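heat_template_version: ocata

description: Enroll nodes to FreeIPA

parameters:
  server:
    description: ID of the controller node to apply this config to
    type: string
  CloudDomain:
    description: >
      The configured cloud domain; this will also be used as the kerberos realm
    type: string
  FreeIPAOTP:
    default: ''
    description: 'OTP that will be used for FreeIPA enrollment'
    type: string
    # Keep the one-time password out of stack-show output.
    hidden: true
  FreeIPAServer:
    default: ''
    description: 'FreeIPA server DNS name'
    type: string
  FreeIPAIPAddress:
    default: ''
    description: 'FreeIPA server IP Address'
    type: string

resources:
  FreeIPAEnrollmentConfig:
    type: OS::Heat::SoftwareConfig
    properties:
      group: script
      # Each input is handed to the script below as an environment
      # variable of the same name.
      inputs:
        - name: otp
        - name: ipa_server
        - name: ipa_domain
        - name: ipa_ip
      config: |
        #!/bin/sh
        # Abort on the first failing command so a failed package install or
        # enrollment is reported by the deployment instead of being masked
        # by the final kinit.
        set -e

        # If no IPA server was given as a parameter, it will be assumed from
        # DNS.
        if [ -n "${ipa_server}" ]; then
          # Drop any stale /etc/hosts entry for the server before (re)adding
          # it. Note the name is used as a regex, so dots match any character.
          sed -i "/${ipa_server}/d" /etc/hosts
          # Optionally add the FreeIPA server IP to /etc/hosts
          if [ -n "${ipa_ip}" ]; then
            echo "${ipa_ip} ${ipa_server}" >> /etc/hosts
          fi
        fi

        # Set the node's domain if needed. Use grep's exit status rather
        # than word-splitting its output inside [ ].
        if ! hostname -f | grep -q "${ipa_domain}$"; then
          hostnamectl set-hostname "$(hostname).${ipa_domain}"
        fi

        yum install -y ipa-client

        # Enroll. If there is already keytab, we have already done this. If
        # this node hasn't enrolled and the OTP is missing, fail.
        if [ ! -f /etc/krb5.keytab ]; then
          if [ -z "${otp}" ]; then
            echo "OTP is missing"
            exit 1
          fi
          # Build the argument list so --server is only passed when a server
          # was given: an empty ${ipa_server} would otherwise make --server
          # consume the following option and defeat the DNS-based discovery
          # promised above. The OTP is passed as an argument and is therefore
          # briefly visible in the process table on this node.
          set -- --domain="${ipa_domain}" -w "${otp}" -U
          if [ -n "${ipa_server}" ]; then
            set -- "$@" --server "${ipa_server}"
          fi
          ipa-client-install "$@"
        fi

        # Get a TGT
        kinit -k -t /etc/krb5.keytab

  FreeIPAControllerEnrollmentDeployment:
    type: OS::Heat::SoftwareDeployment
    properties:
      name: FreeIPAEnrollmentDeployment
      config: {get_resource: FreeIPAEnrollmentConfig}
      server: {get_param: server}
      input_values:
        otp: {get_param: FreeIPAOTP}
        ipa_server: {get_param: FreeIPAServer}
        ipa_domain: {get_param: CloudDomain}
        ipa_ip: {get_param: FreeIPAIPAddress}

outputs:
  deploy_stdout:
    description: Output of the FreeIPA enrollment deployment
    value: {get_attr: [FreeIPAControllerEnrollmentDeployment, deploy_stdout]}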