44be7c657c25a82657c94fa55f0f5ee01180b6e1
[apex-tripleo-heat-templates.git] / puppet / extraconfig / tls / freeipa-enroll.yaml
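# Heat template that enrolls one node as a FreeIPA client.
# It defines a shell-script SoftwareConfig and a SoftwareDeployment that runs
# that script on the server given by the `server` parameter.
heat_template_version: 2015-10-15

description: Enroll nodes to FreeIPA

parameters:
  server:
    description: ID of the controller node to apply this config to
    type: string

  CloudDomain:
    description: >
      The configured cloud domain; this will also be used as the kerberos realm
    type: string

  # One-time password consumed by ipa-client-install below.
  # `hidden: true` masks the value when stack parameters are displayed.
  # NOTE(review): the value is still passed to the deployment as the `otp`
  # script input; confirm who can read deployment inputs in this environment.
  FreeIPAOTP:
    description: 'OTP that will be used for FreeIPA enrollment'
    type: string
    hidden: true
  FreeIPAServer:
    description: 'FreeIPA server DNS name'
    type: string
  # Optional: when left empty the script adds no /etc/hosts entry.
  FreeIPAIPAddress:
    default: ''
    description: 'FreeIPA server IP Address'
    type: string

resources:
  FreeIPAEnrollmentConfig:
    type: OS::Heat::SoftwareConfig
    properties:
      group: script
      # The script reads these inputs as shell variables of the same name.
      inputs:
        - name: otp
        - name: ipa_server
        - name: ipa_domain
        - name: ipa_ip
      config: |
        #!/bin/sh
        # Drop any existing /etc/hosts line that mentions the FreeIPA server.
        # ipa_server is used as a sed regex here, so '.' matches any character
        # and the match is a substring match, not an exact host-name match.
        sed -i "/${ipa_server}/d" /etc/hosts
        # Optionally add the FreeIPA server IP to /etc/hosts
        if [ -n "${ipa_ip}" ]; then
            echo "${ipa_ip}    ${ipa_server}" >> /etc/hosts
        fi
        # Set the node's domain if needed: append the domain unless the FQDN
        # already ends with it. grep -q is used instead of testing an unquoted
        # command substitution inside [ ].
        if ! hostname -f | grep -q "${ipa_domain}\$"; then
            hostnamectl set-hostname "$(hostname).${ipa_domain}"
        fi
        # The exit status of yum is not checked; the script's exit status is
        # that of the final kinit.
        yum install -y ipa-client
        # Enroll. If there is already keytab, we have already done this.
        if [ ! -f /etc/krb5.keytab ]; then
            # All inputs are quoted so that a value containing whitespace or
            # glob characters is passed as a single argument.
            # The OTP is given as a command-line argument and is therefore
            # visible in the node's process list while this command runs.
            ipa-client-install --server "${ipa_server}" -w "${otp}" \
                --domain="${ipa_domain}" -U
        fi
        # Get a TGT from the keytab; this is the last command, so a failed
        # enrollment shows up here as a non-zero exit status.
        kinit -k -t /etc/krb5.keytab

  # Runs FreeIPAEnrollmentConfig on the target server and maps the template
  # parameters onto the script inputs.
  FreeIPAControllerEnrollmentDeployment:
    type: OS::Heat::SoftwareDeployment
    properties:
      name: FreeIPAEnrollmentDeployment
      config: {get_resource: FreeIPAEnrollmentConfig}
      server: {get_param: server}
      input_values:
        otp: {get_param: FreeIPAOTP}
        ipa_server: {get_param: FreeIPAServer}
        ipa_domain: {get_param: CloudDomain}
        ipa_ip: {get_param: FreeIPAIPAddress}

outputs:
  # NOTE(review): this exposes the script's stdout as a stack output; confirm
  # that the enrollment tools never print the OTP there.
  deploy_stdout:
    description: Output of the FreeIPA enrollment deployment
    value: {get_attr: [FreeIPAControllerEnrollmentDeployment, deploy_stdout]}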