Safely recreate hosts if they're not enrolled

When we create hosts in IPA, we check to see if the keytab attribute of the host is present. If it isn't, we assume the host isn't enrolled. We should also check to make sure the host doesn't exist in FreeIPA. This gives us the opportunity to clean up the existing host before attempting to recreate it (and failing, or ignoring errors). We need to recreate the host if it hasn't already been enrolled because we need to know the OTP (given to us when we create the host) to enroll the host as an IPA client later in the installation process. This helps make tripleo-ipa more robust against host that are in a bad state, where something went wrong on a previous deployment after the host was created and before it was enrolled. Change-Id: Ie31b2e49296563962d0c5985a13faf18a34f93da
2020-04-28 02:31:48 +00:00 · 2020-04-28 02:31:48 +00:00 · b10095c64e
commit b10095c64e
parent f23f48031b
2 changed files with 28 additions and 2 deletions
--- a/tripleo_ipa/molecule/deregister/converge.yml
+++ b/tripleo_ipa/molecule/deregister/converge.yml
@ -212,6 +212,27 @@
    IPA_HOST: ipa.example.test
    IPA_PASS: password123

+- name: Simulate bad enrollment for test-3 host
+  hosts: all
+  vars:
+    ipa_server_user: admin
+    ipa_server_password: password123
+    ipa_server_hostname: ipa.example.test
+  tasks:
+    # We do this to simulate a bad enrollment. If the host has already been
+    # added, but isn't enrolled we need to recreate the host during
+    # tripleo_ipa_registration. Add this host shouldn't cause the
+    # tripleo_ipa_registration role to fail. It should handle it gracefully.
+    # This host isn't enrolled and doesn't have a keytab associated to it
+    # because it's disabled.
+    - name: create a pre-existing host test-3
+      ipa_host:
+        fqdn: 'test-3.example.test'
+        force: true
+        ipa_user: "{{ ipa_server_user }}"
+        ipa_pass: "{{ ipa_server_password }}"
+        ipa_host: "{{ ipa_server_hostname }}"
+
 - name: Converge - add host and relevant services for test-3 host
  hosts: all
  vars:
--- a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml
+++ b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml
@ -43,17 +43,22 @@
    - name: confirm that host is not already registered with current keytab
      when: '"has_keytab: TRUE" not in host_raw_data.stdout'
      block:
+        - name: remove stale host if present
+          when: host_raw_data.rc == 0
+          ipa_host:
+            fqdn: "{{ base_server_fqdn }}"
+            state: absent
+
        - name: add new host with random otp
          ipa_host:
            fqdn: "{{ base_server_fqdn }}"
            random_password: true
            force: true
          register: ipa_host
-          ignore_errors: true

        - name: set otp as a host fact
          set_fact:
-            ipa_host_otp: "{{ ipa_host.host.randompassword | default(omit) }}"
+            ipa_host_otp: "{{ ipa_host.host.randompassword }}"
          no_log: true
          delegate_facts: true
          delegate_to: "{{ tripleo_ipa_delegate_server }}"