Add_ipa_user.yml: Adds logical to concatenate services with role

The ipa_role explicitly sets the privileges to the list of services provided instead of appending. So if a list of every service assigned the role it will remove them. This will break intergrations with other underclouds if more than one is integrated with IPA. Change-Id: I38e10fe0bbd2503a5b2b67a99c47eeb2f8152395 Closes-bug: #1943810
2021-09-16 19:15:37 +10:00 · 2021-09-16 19:15:37 +10:00 · 6d63314d1d
commit 6d63314d1d
parent ebcb5625cc
5 changed files with 125 additions and 8 deletions
--- a/tripleo_ipa/molecule/default/converge.yml
+++ b/tripleo_ipa/molecule/default/converge.yml
@ -15,7 +15,7 @@
 # under the License.

 - name: Setup server
-  hosts: all
+  hosts: centos8
  vars:
    ipa_domain: example.test
    ipa_server_ip: 10.88.0.22
@ -27,6 +27,7 @@
    - name: install python urllib gssapi
      pip:
        name: urllib_gssapi
+
    - name: install ipa client
      package:
        name: ipa-client
@ -38,15 +39,25 @@
        stdin: |
          search {{ ipa_domain }}
          nameserver {{ ipa_server_ip }}
+
    - name: Set fqdn in /etc/hosts
      shell:
        cmd: cat > /etc/hosts
+
    - name: Set fqdn in /etc/hosts
      shell:
        cmd: cat > /etc/hosts
        stdin: |
          127.0.0.1 test-0.example.test test-0 localhost localhost.localdomain

+    - name: check FreeIPA LDAP port is open
+      wait_for:
+        host=ipa.example.test
+        port=389
+        delay=1
+        timeout=300
+      ignore_errors: true
+
    - name: enroll the server as an ipa client using admin creds
      shell: |
        ipa-client-install -U  \
@ -79,8 +90,79 @@
            IPA_HOST: "{{ ipa_server_hostname }}"
            IPA_PASS: "{{ ipa_server_password }}"

+
+- name: Setup dummy server
+  hosts: centos8-dummy
+  vars:
+    ipa_domain: example.test
+    ipa_server_ip: 10.88.0.22
+    ipa_server_user: admin
+    ipa_server_password: password123
+    ipa_server_hostname: ipa.example.test
+    undercloud_fqdn: dummy.example.test
+  tasks:
+    - name: install python urllib gssapi
+      pip:
+        name: urllib_gssapi
+
+    - name: install ipa client
+      package:
+        name: ipa-client
+        state: present
+
+    - name: set resolv.conf to point to the ipa server
+      shell:
+        cmd: cat > /etc/resolv.conf
+        stdin: |
+          search {{ ipa_domain }}
+          nameserver {{ ipa_server_ip }}
+
+    - name: Set fqdn in /etc/hosts
+      shell:
+        cmd: cat > /etc/hosts
+
+    - name: Set fqdn in /etc/hosts
+      shell:
+        cmd: cat > /etc/hosts
+        stdin: |
+          127.0.0.1 dummy.example.test dummy localhost localhost.localdomain
+
+    - name: enroll the server as an ipa client using admin creds
+      shell: |
+        ipa-client-install -U  \
+          --server "{{ ipa_server_hostname }}" \
+          --domain "{{ ipa_domain }}" \
+          --realm "{{ ipa_domain | upper }}" \
+          --principal "{{ ipa_server_user }}" \
+          --password "{{ ipa_server_password }}" \
+          --no-ntp --force-join --no-nisdomain --debug
+      args:
+        creates: /etc/ipa/default.conf
+
+    # we need this keytab for operations that we cannot do yet with ansible
+    - name: kinit to get admin creds
+      command: kinit "{{ ipa_server_user }}"
+      args:
+        stdin: "{{ ipa_server_password }}"
+
+    - name: Ensure "tripleo-admin" group exists
+      group:
+        name: tripleo-admin
+        state: present
+
+
+    - name: create users, perms, get keytab
+      include_role:
+        name: tripleo_ipa_setup
+        apply:
+          environment:
+            IPA_USER: "{{ ipa_server_user }}"
+            IPA_HOST: "{{ ipa_server_hostname }}"
+            IPA_PASS: "{{ ipa_server_password }}"
+
+
 - name: Converge - add host and relevant services
-  hosts: all
+  hosts: centos8
  vars:
    tripleo_ipa_enroll_base_server: true
    tripleo_ipa_base_server_fqdn: test-0.example.test
@ -144,7 +226,7 @@


