Bump template version for all templates to "ocata"
[apex-tripleo-heat-templates.git] / puppet / extraconfig / tls / freeipa-enroll.yaml
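heat_template_version: ocata

description: Enroll nodes to FreeIPA

parameters:
  server:
    description: ID of the controller node to apply this config to
    type: string

  CloudDomain:
    description: >
      The configured cloud domain; this will also be used as the kerberos realm
    type: string

  # One-time enrollment password. "hidden: true" masks the value when the
  # stack's parameters are displayed; it is still handed to the deployment
  # below as a script input, so the script must never print it.
  FreeIPAOTP:
    default: ''
    description: 'OTP that will be used for FreeIPA enrollment'
    type: string
    hidden: true
  FreeIPAServer:
    default: ''
    description: 'FreeIPA server DNS name'
    type: string
  FreeIPAIPAddress:
    default: ''
    description: 'FreeIPA server IP Address'
    type: string

resources:
  # Shell script that enrolls the node as a FreeIPA client. It edits
  # /etc/hosts, may change the hostname, installs ipa-client, enrolls with
  # the OTP when no keytab exists yet, and finally requests a TGT.
  FreeIPAEnrollmentConfig:
    type: OS::Heat::SoftwareConfig
    properties:
      group: script
      inputs:
        - name: otp
        - name: ipa_server
        - name: ipa_domain
        - name: ipa_ip
      config: |
        #!/bin/sh
        # The inputs (otp, ipa_server, ipa_domain, ipa_ip) are read as shell
        # variables. Every expansion is quoted so that an empty or
        # space-containing value cannot shift the arguments of a command.
        # Do not enable "set -x": it would write the OTP to the captured
        # deployment output.

        # If no IPA server was given as a parameter, it will be assumed from
        # DNS.
        if [ -n "${ipa_server}" ]; then
            # The name is spliced into a sed expression below, so accept only
            # hostname characters; anything else (a "/" for instance) would
            # change the expression that is run against /etc/hosts.
            case "${ipa_server}" in
                *[!A-Za-z0-9._-]*)
                    echo "Invalid FreeIPA server name"
                    exit 1
                    ;;
            esac
            # Escape dots so they match literally rather than any character,
            # which keeps unrelated /etc/hosts entries from being deleted.
            ipa_server_re=$(printf '%s' "${ipa_server}" | sed 's/\./\\./g')
            sed -i "/${ipa_server_re}/d" /etc/hosts
            # Optionally add the FreeIPA server IP to /etc/hosts
            if [ -n "${ipa_ip}" ]; then
                echo "${ipa_ip}    ${ipa_server}" >> /etc/hosts
            fi
        fi
        # Set the node's domain if needed. The FQDN suffix is compared as a
        # literal string, not as a regular expression.
        case "$(hostname -f)" in
            *"${ipa_domain}")
                ;;
            *)
                hostnamectl set-hostname "$(hostname).${ipa_domain}"
                ;;
        esac
        yum install -y ipa-client
        # Enroll. If there is already keytab, we have already done this. If
        # this node hasn't enrolled and the OTP is missing, fail.
        if [ ! -f /etc/krb5.keytab ]; then
            if [ -z "${otp}" ]; then
                echo "OTP is missing"
                exit 1
            fi
            # Build the argument list in "$@" so --server is passed only when
            # a server was supplied. With an empty, unquoted value the option
            # would swallow the next argument instead of falling back to DNS.
            set -- -w "${otp}" --domain="${ipa_domain}" -U
            if [ -n "${ipa_server}" ]; then
                set -- --server "${ipa_server}" "$@"
            fi
            # NOTE(review): -w puts the OTP on the command line, where local
            # users can see it in the process list while the installer runs.
            # The value is single-use, which bounds the exposure.
            ipa-client-install "$@" || exit 1
        fi
        # Get a TGT
        kinit -k -t /etc/krb5.keytab

  # Runs the enrollment script on the node given by "server" and maps the
  # template parameters onto the script's inputs.
  FreeIPAControllerEnrollmentDeployment:
    type: OS::Heat::SoftwareDeployment
    properties:
      name: FreeIPAEnrollmentDeployment
      config: {get_resource: FreeIPAEnrollmentConfig}
      server: {get_param: server}
      input_values:
        otp: {get_param: FreeIPAOTP}
        ipa_server: {get_param: FreeIPAServer}
        ipa_domain: {get_param: CloudDomain}
        ipa_ip: {get_param: FreeIPAIPAddress}

outputs:
  # The script's stdout is exported here, so nothing the script prints may
  # contain the OTP.
  deploy_stdout:
    description: Output of the FreeIPA enrollment deployment
    value: {get_attr: [FreeIPAControllerEnrollmentDeployment, deploy_stdout]}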