author | Jenkins <jenkins@review.openstack.org> | 2016-12-12 09:22:00 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2016-12-12 09:22:00 +0000 |
commit | 326fb47bfa3b26d191152cd659d76051faf771e3 (patch) | |
tree | 062b7d457118cb0d9f225955de4569e1476e26e0 /puppet | |
parent | 0cd7cbdd6f4f24e74aec752a9b29c9c106c54741 (diff) | |
parent | 7611f45722671bd007a8f4f5774473cadac00f76 (diff) |
Merge "Add FreeIPA enrollment template"
Diffstat (limited to 'puppet')
-rw-r--r-- | puppet/extraconfig/tls/freeipa-enroll.yaml | 72 |
1 files changed, 72 insertions, 0 deletions
diff --git a/puppet/extraconfig/tls/freeipa-enroll.yaml b/puppet/extraconfig/tls/freeipa-enroll.yaml
new file mode 100644
index 00000000..44be7c65
--- /dev/null
+++ b/puppet/extraconfig/tls/freeipa-enroll.yaml
@@ -0,0 +1,72 @@
+heat_template_version: 2015-10-15
+
+description: Enroll nodes to FreeIPA
+
+parameters:
+ server:
+ description: ID of the controller node to apply this config to
+ type: string
+
+ CloudDomain:
+ description: >
+ The configured cloud domain; this will also be used as the kerberos realm
+ type: string
+
+ FreeIPAOTP:
+ description: 'OTP that will be used for FreeIPA enrollment'
+ type: string
+ hidden: true
+ FreeIPAServer:
+ description: 'FreeIPA server DNS name'
+ type: string
+ FreeIPAIPAddress:
+ default: ''
+ description: 'FreeIPA server IP Address'
+ type: string
+
+resources:
+ FreeIPAEnrollmentConfig:
+ type: OS::Heat::SoftwareConfig
+ properties:
+ group: script
+ inputs:
+ - name: otp
+ - name: ipa_server
+ - name: ipa_domain
+ - name: ipa_ip
+ config: |
+ #!/bin/sh
+ sed -i "/${ipa_server}/d" /etc/hosts
+ # Optionally add the FreeIPA server IP to /etc/hosts
+ if [ -n "${ipa_ip}" ]; then
+ echo "${ipa_ip} ${ipa_server}" >> /etc/hosts
+ fi
+ # Set the node's domain if needed
+ if [ ! $(hostname -f | grep "${ipa_domain}$") ]; then
+ hostnamectl set-hostname "$(hostname).${ipa_domain}"
+ fi
+ yum install -y ipa-client
+ # Enroll. If there is already keytab, we have already done this.
+ if [ ! -f /etc/krb5.keytab ]; then
+ ipa-client-install --server ${ipa_server} -w ${otp} \
+ --domain=${ipa_domain} -U
+ fi
+ # Get a TGT
+ kinit -k -t /etc/krb5.keytab
+
+ FreeIPAControllerEnrollmentDeployment:
+ type: OS::Heat::SoftwareDeployment
+ properties:
+ name: FreeIPAEnrollmentDeployment
+ config: {get_resource: FreeIPAEnrollmentConfig}
+ server: {get_param: server}
+ input_values:
+ otp: {get_param: FreeIPAOTP}
+ ipa_server: {get_param: FreeIPAServer}
+ ipa_domain: {get_param: CloudDomain}
+ ipa_ip: {get_param: FreeIPAIPAddress}
+
+outputs:
+ deploy_stdout:
+ description: Output of the FreeIPA enrollment deployment
+ value: {get_attr: [FreeIPAControllerEnrollmentDeployment, deploy_stdout]} |
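Review bot: The enrollment script under `config: |` has no `set -e`, so a failed `yum install -y ipa-client` or `ipa-client-install` does not stop the run; execution falls through to `kinit -k -t /etc/krb5.keytab`, and whether the deployment is reported as failed then depends only on that last command, which can leave a node unenrolled with a misleading error. Adding `set -e` after the `#!/bin/sh` line makes the first failing step fail the deployment, and the unquoted `${ipa_server}`, `${otp}` and `${ipa_domain}` arguments to ipa-client-install should be double-quoted so a value containing whitespace is not split into extra arguments. A related point is that `-w ${otp}` places the one-time password in the command line, where it is readable from the process table on the node while the install runs even though `FreeIPAOTP` is declared `hidden: true`; if the ipa-client-install version in use can take the password from a prompt or stdin, that would keep it out of argv, otherwise a comment noting the exposure is worth adding. The test `if [ ! $(hostname -f | grep "${ipa_domain}$") ]` depends on an unquoted command substitution and breaks if that output ever contains whitespace; `if ! hostname -f | grep -q "${ipa_domain}$"; then` expresses the same check without it.
```yaml
      config: |
        #!/bin/sh
        set -e
        # … unchanged: /etc/hosts handling …
        if ! hostname -f | grep -q "${ipa_domain}$"; then
          hostnamectl set-hostname "$(hostname).${ipa_domain}"
        fi
        # … unchanged: yum install …
        if [ ! -f /etc/krb5.keytab ]; then
          ipa-client-install --server "${ipa_server}" -w "${otp}" \
            --domain="${ipa_domain}" -U
        fi
        # … unchanged: kinit …
```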