 - name: Converge - add dns entries
-  hosts: all
+  hosts: centos8
  vars:
    cloud_domain: ooo.test
    hosts_entry:
--- a/tripleo_ipa/molecule/default/molecule.yml
+++ b/tripleo_ipa/molecule/default/molecule.yml
@ -22,6 +22,22 @@ platforms:
      http_proxy: "{{ lookup('env', 'http_proxy') }}"
      https_proxy: "{{ lookup('env', 'https_proxy') }}"

+  - name: centos8-dummy
+    hostname: dummy.example.test
+    image: centos/centos:stream8
+    registry:
+      url: quay.io
+    command: /sbin/init
+    tmpfs:
+      - /run
+      - /tmp
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
+    dockerfile: Dockerfile
+    network_mode: host
+    environment: *env
+
 provisioner:
  name: ansible
  log: true
@ -36,6 +52,8 @@ provisioner:
        hosts:
          centos8:
            ansible_python_interpreter: /usr/bin/python3
+          centos8-dummy:
+            ansible_python_interpreter: /usr/bin/python3

 scenario:
  test_sequence:
--- a/tripleo_ipa/molecule/default/tests/test_default.py
+++ b/tripleo_ipa/molecule/default/tests/test_default.py
@ -7,7 +7,7 @@ import testinfra.utils.ansible_runner

 inventory = os.environ['MOLECULE_INVENTORY_FILE']
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    inventory).get_hosts('all')
+    inventory).get_hosts('centos8')


 def setup_module(module):
@ -121,7 +121,7 @@ def test_role(host):
    assert 'Role name: {}'.format(role) in result
    assert 'Description: {}'.format(role) in result
    assert 'Privileges: {}'.format(pri) in result
-    assert 'Member services: nova/test-0.example.test@EXAMPLE.TEST' in result
+    assert 'Member services: nova/test-0.example.test@EXAMPLE.TEST, nova/dummy.example.test@EXAMPLE.TEST' in result


@pytest.mark.parametrize('name', [
--- a/tripleo_ipa/molecule/default/verify.yml
+++ b/tripleo_ipa/molecule/default/verify.yml
@ -2,7 +2,7 @@
 # This is an example playbook to execute Ansible tests.

 - name: Verify
-  hosts: all
+  hosts: centos8
  tasks:
  - name: Example assertion
    assert:
--- a/tripleo_ipa/roles/tripleo_ipa_setup/tasks/add_ipa_user.yml
+++ b/tripleo_ipa/roles/tripleo_ipa_setup/tasks/add_ipa_user.yml
@ -29,11 +29,28 @@
    state: present
    force: true

+# TODO(dsedgmen): remove when community ipa modules are replaced with ansible-freeipa
+# From looking at the ansible-freeipa modules they take into account exsisting
+# services assigned to the role
+# https://review.opendev.org/c/x/tripleo-ipa/+/771065
+- name: get current list of services assigned role Nova Host Manager
+  ipa_role:
+    name: Nova Host Manager
+  register: services_roles
+
+# TODO(dsedgmen): remove when community ipa modules are replaced with ansible-freeipa
+# From looking at the ansible-freeipa modules they take into account exsisting
+# services assigned to the role
+# https://review.opendev.org/c/x/tripleo-ipa/+/771065
+- name: create list of services for role
+  set_fact:
+    nova_service: "{{ [ nova_service ] + services_roles.role.member_service }}"
+  when: services_roles.role.member_service is defined
+
 - name: add Nova Host Manager role
  ipa_role:
    name: Nova Host Manager
    description: Nova Host Manager
    privilege:
      - Nova Host Management
-    service:
-      - "{{ nova_service }}"
+    service: "{{ nova_service }}"