diff --git a/ansible-collections-requirements.yml b/ansible-collections-requirements.yml index ec295b9..11d3438 100644 --- a/ansible-collections-requirements.yml +++ b/ansible-collections-requirements.yml @@ -5,6 +5,7 @@ collections: - name: https://github.com/ansible-collections/community.general type: git version: main + - freeipa.ansible_freeipa - ansible.posix - ansible.netcommon - openstack.cloud diff --git a/tox.ini b/tox.ini index 952785b..a303af0 100644 --- a/tox.ini +++ b/tox.ini @@ -23,9 +23,9 @@ whitelist_externals = [testenv:molecule] install_command = pip install {opts} {packages} setenv = - ANSIBLE_FILTER_PLUGINS={toxinidir}/tripleo_ipa/ansible_plugins/filter - ANSIBLE_LIBRARY={toxinidir}/tripleo_ipa/roles.galaxy/config_template/library:{toxinidir}/tripleo_ipa/ansible_plugins/modules - ANSIBLE_ROLES_PATH={toxinidir}/tripleo_ipa/roles.galaxy:{toxinidir}/tripleo_ipa/roles + ANSIBLE_FILTER_PLUGINS=~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter:{toxinidir}/tripleo_ipa/ansible_plugins/filter + ANSIBLE_LIBRARY=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:{toxinidir}/tripleo_ipa/ansible_plugins/modules + ANSIBLE_ROLES_PATH=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:{toxinidir}/tripleo_ipa/roles deps = -r {toxinidir}/requirements.txt -r {toxinidir}/molecule-requirements.txt 
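Review bot: The new `freeipa.ansible_freeipa` entry carries no `version:`, so each install resolves to whatever Galaxy currently serves, while the roles in this change depend on specific module parameters of that collection (`action: member`, `a_rec`, `random`) that are only guaranteed for the version they were written against. The neighbouring `ansible.posix`/`ansible.netcommon` entries are unpinned too, so this may be the file's convention, but for reproducible CI and a reviewable supply chain I would pin at least the new one: `- name: freeipa.ansible_freeipa` / `  version: "<tested version>"`. The `community.general` entry above tracks the `main` branch and has the same reproducibility problem, but that is not introduced here.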
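Review bot: In the `[testenv:molecule]` `setenv` block the user and system directories now precede the in-tree ones, and Ansible takes the first match along `ANSIBLE_LIBRARY`, `ANSIBLE_FILTER_PLUGINS` and `ANSIBLE_ROLES_PATH`, so a role, module or filter of the same name installed under `~/.ansible` or `/usr/share/ansible` (for example a packaged copy of these tripleo_ipa roles) would be exercised instead of the checkout under test. If the intent is only to fall back to installed roles and plugins, keep the checkout first and append the system paths: `ANSIBLE_ROLES_PATH={toxinidir}/tripleo_ipa/roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles`, and likewise for the other two variables. The same ordering appears in the `[testenv:linters]` hunk that follows. Dropping `{toxinidir}/tripleo_ipa/roles.galaxy` from `ANSIBLE_ROLES_PATH` also means anything previously installed there is no longer found; I cannot tell from the hunk whether that directory is still used.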
@@ -47,9 +47,9 @@ commands = [testenv:linters] setenv = - ANSIBLE_FILTER_PLUGINS={toxinidir}/tripleo_ipa/ansible_plugins/filter - ANSIBLE_LIBRARY={toxinidir}/tripleo_ipa/roles.galaxy/config_template/library:{toxinidir}/tripleo_ipa/ansible_plugins/modules - ANSIBLE_ROLES_PATH={toxinidir}/tripleo_ipa/roles.galaxy:{toxinidir}/tripleo_ipa/roles + ANSIBLE_FILTER_PLUGINS=~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter:{toxinidir}/tripleo_ipa/ansible_plugins/filter + ANSIBLE_LIBRARY=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:{toxinidir}/tripleo_ipa/ansible_plugins/modules + ANSIBLE_ROLES_PATH=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:{toxinidir}/tripleo_ipa/roles deps = -r {toxinidir}/ansible-requirements.txt -r {toxinidir}/test-requirements.txt diff --git a/tripleo_ipa/playbooks/ipa-server-create-role.yaml b/tripleo_ipa/playbooks/ipa-server-create-role.yaml index a5650c3..770cf9c 100644 --- a/tripleo_ipa/playbooks/ipa-server-create-role.yaml +++ b/tripleo_ipa/playbooks/ipa-server-create-role.yaml 
@@ -42,70 +42,11 @@ ipa_principal: "{{ tripleo_ipa_principal | default(lookup('env', 'IPA_PRINCIPAL')) }}" ipa_password: "{{ tripleo_ipa_password | default(lookup('env', 'IPA_PASSWORD')) }}" - - name: set keytab permissions facts - set_fact: - tripleo_ipa_perms: - - {name: 'Modify host password', right: "write", type: "host", attrs: "userpassword"} - - {name: 'Write host certificate', right: "write", type: "host", attrs: "usercertificate"} - - {name: 'Modify host userclass', right: "write", type: "host", attrs: "userclass"} - - {name: 'Modify service managedBy attribute', right: "write", type: "service", attrs: "managedby"} - tripleo_ipa_privilege_perms: - - 'System: add hosts' - - 'System: remove hosts' - - 'Modify host password' - - 'Modify host userclass' - - 'System: Modify hosts' - - 'Modify service managedBy attribute' - - 'System: Add krbPrincipalName to a Host' - - 'System: Add Services' - - 'System: Remove Services' - - 'Revoke certificate' - - 'System: manage host keytab' - - 'System: Manage host certificates' - - 'System: modify services' - - 'System: manage service keytab' - - 'System: read dns entries' - - 'System: remove dns entries' - - 'System: add dns entries' - - 'System: update dns entries' - - 'System: Modify Realm Domains' - - 'Retrieve Certificates from the CA' - - # unfortunately we don't have ansible module yet to create perms - # TODO(d34dh0r53): we should be able to obtain a token via curl - # which will allow us to perform these operations without a kinit first. - - name: add nova host management permissions - shell: | - ipa permission-find "{{ item.name }}" - if [ $? -ne 0 ]; then - ipa permission-add "{{ item.name }}" --right "{{ item.right }}" \ - --type "{{ item.type }}" --attrs "{{ item.attrs }}" - fi - loop: "{{ tripleo_ipa_perms|flatten(levels=1) }}" - - # unfortunately we don't have ansible module yet to create privileges - - name: add nova host privilege - shell: | - ipa privilege-find 'Nova Host Management' - if [ $? 
-ne 0 ]; then - ipa privilege-add --desc='Nova Host Management' 'Nova Host Management' - fi - - - name: add permissions to the nova host privilege - shell: | - ipa privilege-add-permission 'Nova Host Management' \ - --permission "{{ item }}" - register: add_perm_command - failed_when: - - add_perm_command.rc !=0 - - '"This entry is already a member" not in add_perm_command.stdout' - loop: "{{ tripleo_ipa_privilege_perms|flatten(levels=1) }}" - - - name: add nova host manager role - ipa_role: - name: Nova Host Manager - description: Nova Host Manager - ipa_user: "{{ ipa_principal }}" - ipa_pass: "{{ ipa_password }}" - privilege: - - Nova Host Management + - name: set perms, privs, roles + include_role: + name: triple_ipa_setup + tasks_from: setup + apply: + environment: + IPA_USER: "{ ipa_principal }" + IPA_PASS: "{ ipa_password }" diff --git a/tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml b/tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml index 6cdab89..85704a4 100644 --- a/tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml +++ b/tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml 
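Review bot: The `environment:` values under `apply:` use single braces, `IPA_USER: "{ ipa_principal }"` and `IPA_PASS: "{ ipa_password }"`, which Jinja does not expand, so the included role would receive those literal strings instead of the credentials; they should read `IPA_USER: "{{ ipa_principal }}"` and `IPA_PASS: "{{ ipa_password }}"`. The role name `triple_ipa_setup` also looks like a typo for `tripleo_ipa_setup`, the directory this change edits under `tripleo_ipa/roles/`, and `include_role` would not find it as written. Both slips would surface only at run time against a real IPA server, so a molecule scenario that exercises this playbook would be worth having. The `ipa_principal`/`ipa_password` definitions shown as context belong to a vars block that starts above the hunk.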
@@ -43,17 +43,39 @@ record_type: "{{ 'A' if record_value| ansible.netcommon.ipv4 else 'AAAA' }}" - name: add dns zone - ipa_dnszone: - zone_name: "{{ zone_name }}" + freeipa.ansible_freeipa.ipadnszone: + name: "{{ zone_name }}" become: true - - name: add forward dns record - ipa_dnsrecord: - zone_name: "{{ zone_name }}" - record_name: "{{ record_name }}" - record_type: "{{ record_type }}" - record_value: "{{ record_value }}" - become: true + - name: Modify or add forward dns + block: + - name: try modifying forward dns record + freeipa.ansible_freeipa.ipadnsrecord: + zone_name: "{{ zone_name }}" + record_name: "{{ record_name }}" + record_type: "{{ record_type }}" + a_rec: "{{ record_value }}" + a_ip_address: "" + when: record_type == 'A' + become: true + + - name: try modifying forward dns record + freeipa.ansible_freeipa.ipadnsrecord: + zone_name: "{{ zone_name }}" + record_name: "{{ record_name }}" + record_type: "{{ record_type }}" + aaaa_rec: "{{ record_value }}" + aaaa_ip_address: "" + when: record_type == 'AAAA' + become: true + rescue: + - name: add forward dns record + freeipa.ansible_freeipa.ipadnsrecord: + zone_name: "{{ zone_name }}" + record_name: "{{ record_name }}" + record_type: "{{ record_type }}" + record_value: "{{ record_value }}" + become: true - name: get reverse record data set_fact: 
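Review bot: The two tasks inside the `block:` are both named `try modifying forward dns record`, which makes play output and `--start-at-task` ambiguous; naming them by record type, `try modifying forward A record` and `try modifying forward AAAA record`, removes that. The `rescue:` also fires on any failure of the modify attempt, not only on a missing record, so an authentication or connectivity error would be swallowed and replaced by an add attempt whose own error is the only one reported; if the module distinguishes "not found" in its message, a `failed_when` on that text would be tighter than a blanket rescue. I cannot tell from the hunk what an empty `a_ip_address: ""` / `aaaa_ip_address: ""` is meant to express to the module, so a one-line comment above those keys explaining why the value is empty would save the next reader a trip to the collection docs. The `record_type` fact shown as context is set in a task that starts above the hunk.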
@@ -72,23 +94,30 @@ when: record_type == 'AAAA' - name: add reverse record dns zone - ipa_dnszone: - zone_name: "{{ reverse_record_zone }}" + freeipa.ansible_freeipa.ipadnszone: + name: "{{ reverse_record_zone }}" register: reverse_zone_result - failed_when: - - "'zone' not in reverse_zone_result" - - "'already exists in DNS' not in reverse_zone_result.msg" + failed_when: reverse_zone_result.failed and 'already exists in DNS' not in reverse_zone_result.msg become: true - - name: add reverse dns record - ipa_dnsrecord: - zone_name: "{{ reverse_record_zone }}" - record_name: "{{ reverse_record_name }}" - record_value: "{{ record_name }}.{{ zone_name }}." - record_type: "PTR" - register: reverse_record_result - failed_when: - - "'record' not in reverse_record_result" - - "'DNS zone not found' not in reverse_record_result.msg" - become: true + - name: Modify or add reverse dns record + block: + - name: try modifying reverse dns record + freeipa.ansible_freeipa.ipadnsrecord: + zone_name: "{{ reverse_record_zone }}" + record_name: "{{ reverse_record_name }}" + record_type: "PTR" + ptr_rec: "{{ record_name }}.{{ zone_name }}." + ptr_hostname: "" + become: true + rescue: + - name: add reverse dns record + freeipa.ansible_freeipa.ipadnsrecord: + zone_name: "{{ reverse_record_zone }}" + record_name: "{{ reverse_record_name }}" + record_type: "PTR" + record_value: "{{ record_name }}.{{ zone_name }}." + register: reverse_record_result + failed_when: reverse_zone_result.failed and 'already exists in DNS' not in reverse_zone_result.msg + become: true when: zone_name is match("^(|.+\.)" + cloud_domain + "$") diff --git a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml index b17d294..e8f0545 100644 --- a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml +++ b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml 
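Review bot: The rescue task `add reverse dns record` registers `reverse_record_result` but its `failed_when` tests `reverse_zone_result`, the result of the earlier zone task; by the time the rescue runs that task has succeeded, so `reverse_zone_result.failed` is false and a failing record add is always reported as OK. It should test the variable it registers: `failed_when: reverse_record_result.failed and 'already exists in DNS' not in reverse_record_result.msg`. Whether `already exists in DNS` is the right text to tolerate for a record (the removed version tolerated `DNS zone not found`) I cannot tell from the hunk. The trailing `when: zone_name is match(...)` appears to belong to an enclosing block whose start is above the hunk.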
@@ -44,43 +44,22 @@ when: enroll_base_server|bool become: true block: - - name: destroy the old keytab - command: "kdestroy -A" + - name: add new host with one-time password + freeipa.ansible_freeipa.ipahost: + name: "{{ base_server_fqdn }}" + random: true + force: true + state: present + register: ipa_host + failed_when: ipa_host.failed and "Password cannot be set on enrolled host" not in ipa_host.msg - - name: get a new keytab - command: "kinit -kt /etc/novajoin/krb5.keytab {{ principal }}" - - - name: get host raw data and keytab info - command: "ipa host-show --raw --all {{ base_server_fqdn }}" - register: host_raw_data - changed_when: false - failed_when: false - - - name: Print debug data - debug: var=host_raw_data - - - name: confirm that host is not already registered with current keytab - when: '"has_keytab: TRUE" not in host_raw_data.stdout' - block: - - name: remove stale host if present - when: host_raw_data.rc == 0 - ipa_host: - fqdn: "{{ base_server_fqdn }}" - state: absent - - - name: add new host with random one-time password - ipa_host: - fqdn: "{{ base_server_fqdn }}" - random_password: true - force: true - register: ipa_host - - - name: set otp as a host fact - set_fact: - ipa_host_otp: "{{ ipa_host.host.randompassword }}" - no_log: true - delegate_facts: true - delegate_to: "{{ tripleo_ipa_delegate_server }}" + - name: set otp as a host fact + set_fact: + ipa_host_otp: "{{ ipa_host.host.randompassword }}" + no_log: true + delegate_facts: true + delegate_to: "{{ tripleo_ipa_delegate_server }}" + when: "'host' in ipa_host" - name: add required services include: services.yml diff --git a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/services.yml b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/services.yml index ff1946e..e8602db 100644 --- a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/services.yml +++ b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/services.yml 
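Review bot: The `set_fact` guard `when: "'host' in ipa_host"` does not establish that `ipa_host.host.randompassword` exists; on the tolerated `Password cannot be set on enrolled host` path the return may carry a `host` mapping without `randompassword`, and the fact task would then fail on an undefined attribute while `no_log` hides the detail. Guarding on the value itself is safer: `when: ipa_host.host is defined and ipa_host.host.randompassword is defined`. Since `ipa_host_otp` is now left unset whenever the host was already enrolled, any later task that consumes it (not visible from here) needs the same guard or a defined default. A comment above the `failed_when` stating why an already-enrolled host is acceptable, such as `# an already-enrolled host keeps its keytab; only the OTP step is skipped`, would make that tolerance reviewable. The enclosing `block:` starts above the hunk.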
@@ -31,28 +31,22 @@ service: "{{ item.1 }}" - name: add sub_host - ipa_host: + freeipa.ansible_freeipa.ipahost: fqdn: "{{ sub_host }}" force: true state: present - validate_certs: false become: true - name: add service - ipa_service: + freeipa.ansible_freeipa.ipaservice: name: "{{ service }}/{{ sub_host }}" force: true state: present - validate_certs: false become: true - register: my_service -- name: add host to managed_hosts if needed - when: base_server_fqdn not in my_service['host']['managedby_host'] - ipa_service: - name: "{{ service }}/{{ sub_host }}" - force: true - state: present - hosts: "{{ my_service['host']['managedby_host'] + [ base_server_fqdn ] }}" - validate_certs: false +- name: add host to managed_hosts if needed (shell) + shell: | + ipa service-add-host --hosts "{{ base_server_fqdn }}" "{{ service }}"/"{{ sub_host }}" + register: service_add_out + failed_when: service_add_out.failed and 'This entry is already a member' not in service_add_out.stdout become: true diff --git a/tripleo_ipa/roles/tripleo_ipa_setup/tasks/add_ipa_user.yml b/tripleo_ipa/roles/tripleo_ipa_setup/tasks/add_ipa_user.yml index 7db8159..2da89c7 100644 --- a/tripleo_ipa/roles/tripleo_ipa_setup/tasks/add_ipa_user.yml +++ b/tripleo_ipa/roles/tripleo_ipa_setup/tasks/add_ipa_user.yml 
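Review bot: The replacement `add host to managed_hosts if needed (shell)` task templates `base_server_fqdn`, `service` and `sub_host` straight into a shell command line, and its `failed_when` looks for the already-a-member text in `stdout`, where I am not certain the ipa CLI reports per-member failures (it may use `stderr`), in which case the task fails on every re-run. The `ipaservice` module adopted in the task above can express the same membership natively with `action: member` and `hosts`, which is idempotent, needs no string inspection and keeps the managed-by list additive, so I would replace the shell task with the module call below. If the shell form is kept, `command:` suffices since nothing here needs shell parsing, and the `failed_when` should then also inspect `stderr`.

```yaml
- name: add host to managed_hosts if needed
  freeipa.ansible_freeipa.ipaservice:
    name: "{{ service }}/{{ sub_host }}"
    hosts:
      - "{{ base_server_fqdn }}"
    action: member
    state: present
  become: true
```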
@@ -24,33 +24,20 @@ nova_service: "nova/{{ undercloud_fqdn }}" - name: add nova service - ipa_service: + freeipa.ansible_freeipa.ipaservice: name: "{{ nova_service }}" state: present force: true -# TODO(dsedgmen): remove when community ipa modules are replaced with ansible-freeipa -# From looking at the ansible-freeipa modules they take into account exsisting -# services assigned to the role -# https://review.opendev.org/c/x/tripleo-ipa/+/771065 -- name: get current list of services assigned role Nova Host Manager - ipa_role: - name: Nova Host Manager - register: services_roles - -# TODO(dsedgmen): remove when community ipa modules are replaced with ansible-freeipa -# From looking at the ansible-freeipa modules they take into account exsisting -# services assigned to the role -# https://review.opendev.org/c/x/tripleo-ipa/+/771065 -- name: create list of services for role - set_fact: - nova_service: "{{ [ nova_service ] + services_roles.role.member_service }}" - when: services_roles.role.member_service is defined - - name: add Nova Host Manager role - ipa_role: + freeipa.ansible_freeipa.iparole: name: Nova Host Manager description: Nova Host Manager privilege: - Nova Host Management + +- name: add service to the Nova Host Manager role + freeipa.ansible_freeipa.iparole: + name: Nova Host Manager service: "{{ nova_service }}" + action: member diff --git a/tripleo_ipa/roles/tripleo_ipa_setup/tasks/setup.yml b/tripleo_ipa/roles/tripleo_ipa_setup/tasks/setup.yml index 345c654..a6932af 100644 --- a/tripleo_ipa/roles/tripleo_ipa_setup/tasks/setup.yml +++ b/tripleo_ipa/roles/tripleo_ipa_setup/tasks/setup.yml 
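Review bot: The removed TODO comments carried the rationale that the ansible-freeipa role module preserves the services already assigned to the role, and the new `add service to the Nova Host Manager role` task depends on exactly that, but nothing in the file says so any more. A comment above the task would keep it: `# action: member adds nova_service to the role without touching its existing member services`. The `ipaservice` and `iparole` tasks here run without `become: true`, unlike the same modules in the `tripleo_ipa_registration` and `tripleo_ipa_dns` hunks; that matches the pre-change code, so it may be intentional, but it is worth confirming. The `nova_service` fact shown as context is set in a task that starts above the hunk.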
@@ -23,10 +23,10 @@ - name: set keytab permissions facts set_fact: novajoin_perms: - - {name: 'Modify host password', right: "write", type: "host", attrs: "userpassword"} - - {name: 'Write host certificate', right: "write", type: "host", attrs: "usercertificate"} - - {name: 'Modify host userclass', right: "write", type: "host", attrs: "userclass"} - - {name: 'Modify service managedBy attribute', right: "write", type: "service", attrs: "managedby"} + - {name: 'Modify host password', right: "write", type: "host", attrs: ["userpassword"]} + - {name: 'Write host certificate', right: "write", type: "host", attrs: ["usercertificate"]} + - {name: 'Modify host userclass', right: "write", type: "host", attrs: ["userclass"]} + - {name: 'Modify service managedBy attribute', right: "write", type: "service", attrs: ["managedby"]} novajoin_privilege_perms: - 'System: add hosts' - 'System: remove hosts' 
@@ -49,36 +49,32 @@ - 'System: Modify Realm Domains' - 'Retrieve Certificates from the CA' -# unfortunately we don't have ansible module yet to create perms - name: add nova host management permissions - shell: | - ipa permission-find "{{ item.name }}" - if [ $? -ne 0 ]; then - ipa permission-add "{{ item.name }}" --right "{{ item.right }}" \ - --type "{{ item.type }}" --attrs "{{ item.attrs }}" - fi + freeipa.ansible_freeipa.ipapermission: + name: "{{ item.name }}" + right: "{{ item.right }}" + object_type: "{{ item.type }}" + attrs: "{{ item.attrs }}" loop: "{{ novajoin_perms|flatten(levels=1) }}" -# unfortunately we don't have ansible module yet to create privileges - name: add Nova Host privilege - shell: | - ipa privilege-find 'Nova Host Management' - if [ $? -ne 0 ]; then - ipa privilege-add --desc='Nova Host Management' 'Nova Host Management' - fi + freeipa.ansible_freeipa.ipaprivilege: + name: Nova Host Management + description: Nova Host Management - name: add permissions to the Nova Host privilege - shell: | - ipa privilege-add-permission 'Nova Host Management' \ - --permission "{{ item }}" + freeipa.ansible_freeipa.ipaprivilege: + name: Nova Host Management + action: member + permission: "{{ item }}" register: add_perm_command failed_when: - - add_perm_command.rc !=0 - - '"This entry is already a member" not in add_perm_command.stdout' - loop: "{{ novajoin_privilege_perms|flatten(levels=1) }}" + - add_perm_command.failed + - '"This entry is already a member" not in add_perm_command.msg' + loop: "{{ novajoin_privilege_perms }}" - name: add Nova Host Manager role - ipa_role: + freeipa.ansible_freeipa.iparole: name: Nova Host Manager description: Nova Host Manager privilege: