heat_template_version: ocata description: Enroll nodes to FreeIPA parameters: server: description: ID of the controller node to apply this config to type: string CloudDomain: description: > The configured cloud domain; this will also be used as the kerberos realm type: string FreeIPAOTP: default: '' description: 'OTP that will be used for FreeIPA enrollment' type: string hidden: true FreeIPAServer: default: '' description: 'FreeIPA server DNS name' type: string FreeIPAIPAddress: default: '' description: 'FreeIPA server IP Address' type: string resources: FreeIPAEnrollmentConfig: type: OS::Heat::SoftwareConfig properties: group: script inputs: - name: otp - name: ipa_server - name: ipa_domain - name: ipa_ip config: | #!/bin/sh # If no IPA server was given as a parameter, it will be assumed from # DNS. if [ -n "${ipa_server}" ]; then sed -i "/${ipa_server}/d" /etc/hosts # Optionally add the FreeIPA server IP to /etc/hosts if [ -n "${ipa_ip}" ]; then echo "${ipa_ip} ${ipa_server}" >> /etc/hosts fi fi # Set the node's domain if needed if [ ! $(hostname -f | grep "${ipa_domain}$") ]; then hostnamectl set-hostname "$(hostname).${ipa_domain}" fi yum install -y ipa-client # Enroll. If there is already keytab, we have already done this. If # this node hasn't enrolled and the OTP is missing, fail. if [ ! -f /etc/krb5.keytab ]; then if [ -z "${otp}" ]; then echo "OTP is missing" exit 1 fi ipa-client-install --server ${ipa_server} -w ${otp} \ --domain=${ipa_domain} -U fi # Get a TGT kinit -k -t /etc/krb5.keytab FreeIPAControllerEnrollmentDeployment: type: OS::Heat::SoftwareDeployment properties: name: FreeIPAEnrollmentDeployment config: {get_resource: FreeIPAEnrollmentConfig} server: {get_param: server} input_values: otp: {get_param: FreeIPAOTP} ipa_server: {get_param: FreeIPAServer} ipa_domain: {get_param: CloudDomain} ipa_ip: {get_param: FreeIPAIPAddress} outputs: deploy_stdout: description: Output of the FreeIPA enrollment deployment value: {get_attr: [FreeIPAControllerEnrollmentDeployment, deploy_stdout]}