From d2c61c5b79500ee8a4509343d3fc80782002fd78 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Tue, 20 Dec 2016 10:02:23 +0200 Subject: FreeIPA: Make OTP and FreeIPA server parameters optional In the freeipa-enroll.yaml, it can be the case that the node has been enrolled (via a cloud-init script); in this case, the OTP and the FreeIPA server are optional. However, we still need to get a kerberos ticket, which is the last step of this script, since this ticket is what certmonger will use to request the certificates in subsequent steps. Change-Id: I7e9d6a747cdcbe81c9a74a17db5e91aa9d459f65 --- puppet/extraconfig/tls/freeipa-enroll.yaml | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) (limited to 'puppet/extraconfig/tls') diff --git a/puppet/extraconfig/tls/freeipa-enroll.yaml b/puppet/extraconfig/tls/freeipa-enroll.yaml index 44be7c65..84d431fb 100644 --- a/puppet/extraconfig/tls/freeipa-enroll.yaml +++ b/puppet/extraconfig/tls/freeipa-enroll.yaml @@ -13,10 +13,12 @@ parameters: type: string FreeIPAOTP: + default: '' description: 'OTP that will be used for FreeIPA enrollment' type: string hidden: true FreeIPAServer: + default: '' description: 'FreeIPA server DNS name' type: string FreeIPAIPAddress: 
@@ -36,18 +38,27 @@ resources: - name: ipa_ip config: | #!/bin/sh - sed -i "/${ipa_server}/d" /etc/hosts - # Optionally add the FreeIPA server IP to /etc/hosts - if [ -n "${ipa_ip}" ]; then - echo "${ipa_ip} ${ipa_server}" >> /etc/hosts + # If no IPA server was given as a parameter, it will be assumed from + # DNS. + if [ -n "${ipa_server}" ]; then + sed -i "/${ipa_server}/d" /etc/hosts + # Optionally add the FreeIPA server IP to /etc/hosts + if [ -n "${ipa_ip}" ]; then + echo "${ipa_ip} ${ipa_server}" >> /etc/hosts + fi fi # Set the node's domain if needed if [ ! $(hostname -f | grep "${ipa_domain}$") ]; then hostnamectl set-hostname "$(hostname).${ipa_domain}" fi yum install -y ipa-client - # Enroll. If there is already keytab, we have already done this. + # Enroll. If there is already keytab, we have already done this. If + # this node hasn't enrolled and the OTP is missing, fail. if [ ! -f /etc/krb5.keytab ]; then + if [ -z "${otp}" ]; then + echo "OTP is missing" + exit 1 + fi ipa-client-install --server ${ipa_server} -w ${otp} \ --domain=${ipa_domain} -U fi -- cgit 1.2.3-korg
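Review bot: The `ipa-client-install --server ${ipa_server} -w ${otp}` line at the end of the hunk still passes `--server` unconditionally, so with the new empty default the unquoted expansion collapses to `--server -w` and a typical option parser takes `-w` as the server name and leaves the OTP as a stray positional argument, rather than falling back to DNS discovery as the new comment promises; make the flag conditional and quote the expansions: `ipa-client-install ${ipa_server:+--server "${ipa_server}"} -w "${otp}" \` / `--domain="${ipa_domain}" -U`. The new failure message should go to stderr, `echo "OTP is missing" >&2`, so it is not mixed into the script's normal output. The OTP still travels on the command line, so it is presumably visible in `ps` and in any log that records the executed command while enrollment runs — worth a comment such as `# NOTE: the OTP is passed as an argument and may be exposed in process listings` if the deployment tooling captures it. The `sed -i "/${ipa_server}/d" /etc/hosts` moved inside the new guard is an unanchored regex with unescaped dots, so it can also delete unrelated /etc/hosts entries whose names merely resemble the server name. The SoftwareConfig resource that holds this script starts before the hunk.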