Dave Wilde (d34dh0r53) c22fc8d07d Playbooks to configure IPA server for tripleo use
These playbooks are intended to be run against a pre-existing IPA
server and will create the correct roles, permissions and users for
use with tripleo.  The final playbook will provide an OTP to be used
during the configuration of the undercloud.

Change-Id: I2f1c39bc023491f19b917c1a6030937fee3eb101
2020-06-09 10:36:42 -05:00

TLS-e IPA Server Configuration Roles

Included Roles

This directory includes 3 playbooks (ipa-server-*.yaml) to be used for the TripleO TLS-e configuration of a FreeIPA server. The playbooks need to be run in the order that follows; however, some of them only need to be run once per IPA server:


  1. ipa-server-create-role.yaml The purpose of this playbook is to create a role on the IPA server with the appropriate permissions and privileges to add and remove hosts, principals, services and DNS entries.

Currently this playbook must be executed on an IPA client host with an active Kerberos token.

This playbook only needs to be run once per IPA server.


  2. ipa-register-undercloud.yaml This playbook registers the undercloud host as an IPA client and provides a one-time password (OTP) to the operator for use in the undercloud configuration. The final output of a successful run of this playbook looks like this:
TASK [provide OTP generated by IPA server] ****************************
ok: [localhost] => {
    "msg": [
        "The OTP provided by the IPA server is 9Ok~JEz!ul;&Sf:V<FOi-+",
        "Please add the following to your undercloud.conf:",
        "ipa_otp = 9Ok~JEz!ul;&Sf:V<FOi-+"
    ]
}

This playbook does not require an active Kerberos token.

This playbook needs to be run once per OpenStack deployment.


  3. ipa-server-create-principal.yaml This playbook creates the nova user for the undercloud host registered with ipa-register-undercloud.yaml and adds it to the Nova Host Manager IPA role created by ipa-server-create-role.yaml.

This playbook does not require an active Kerberos token.

This playbook needs to be run once per OpenStack deployment.


Environment/Ansible variables

The playbooks currently require the following variables to be set. They can be given either as environment variables or as Ansible variables, passed in a file or on the command line with the -e argument to ansible-playbook.

ENVIRONMENT/Ansible variable

  • tripleo_ipa_host is the host Ansible connects to for playbook execution; this is the host that needs to be an IPA client. Defaults to localhost.
  • IPA_PRINCIPAL/tripleo_ipa_principal is the IPA username with the permissions and privileges required to add roles and privileges. This value is required and has no default.
  • IPA_PASSWORD/tripleo_ipa_password is the password for IPA_PRINCIPAL. This value is required and has no default.
  • UNDERCLOUD_FQDN/tripleo_undercloud_fqdn is the fully qualified domain name of the undercloud host. This value is required and has no default.

Example environment variables

export IPA_PRINCIPAL=admin
export IPA_PASSWORD=password
export UNDERCLOUD_FQDN=undercloud.ooo.test

Example ansible variables file

---
tripleo_ipa_principal: admin
tripleo_ipa_password: password
tripleo_undercloud_fqdn: undercloud.ooo.test
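The following wrapper script is an added example and is not part of the tripleo-ipa project. It ties together the two sections above: it checks that the three required environment variables (IPA_PRINCIPAL, IPA_PASSWORD, UNDERCLOUD_FQDN) are set, runs the three playbooks in the documented order, extracts the OTP from the output of ipa-register-undercloud.yaml and stores it in a file readable only by the current user. The function names, the SKIP_ROLE and OTP_FILE variables and the sample output constant are assumptions made for this example; the sample output itself is the README's own example output, embedded so the parsing can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example wrapper for the tripleo-ipa playbooks (not project code).
# Required variables come from the environment, so the IPA password is never
# placed on the ansible-playbook command line with -e, where it would show up
# in process listings (ps) and shell history.

# Variables the README says every playbook run requires.
REQUIRED_VARS="IPA_PRINCIPAL IPA_PASSWORD UNDERCLOUD_FQDN"

# Copy of the README's example output of ipa-register-undercloud.yaml, kept
# here as constructed sample input so extract_otp can be tested offline.
SAMPLE_REGISTER_OUTPUT=$(cat <<'EOF'
TASK [provide OTP generated by IPA server] ****************************
ok: [localhost] => {
    "msg": [
        "The OTP provided by the IPA server is 9Ok~JEz!ul;&Sf:V<FOi-+",
        "Please add the following to your undercloud.conf:",
        "ipa_otp = 9Ok~JEz!ul;&Sf:V<FOi-+"
    ]
}
EOF
)

# check_required_vars: returns 0 when every variable in REQUIRED_VARS is set
# and non-empty; otherwise lists the missing names on stderr and returns 1.
check_required_vars() {
  missing=""
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "missing required variables:$missing" >&2
    return 1
  fi
  return 0
}

# extract_otp: reads playbook output on stdin and prints the value from the
# 'ipa_otp = ...' line that ipa-register-undercloud.yaml emits (first match).
extract_otp() {
  sed -n 's/^ *"ipa_otp = \(.*\)"$/\1/p' | head -n 1
}

# save_otp OTP PATH: writes 'ipa_otp = OTP' to PATH with mode 0600, so the
# secret can be copied into undercloud.conf without lingering in a
# world-readable log or terminal scrollback. Any existing file is replaced.
save_otp() {
  rm -f "$2"
  (umask 077; printf 'ipa_otp = %s\n' "$1" > "$2")
}

# run_playbooks: runs the playbooks in the documented order. Set SKIP_ROLE=1
# when ipa-server-create-role.yaml has already been run against this IPA
# server (it is once-per-server). OTP_FILE (assumed name) selects where the
# OTP is saved; it defaults to ./undercloud-ipa-otp.conf.
run_playbooks() {
  check_required_vars || return 1
  if [ "${SKIP_ROLE:-0}" != "1" ]; then
    # Needs an IPA client host with an active Kerberos token (see README).
    ansible-playbook ipa-server-create-role.yaml || return 1
  fi
  register_out=$(ansible-playbook ipa-register-undercloud.yaml) || return 1
  printf '%s\n' "$register_out"
  otp=$(printf '%s\n' "$register_out" | extract_otp)
  if [ -z "$otp" ]; then
    echo "no 'ipa_otp = ...' line found in playbook output" >&2
    return 1
  fi
  save_otp "$otp" "${OTP_FILE:-./undercloud-ipa-otp.conf}" || return 1
  ansible-playbook ipa-server-create-principal.yaml || return 1
  echo "OTP saved to ${OTP_FILE:-./undercloud-ipa-otp.conf}; add the ipa_otp line to undercloud.conf"
}

# Only run the full sequence when invoked as: ./run-tlse-ipa.sh run
if [ "${1:-}" = "run" ]; then
  run_playbooks
fi
```

Usage: export the three variables as shown under "Example environment variables", then run the script with the argument `run` (add `SKIP_ROLE=1` on the second and later deployments against the same IPA server). The password-on-command-line concern is why the wrapper reads IPA_PASSWORD from the environment rather than passing `-e tripleo_ipa_password=...`; the same applies if you use a variables file, which should be kept mode 0600 since it holds the IPA password in clear text.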