host privilege
-  shell: |
-    ipa privilege-find 'Nova Host Management'
-    if [ $? -ne 0 ]; then
-      ipa privilege-add --desc='Nova Host Management' 'Nova Host Management'
-    fi
+  freeipa.ansible_freeipa.ipaprivilege:
+    name: Nova Host Management
+    description: Nova Host Management
 
 - name: add permissions to the Nova Host privilege
-  shell: |
-    ipa privilege-add-permission 'Nova Host Management' \
-      --permission "{{ item }}"
+  freeipa.ansible_freeipa.ipaprivilege:
+    name: Nova Host Management
+    action: member
+    permission: "{{ item }}"
   register: add_perm_command
   failed_when:
-    - add_perm_command.rc !=0
-    - '"This entry is already a member" not in add_perm_command.stdout'
-  loop: "{{ novajoin_privilege_perms|flatten(levels=1) }}"
+    - add_perm_command.failed
+    - '"This entry is already a member" not in add_perm_command.msg'
+  loop: "{{ novajoin_privilege_perms }}"
 
 - name: add Nova Host Manager role
-  ipa_role:
+  freeipa.ansible_freeipa.iparole:
     name: Nova Host Manager
     description: Nova Host Manager
     privilege: