3ea3550d8c
By namespacing the variable with the project name, we clarify what exactly we're providing if people want to invoke the ipa-server-register-undercloud.yaml tasks from another ansible playbook and fish the OTP out using a variable name. Change-Id: If053250937ce76705cdd5084d76869edca8404ce
60 lines
3.1 KiB
Markdown
60 lines
3.1 KiB
Markdown
# TLS-e IPA Server Configuration Roles
|
|
|
|
## Included Roles
|
|
|
|
This directory includes 3 playbooks (`ipa-server-*.yaml`) to be used for the TripleO TLS-e configuration of a FreeIPA server. The playbooks need to be run in the order that follows, however certain playbooks only need to be run once per IPA server:
|
|
|
|
---
|
|
1. `ipa-sever-create-role.yaml` The purpose of this playbook is to create a role on the IPA server with the appropriate permissions and privileges to add and remove hosts, principals, services and dns entries.
|
|
> Currently this playbook is required to be executed on an IPA client host with an active Kerberos token.
|
|
|
|
> This playbook only needs to be run once per IPA server.
|
|
---
|
|
2. `ipa-server-register-undercloud.yaml` This playbook registers the undercloud host as an IPA client and provides a one time password(OTP) to the operator for use in the undercloud configuration. An example of the final output of a successful run of this play will look like this:
|
|
```
|
|
TASK [provide OTP generated by IPA server] ****************************
|
|
ok: [localhost] => {
|
|
"msg": [
|
|
"The OTP provided by the IPA server is 9Ok~JEz!ul;&Sf:V<FOi-+",
|
|
"Please add the following to your undercloud.conf:",
|
|
"ipa_otp = 9Ok~JEz!ul;&Sf:V<FOi-+"
|
|
]
|
|
}
|
|
```
|
|
|
|
If you're including this playbook via another ansible execution, you can fetch
|
|
the one-time password via the ``tripleo_ipa_host_otp`` variable.
|
|
|
|
> This playbook does not require an active Kerberos token.
|
|
|
|
> This playbook needs to be run once per openstack deployment.
|
|
---
|
|
3. `ipa-server-create-principal.yaml` This playbook creates the nova user for the undercloud host created with `ipa-register-undercloud.yaml` and adds it to the Nova Host Manager IPA role created by `ipa-server-create-role.yaml`.
|
|
> This playbook does not require an active Kerberos token.
|
|
|
|
> This playbook needs to be run once per openstack deployment.
|
|
---
|
|
## Environment/Ansible variables
|
|
The playbooks currently require the following variables to be set. These can either be environment variables or ansible variables passed either in a file or on the command line with the `-e` argument to the `ansible-playbook` command.
|
|
|
|
### `ENVIRONMENT/ansible` variable
|
|
* `tripleo_ipa_host` this is the host which ansible will connect to for playbook execution, this is the host that needs to be an IPA client. Defaults to `localhost`.
|
|
* `IPA_PRINCIPAL/tripleo_ipa_principal` is the IPA username with appropriate permissions and privileges to add roles and privileges. This value is required and has no default.
|
|
* `IPA_PASSWORD/tripleo_ipa_password` is the password for the IPA_PRINCIPAL. This value is required and has no default.
|
|
* `UNDERCLOUD_FQDN/tripleo_undercloud_fqdn` is the fully qualified domain name of the undercloud host. This value is required and has no default.
|
|
|
|
#### Example environment variables
|
|
```bash
|
|
export IPA_PRINCIPAL=admin
|
|
export IPA_PASSWORD=password
|
|
export UNDERCLOUD_FQDN=undercloud.ooo.test
|
|
```
|
|
|
|
#### Example ansible variables file
|
|
```yaml
|
|
---
|
|
tripleo_ipa_principal: admin
|
|
tripleo_ipa_password: password
|
|
tripleo_undercloud_fqdn: undercloud.ooo.test
|
|
```
|