Our jobs have been failing with:
"ERROR! the role 'triple_ipa_setup' was not found"
This commit should hopefully address that.
Change-Id: Icef739a7e57d640ace151b88a660af6b82ac93bc
Currently the molecule job runs extra python and linter checks.
This modifies it to run only molecule and adds the missing
linter job.
Change-Id: I8ae7ca2a134a55e99af995055748ebfcf2444fc5
The community.general ipa modules used in tripleo-ipa don't work
under FIPS deployment. This patch is fixing that by replacing them
with the ansible-freeipa ipa modules.
Co-Author: Ade Lee <alee@redhat.com>
Co-Author: Grzegorz Grasza <xek@redhat.com>
Change-Id: Ibfd1b34fdf3d533579512f531ac8619b356f9ba0
Modified zuul post playbook to collect all the ipa server logs
to enable debugging when tests fail because of errors in IPA
Change-Id: Icf8dba4c70e8903060c58dc77e0e67dd21e97284
The ipa_role explicitly sets the privileges to the list of services
provided instead of appending. So if a list of every service assigned
the role it will remove them. This will break integrations with other
underclouds if more than one is integrated with IPA.
Change-Id: I38e10fe0bbd2503a5b2b67a99c47eeb2f8152395
Closes-bug: #1943810
With certmonger management moving to ansible, we lose the
"certmonger_user" service, hence the ansible inventory group.
We can therefore use the "allovercloud" group instead - it will clean
the OC nodes while preserving the undercloud node.
This patch also drops the "loop" setting the "hosts_list" fact in favor
of a more efficient |map() filter.
Resolves: rhbz#2017849
Change-Id: Icd662f74fc40bb6c1b5e4e01a236e1994ca3cc83
Resolve ansible-lint issues in the role.
Move all to Ansible 2.11 testing, since new molecule
works with collections and TripleO will use Ansible 2.11/2.12
for deployment from Wallaby.
Use FQCN for Ansible collections.
Co-Author: Brendan Shephard <bshephar@redhat.com>
Change-Id: I35a94d3d6335a5589a1b4ed6f3c5c599ccc59eda
There is a conflict with pluggy:
molecule depends on pluggy<1.0 and >=0.7.1
The user requested (constraint) pluggy===1.0.0
Until molecule is fixed to work with openstack upper-constraints,
let's drop this configuration for molecule.
Change-Id: Ic7500dd7314363dcba4adb1082dc6c210d582df0
The tox option to skip source distribution building is skipsdist,
but this seems to be often misspelled skipdist instead, which gets
silently ignored and so does not take effect. Correct it
everywhere, in hopes that new projects will finally stop copying
this mistake around.
See https://tox.readthedocs.io/en/latest/config.html#conf-skipsdist
and https://github.com/tox-dev/tox/issues/1388 for details.
Change-Id: Ibaf0c26125319f655d0deb34358daf873aefdf6c
ansible_fqdn can give us a bad value in the standalone CI job.
The right value to get the principal is the one ipa knows about -
which is in default.conf. Use that instead.
Also, re-added the standalone to the check jobs.
Change-Id: I1852c8b745f3398154878396778487c901b0cccc
If we attempt the registration with an expired ticket, the attempt to
find existing systems fails. With the current code, this can result in
an attempt to re-create an existing host, resulting in problems on
stack updates.
To ensure we always have a valid ticket, we now do a kdestroy and kinit
before the first ipa invocation. We will also output the result of the
host show command to allow errors to be diagnosed more easily.
Change-Id: Id5f38d89a3c358288ff8dd21d718c161e03d9e36
Adding a host without a domain or with a different domain
caused failures with tls everywhere enabled. This patch
checks if the domain ends with cloud_domain to determine if
it should be managed by tripleo-ipa.
Change-Id: I15d72e95705cc77e40b4b74fb9320478c3fa5188
Closes-Bug: #1889105
Resolves: rhbz#1869174
Molecule job fails with:
ModuleNotFoundError: No module named 'setuptools_rust'
This error appeared following the release of cryptography 3.4, which
now includes Rust code. It can be installed without Rust using a
Python wheel, but only with more recent pip than version 9.0.3
available as RPM on CentOS 8.
The cryptography bug report [1] recommends pip>=19.1.1
The new pip is not supported on Python 2 / CentOS 7, so this change
also upgrades to CentOS 8 images.
This change also upgrades and fixes the ansible-lint job dependencies
and configuration.
