From b10095c64e694276b89f40186c21ac1171581ec9 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Tue, 28 Apr 2020 02:31:48 +0000
Subject: [PATCH] Safely recreate hosts if they're not enrolled

When we create hosts in IPA, we check to see if the keytab attribute of the host is present. If it isn't, we assume the host isn't enrolled. We should also check to make sure the host doesn't exist in FreeIPA. This gives us the opportunity to clean up the existing host before attempting to recreate it (and failing, or ignoring errors).

We need to recreate the host if it hasn't already been enrolled because we need to know the OTP (given to us when we create the host) to enroll the host as an IPA client later in the installation process.

This helps make tripleo-ipa more robust against host that are in a bad state, where something went wrong on a previous deployment after the host was created and before it was enrolled.

Change-Id: Ie31b2e49296563962d0c5985a13faf18a34f93da
---
 tripleo_ipa/molecule/deregister/converge.yml | 21 +++++++++++++++++++
 .../tripleo_ipa_registration/tasks/main.yml | 9 ++++++--
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/tripleo_ipa/molecule/deregister/converge.yml b/tripleo_ipa/molecule/deregister/converge.yml
index a098355..d0b3fe3 100644
--- a/tripleo_ipa/molecule/deregister/converge.yml
+++ b/tripleo_ipa/molecule/deregister/converge.yml
@@ -212,6 +212,27 @@
     IPA_HOST: ipa.example.test
     IPA_PASS: password123
 
+- name: Simulate bad enrollment for test-3 host
+  hosts: all
+  vars:
+    ipa_server_user: admin
+    ipa_server_password: password123
+    ipa_server_hostname: ipa.example.test
+  tasks:
+    # We do this to simulate a bad enrollment. If the host has already been
+    # added, but isn't enrolled we need to recreate the host during
+    # tripleo_ipa_registration. Add this host shouldn't cause the
+    # tripleo_ipa_registration role to fail. It should handle it gracefully.
+    # This host isn't enrolled and doesn't have a keytab associated to it
+    # because it's disabled.
+    - name: create a pre-existing host test-3
+      ipa_host:
+        fqdn: 'test-3.example.test'
+        force: true
+        ipa_user: "{{ ipa_server_user }}"
+        ipa_pass: "{{ ipa_server_password }}"
+        ipa_host: "{{ ipa_server_hostname }}"
+
 - name: Converge - add host and relevant services for test-3 host
   hosts: all
   vars:
diff --git a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml
index 112fedb..69d1d02 100644
--- a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml
+++ b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml
@@ -43,17 +43,22 @@
 - name: confirm that host is not already registered with current keytab
   when: '"has_keytab: TRUE" not in host_raw_data.stdout'
   block:
+    - name: remove stale host if present
+      when: host_raw_data.rc == 0
+      ipa_host:
+        fqdn: "{{ base_server_fqdn }}"
+        state: absent
+
     - name: add new host with random otp
       ipa_host:
         fqdn: "{{ base_server_fqdn }}"
         random_password: true
         force: true
       register: ipa_host
-      ignore_errors: true
 
     - name: set otp as a host fact
       set_fact:
-        ipa_host_otp: "{{ ipa_host.host.randompassword | default(omit) }}"
+        ipa_host_otp: "{{ ipa_host.host.randompassword }}"
       no_log: true
       delegate_facts: true
       delegate_to: "{{ tripleo_ipa_delegate_server }}"
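Review bot: The comment above `create a pre-existing host test-3` gives a reason the task does not support: it says the host has no keytab `because it's disabled`, but the task only creates the host entry (`force: true` skips the DNS lookup, per the ipa_host module's documentation), so nothing disables anything — the host simply was never enrolled. The same comment reads `Add this host shouldn't cause` where `Adding this host shouldn't cause` is meant. Suggested replacement for the last two comment lines: `# This host has only been created, never enrolled, so it has no keytab` / `# associated with it.`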
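Review bot: The new `remove stale host if present` task deletes an IPA host entry, and its only guards are `host_raw_data.rc == 0` plus the enclosing test `"has_keytab: TRUE" not in host_raw_data.stdout`; if the command that registers host_raw_data (outside this hunk) ever prints the keytab flag in a different form or exits 0 with partial output, an enrolled host's entry and keytab would be removed instead of left alone. Consider matching the not-enrolled state positively rather than by absence, e.g. `when: host_raw_data.rc == 0 and '"has_keytab: FALSE" in host_raw_data.stdout'` (assuming the raw output prints the flag that way — verify against the command), and add a task comment such as `# Host exists but was never enrolled: drop it so a fresh OTP can be issued.` so the destructive intent is explicit. With `ignore_errors: true` gone, a failure in the removal now aborts the block before `add new host` runs, which is the right fail-fast behaviour but worth stating in that comment. Note also that `register: ipa_host` captures `host.randompassword` while only the later set_fact is `no_log: true`; since this change now requires that value to be present, adding `no_log: true` to the add task keeps the OTP out of verbose task output.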