From 6d63314d1db74fb1a14ab0fff019f6dd85082061 Mon Sep 17 00:00:00 2001 From: David Sedgmen Date: Thu, 16 Sep 2021 19:15:37 +1000 Subject: [PATCH] Add_ipa_user.yml: Adds logical to concatenate services with role The ipa_role explicitly sets the privileges to the list of services provided instead of appending. So if a list of every service assigned the role it will remove them. This will break intergrations with other underclouds if more than one is integrated with IPA. Change-Id: I38e10fe0bbd2503a5b2b67a99c47eeb2f8152395 Closes-bug: #1943810 --- tripleo_ipa/molecule/default/converge.yml | 88 ++++++++++++++++++- tripleo_ipa/molecule/default/molecule.yml | 18 ++++ .../molecule/default/tests/test_default.py | 4 +- tripleo_ipa/molecule/default/verify.yml | 2 +- .../tripleo_ipa_setup/tasks/add_ipa_user.yml | 21 ++++- 5 files changed, 125 insertions(+), 8 deletions(-) diff --git a/tripleo_ipa/molecule/default/converge.yml b/tripleo_ipa/molecule/default/converge.yml index c868cc8..4eae040 100644 --- a/tripleo_ipa/molecule/default/converge.yml +++ b/tripleo_ipa/molecule/default/converge.yml @@ -15,7 +15,7 @@ # under the License. - name: Setup server - hosts: all + hosts: centos8 vars: ipa_domain: example.test ipa_server_ip: 10.88.0.22 @@ -27,6 +27,7 @@ - name: install python urllib gssapi pip: name: urllib_gssapi + - name: install ipa client package: name: ipa-client @@ -38,15 +39,25 @@ stdin: | search {{ ipa_domain }} nameserver {{ ipa_server_ip }} + - name: Set fqdn in /etc/hosts shell: cmd: cat > /etc/hosts + - name: Set fqdn in /etc/hosts shell: cmd: cat > /etc/hosts stdin: | 127.0.0.1 test-0.example.test test-0 localhost localhost.localdomain + - name: check FreeIPA LDAP port is open + wait_for: + host=ipa.example.test + port=389 + delay=1 + timeout=300 + ignore_errors: true + - name: enroll the server as an ipa client using admin creds shell: | ipa-client-install -U \ 
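Review bot: The added `check FreeIPA LDAP port is open` task passes its `wait_for` arguments as one free-form `key=value` string (`host=ipa.example.test port=389 delay=1 timeout=300`), while every other task in this play uses native YAML keys; the mapping form is also what ansible-lint expects. `ignore_errors: true` on the same task hides a server that never opens 389, so the following `ipa-client-install` step would fail with a less direct message — consider dropping it, or registering the result and adding a comment such as `# best effort: enrollment below reports the real error if IPA is unreachable` so the intent is explicit. The other two hunks of this file (`hosts: all` → `hosts: centos8`, blank lines) are trivial. Proposed task body:
```yaml
- name: check FreeIPA LDAP port is open
  wait_for:
    host: ipa.example.test
    port: 389
    delay: 1
    timeout: 300
  # … unchanged: enroll task follows …
```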
@@ -79,8 +90,79 @@ IPA_HOST: "{{ ipa_server_hostname }}" IPA_PASS: "{{ ipa_server_password }}" + +- name: Setup dummy server + hosts: centos8-dummy + vars: + ipa_domain: example.test + ipa_server_ip: 10.88.0.22 + ipa_server_user: admin + ipa_server_password: password123 + ipa_server_hostname: ipa.example.test + undercloud_fqdn: dummy.example.test + tasks: + - name: install python urllib gssapi + pip: + name: urllib_gssapi + + - name: install ipa client + package: + name: ipa-client + state: present + + - name: set resolv.conf to point to the ipa server + shell: + cmd: cat > /etc/resolv.conf + stdin: | + search {{ ipa_domain }} + nameserver {{ ipa_server_ip }} + + - name: Set fqdn in /etc/hosts + shell: + cmd: cat > /etc/hosts + + - name: Set fqdn in /etc/hosts + shell: + cmd: cat > /etc/hosts + stdin: | + 127.0.0.1 dummy.example.test dummy localhost localhost.localdomain + + - name: enroll the server as an ipa client using admin creds + shell: | + ipa-client-install -U \ + --server "{{ ipa_server_hostname }}" \ + --domain "{{ ipa_domain }}" \ + --realm "{{ ipa_domain | upper }}" \ + --principal "{{ ipa_server_user }}" \ + --password "{{ ipa_server_password }}" \ + --no-ntp --force-join --no-nisdomain --debug + args: + creates: /etc/ipa/default.conf + + # we need this keytab for operations that we cannot do yet with ansible + - name: kinit to get admin creds + command: kinit "{{ ipa_server_user }}" + args: + stdin: "{{ ipa_server_password }}" + + - name: Ensure "tripleo-admin" group exists + group: + name: tripleo-admin + state: present + + + - name: create users, perms, get keytab + include_role: + name: tripleo_ipa_setup + apply: + environment: + IPA_USER: "{{ ipa_server_user }}" + IPA_HOST: "{{ ipa_server_hostname }}" + IPA_PASS: "{{ ipa_server_password }}" + + - name: Converge - add host and relevant services - hosts: all + hosts: centos8 vars: tripleo_ipa_enroll_base_server: true tripleo_ipa_base_server_fqdn: test-0.example.test 
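Review bot: The new `Setup dummy server` play copies the `Setup server` play verbatim, including the doubled `Set fqdn in /etc/hosts` task: the first copy runs `cat > /etc/hosts` with no `stdin`, which presumably just truncates the file before the second copy writes it, so the stdin-less copy (`- name: Set fqdn in /etc/hosts` / `shell:` / `cmd: cat > /etc/hosts`) should be removed here rather than propagated. The copy also omits the `check FreeIPA LDAP port is open` task this same commit adds to the first play, so the two enrolment paths now differ for no stated reason. A header comment naming why the second host exists would help the next reader, e.g. `# second enrolled host: its nova service must be appended to, not replace, the one from test-0 (bug 1943810)`.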
@@ -144,7 +226,7 @@ - name: Converge - add dns entries - hosts: all + hosts: centos8 vars: cloud_domain: ooo.test hosts_entry: diff --git a/tripleo_ipa/molecule/default/molecule.yml b/tripleo_ipa/molecule/default/molecule.yml index 601d369..6ab515d 100644 --- a/tripleo_ipa/molecule/default/molecule.yml +++ b/tripleo_ipa/molecule/default/molecule.yml @@ -22,6 +22,22 @@ platforms: http_proxy: "{{ lookup('env', 'http_proxy') }}" https_proxy: "{{ lookup('env', 'https_proxy') }}" + - name: centos8-dummy + hostname: dummy.example.test + image: centos/centos:stream8 + registry: + url: quay.io + command: /sbin/init + tmpfs: + - /run + - /tmp + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg + dockerfile: Dockerfile + network_mode: host + environment: *env + provisioner: name: ansible log: true @@ -36,6 +52,8 @@ provisioner: hosts: centos8: ansible_python_interpreter: /usr/bin/python3 + centos8-dummy: + ansible_python_interpreter: /usr/bin/python3 scenario: test_sequence: diff --git a/tripleo_ipa/molecule/default/tests/test_default.py b/tripleo_ipa/molecule/default/tests/test_default.py index 79b0676..f8f7dd5 100644 --- a/tripleo_ipa/molecule/default/tests/test_default.py +++ b/tripleo_ipa/molecule/default/tests/test_default.py @@ -7,7 +7,7 @@ import testinfra.utils.ansible_runner inventory = os.environ['MOLECULE_INVENTORY_FILE'] testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - inventory).get_hosts('all') + inventory).get_hosts('centos8') def setup_module(module): @@ -121,7 +121,7 @@ def test_role(host): assert 'Role name: {}'.format(role) in result assert 'Description: {}'.format(role) in result assert 'Privileges: {}'.format(pri) in result - assert 'Member services: nova/test-0.example.test@EXAMPLE.TEST' in result + assert 'Member services: nova/test-0.example.test@EXAMPLE.TEST, nova/dummy.example.test@EXAMPLE.TEST' in result @pytest.mark.parametrize('name', [ 
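Review bot: The new `centos8-dummy` platform in molecule.yml repeats every key of the existing platform except `name` and `hostname`, reusing only the `*env` anchor, and nothing in the file says what the second container is for. A comment above the entry would make the fixture self-describing, e.g. `# second IPA client; exercises adding a service to a role that already has members`. Both containers run with `network_mode: host`; if that is also true of the existing `centos8` platform (its definition is outside the hunk) they share the host network stack, which is fine for registering services in IPA but worth stating so nobody later tries to bind ports in the dummy.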
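Review bot: The rewritten assertion in `test_role` pins the exact order `nova/test-0.example.test@EXAMPLE.TEST, nova/dummy.example.test@EXAMPLE.TEST` in the `Member services:` line, but the order in which IPA lists role members is not something the role controls, so the test can flake if the dummy host is enrolled first or the server returns members in a different order. Asserting each member independently checks what the fix actually guarantees: `assert 'nova/test-0.example.test@EXAMPLE.TEST' in result` and `assert 'nova/dummy.example.test@EXAMPLE.TEST' in result`. `test_role` begins outside the hunk; the `get_hosts('centos8')` change in the first hunk is a trivial follow-on to the inventory split.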
diff --git a/tripleo_ipa/molecule/default/verify.yml b/tripleo_ipa/molecule/default/verify.yml index a82dd6f..32e8b93 100644 --- a/tripleo_ipa/molecule/default/verify.yml +++ b/tripleo_ipa/molecule/default/verify.yml @@ -2,7 +2,7 @@ # This is an example playbook to execute Ansible tests. - name: Verify - hosts: all + hosts: centos8 tasks: - name: Example assertion assert: diff --git a/tripleo_ipa/roles/tripleo_ipa_setup/tasks/add_ipa_user.yml b/tripleo_ipa/roles/tripleo_ipa_setup/tasks/add_ipa_user.yml index ff0300a..7db8159 100644 --- a/tripleo_ipa/roles/tripleo_ipa_setup/tasks/add_ipa_user.yml +++ b/tripleo_ipa/roles/tripleo_ipa_setup/tasks/add_ipa_user.yml @@ -29,11 +29,28 @@ state: present force: true +# TODO(dsedgmen): remove when community ipa modules are replaced with ansible-freeipa +# From looking at the ansible-freeipa modules they take into account exsisting +# services assigned to the role +# https://review.opendev.org/c/x/tripleo-ipa/+/771065 +- name: get current list of services assigned role Nova Host Manager + ipa_role: + name: Nova Host Manager + register: services_roles + +# TODO(dsedgmen): remove when community ipa modules are replaced with ansible-freeipa +# From looking at the ansible-freeipa modules they take into account exsisting +# services assigned to the role +# https://review.opendev.org/c/x/tripleo-ipa/+/771065 +- name: create list of services for role + set_fact: + nova_service: "{{ [ nova_service ] + services_roles.role.member_service }}" + when: services_roles.role.member_service is defined + - name: add Nova Host Manager role ipa_role: name: Nova Host Manager description: Nova Host Manager privilege: - Nova Host Management - service: - - "{{ nova_service }}" + service: "{{ nova_service }}"
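Review bot: The `create list of services for role` task builds `[ nova_service ] + services_roles.role.member_service` without de-duplicating, so on a second run of the role on the same host, when `nova_service` is already a member, the list handed to `ipa_role` contains the service twice; `| unique` avoids that, assuming `nova_service` is written in the same principal form IPA returns (the test in this change shows IPA returning `nova/<fqdn>@REALM`). The `set_fact` also overwrites the role variable `nova_service` itself for the rest of the play, which is easy to trip over if the role is included more than once; a distinct fact name keeps the input and the computed list separate, and `default([])` removes the need for the `when` so the value is always a list: `nova_role_services: "{{ ([nova_service] + (services_roles.role.member_service | default([]))) | unique }}"` with `service: "{{ nova_role_services }}"` in the following task. The lookup task `ipa_role: name: Nova Host Manager` presumably runs with the module's default `state: present`, so a "get current list" task may create the role as a side effect; a comment stating that this is acceptable (the next task configures the same role) would document the intent. The `verify.yml` hunk on this line is a trivial host rename.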