diff options
author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-12-20 10:02:23 +0200 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-12-20 14:37:08 +0200 |
commit | d2c61c5b79500ee8a4509343d3fc80782002fd78 (patch) | |
tree | 3e52e73757b6429b4eede9b863b63cc7c3f934cb /puppet | |
parent | 58d711e29f39d38660e5eaf6c6a06e1121d73af6 (diff) |
FreeIPA: Make OTP and FreeIPA server parameters optional
In the freeipa-enroll.yaml, it can be the case that the node has been
enrolled (via a cloud-init script); in this case, the OTP and the
FreeIPA server are optional. However, we still need to get a kerberos
ticket, which is the last step of this script, since this ticket is what
certmonger will use to request the certificates in subsequent steps.
Change-Id: I7e9d6a747cdcbe81c9a74a17db5e91aa9d459f65
Diffstat (limited to 'puppet')
-rw-r--r-- | puppet/extraconfig/tls/freeipa-enroll.yaml | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/puppet/extraconfig/tls/freeipa-enroll.yaml b/puppet/extraconfig/tls/freeipa-enroll.yaml index 44be7c65..84d431fb 100644 --- a/puppet/extraconfig/tls/freeipa-enroll.yaml +++ b/puppet/extraconfig/tls/freeipa-enroll.yaml @@ -13,10 +13,12 @@ parameters: type: string FreeIPAOTP: + default: '' description: 'OTP that will be used for FreeIPA enrollment' type: string hidden: true FreeIPAServer: + default: '' description: 'FreeIPA server DNS name' type: string FreeIPAIPAddress: @@ -36,18 +38,27 @@ resources: - name: ipa_ip config: | #!/bin/sh - sed -i "/${ipa_server}/d" /etc/hosts - # Optionally add the FreeIPA server IP to /etc/hosts - if [ -n "${ipa_ip}" ]; then - echo "${ipa_ip} ${ipa_server}" >> /etc/hosts + # If no IPA server was given as a parameter, it will be assumed from + # DNS. + if [ -n "${ipa_server}" ]; then + sed -i "/${ipa_server}/d" /etc/hosts + # Optionally add the FreeIPA server IP to /etc/hosts + if [ -n "${ipa_ip}" ]; then + echo "${ipa_ip} ${ipa_server}" >> /etc/hosts + fi fi # Set the node's domain if needed if [ ! $(hostname -f | grep "${ipa_domain}$") ]; then hostnamectl set-hostname "$(hostname).${ipa_domain}" fi yum install -y ipa-client - # Enroll. If there is already keytab, we have already done this. + # Enroll. If there is already keytab, we have already done this. If + # this node hasn't enrolled and the OTP is missing, fail. if [ ! -f /etc/krb5.keytab ]; then + if [ -z "${otp}" ]; then + echo "OTP is missing" + exit 1 + fi ipa-client-install --server ${ipa_server} -w ${otp} \ --domain=${ipa_domain} -U fi |