[1] https://github.com/pyca/cryptography/issues/5753
Change-Id: I923020e7ec1f2ecbd7089096f22dd92fb36254a5
The move to collection based community modules is currently not
compatible with the call to ipa_role. This pins the ansible version
to a working version.
Change-Id: Ie495f8110245d723180bd57a572687c0b22166b0
Closes-Bug: 1901547
Fix gpg error when installing container.io
This change fixes the following error while manually installing
container.io:
"Failed to validate GPG signature for containerd.io"
Change-Id: I7ea0e55044d63d08206adb29905403982c7b13f8
By namespacing the variable with the project name, we clarify what
exactly we're providing if people want to invoke the
ipa-server-register-undercloud.yaml tasks from another ansible playbook
and fish the OTP out using a variable name.
Change-Id: If053250937ce76705cdd5084d76869edca8404ce
While otp is common language for folks who work regularly with identity
systems, we could be more clear for a wider audience. Update the
registration task name to spell out password.
Change-Id: I6c9e7fc93832c3ea0a02cf19a8c4d210b7b3d0b6
A recent bug [0] and fix upstream no longer ensures that we use the
tripleo-admin user as the ansible_ssh_user when invoking ansible
playbooks against the undercloud. This means we need to update the
keytab group to something else. Using root makes sense because the user
invoking the overcloud installation should already have root access.
In addition to changing the group, this patch updates the appropriate
tasks so they run with `become: true`, allowing them to access the
keytab.
[0] https://bugs.launchpad.net/tripleo/+bug/1884123
Partial-Bug: 1886870
Change-Id: I523d17f48b8e49e28a1b3becfd5e0cdf044ff742
Add the parameter tripleo_ipa_client_install_packages, which defaults
to true, to control whether ipa_client packages are installed as part
of the ansible-freeipa call for ipa-client-install.
Change-Id: I01965fdb3908f128f2a36e6f5c3562d555ad9a9e
centos-8: Setup test-python task fails with:
Failed to find required executable virtualenv.
This was dropped recently in the base image, so we need
to handle this ourselves. We also need to make sure
tox is available in test-python so that we can invoke
molecule.
Change-Id: I200d64103bee540076551fd026cc8f4c21b40411
These playbooks are intended to be run against a pre-existing IPA
server and will create the correct roles, permissions and users for
use with tripleo. The final playbook will provide an OTP to be used
during the configuration of the undercloud.
Change-Id: I2f1c39bc023491f19b917c1a6030937fee3eb101
This job is currently non-voting.
Before proceeding with further integration
work it will need to be moved to voting / gating
Change-Id: I6b263ea67947dd86cec763abcc6708169b4c616f
Between train and master there are some naming conventions in module
names that have changed, this will pick whichever exists on the
system.
Change-Id: I618fb2dab301641e19d1a849a5711106dedbb2d2
When we create hosts in IPA, we check to see if the keytab attribute of
the host is present. If it isn't, we assume the host isn't enrolled. We
should also check to make sure the host doesn't exist in FreeIPA. This
gives us the opportunity to clean up the existing host before attempting
to recreate it (and failing, or ignoring errors).
We need to recreate the host if it hasn't already been enrolled because
we need to know the OTP (given to us when we create the host) to enroll
the host as an IPA client later in the installation process.
This helps make tripleo-ipa more robust against hosts that are in a bad
state, where something went wrong on a previous deployment after the
host was created and before it was enrolled.
Change-Id: Ie31b2e49296563962d0c5985a13faf18a34f93da
TripleO was using python2 up to stable/train. This means we can
.decode() strings, which we did with hosts for hostnames. With python3,
we no longer need to do this and tripleo master is using python3.
Instead, we need to detect this case and handle it appropriately.
Change-Id: Icc211f5b685ec9df06cd25d6af3b28a5db4df590
This adds extra hosts in the deregister scenario and verifies
that those extra hosts and services are not deleted from IPA.
Change-Id: I90d73d3995d478e58bcf79e56a0987cf1a119a51
We already assume that the principal is of the form nova/<host>.domain.
No need therefore to pass that in as we can read host and domain from
default.conf.
This makes what we need to pass into the templates simpler.
Change-Id: Ibcb087dcd11c71429cd050f2784aedff31c3661b
We don't want to use the cloud_name because we do not know what
the cloud name is when we do a stack delete. The new code
calculates the zone name the same way that the code that
deletes dns entries does.
Change-Id: I4c84c006a4ea9a5c51230fdeff9af000b4f703e4