aboutsummaryrefslogtreecommitdiffstats
path: root/puppet
diff options
context:
space:
mode:
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-12-20 10:02:23 +0200
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-12-20 14:37:08 +0200
commitd2c61c5b79500ee8a4509343d3fc80782002fd78 (patch)
tree3e52e73757b6429b4eede9b863b63cc7c3f934cb /puppet
parent58d711e29f39d38660e5eaf6c6a06e1121d73af6 (diff)
FreeIPA: Make OTP and FreeIPA server parameters optional
In the freeipa-enroll.yaml, it can be the case that the node has been enrolled (via a cloud-init script); in this case, the OTP and the FreeIPA server are optional. However, we still need to get a kerberos ticket, which is the last step of this script, since this ticket is what certmonger will use to request the certificates in subsequent steps. Change-Id: I7e9d6a747cdcbe81c9a74a17db5e91aa9d459f65
Diffstat (limited to 'puppet')
-rw-r--r--puppet/extraconfig/tls/freeipa-enroll.yaml21
1 files changed, 16 insertions, 5 deletions
diff --git a/puppet/extraconfig/tls/freeipa-enroll.yaml b/puppet/extraconfig/tls/freeipa-enroll.yaml
index 44be7c65..84d431fb 100644
--- a/puppet/extraconfig/tls/freeipa-enroll.yaml
+++ b/puppet/extraconfig/tls/freeipa-enroll.yaml
@@ -13,10 +13,12 @@ parameters:
type: string
FreeIPAOTP:
+ default: ''
description: 'OTP that will be used for FreeIPA enrollment'
type: string
hidden: true
FreeIPAServer:
+ default: ''
description: 'FreeIPA server DNS name'
type: string
FreeIPAIPAddress:
@@ -36,18 +38,27 @@ resources:
- name: ipa_ip
config: |
#!/bin/sh
- sed -i "/${ipa_server}/d" /etc/hosts
- # Optionally add the FreeIPA server IP to /etc/hosts
- if [ -n "${ipa_ip}" ]; then
- echo "${ipa_ip} ${ipa_server}" >> /etc/hosts
+ # If no IPA server was given as a parameter, it will be assumed from
+ # DNS.
+ if [ -n "${ipa_server}" ]; then
+ sed -i "/${ipa_server}/d" /etc/hosts
+ # Optionally add the FreeIPA server IP to /etc/hosts
+ if [ -n "${ipa_ip}" ]; then
+ echo "${ipa_ip} ${ipa_server}" >> /etc/hosts
+ fi
fi
# Set the node's domain if needed
if [ ! $(hostname -f | grep "${ipa_domain}$") ]; then
hostnamectl set-hostname "$(hostname).${ipa_domain}"
fi
yum install -y ipa-client
- # Enroll. If there is already keytab, we have already done this.
+ # Enroll. If there is already keytab, we have already done this. If
+ # this node hasn't enrolled and the OTP is missing, fail.
if [ ! -f /etc/krb5.keytab ]; then
+ if [ -z "${otp}" ]; then
+ echo "OTP is missing"
+ exit 1
+ fi
ipa-client-install --server ${ipa_server} -w ${otp} \
--domain=${ipa_domain} -U
fi