puppet-freeipa merge requests
https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests
2023-09-08T19:22:29+02:00

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/139
add allow-zone-overlap option during install
2023-09-08T19:22:29+02:00
Patrick Brideau

As described in the title: when running `ipa-server-install` or `ipa-replica-install`, allow forcing the DNS installation when there is a duplicate DNS entry, with the option `--allow-zone-overlap`.
From `ipa-server-install --help`:
```
DNS options:
--allow-zone-overlap
Create DNS zone even if it already exists
```

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/138
Add random-serial-numbers option during install
2023-01-17T21:19:47+01:00
Patrick Brideau

The 4.10 IPA version now supports having the Certificate Authority generate serial numbers randomly instead of sequentially.
https://freeipa.readthedocs.io/en/ipa-4-10/designs/random-serial-numbers.html
This MR enables this option during install.

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/137
Support for external CA
2022-11-09T21:51:21+01:00
Patrick Brideau

Partial implementation of issue #95. The CSR will be generated and ready to be signed by an external CA.
My change does not support the usage of `$external_cert_files` described in the previous issue, only the generation of the CSR.
In my opinion, the workflow is not very good if you have to run puppet, then sign the CSR, then commit your addition of the CRT to puppet, then run puppet again, all during the setup of the IPA server…
In my setup, once puppet run is completed, the CSR will be available in `/root/ipa.csr`. After it has been signed by your external CA, you must complete the installation process manually on the server:
```bash
ipa-server-install \
--external-cert-file /root/ipa.crt \
--external-cert-file /root/ca.crt
```
Note: I also added a line about `ca_subject` in `README.md`; my other merge request related to this one is !135.
It is also quite hard to write a test for this change, as it would have to be an acceptance test and would require multiple phases (run, then sign the CSR, then run again…). So I simply test that the code compiles in a unit test.

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/136
Resolve "setup release with blacksmith"
2022-10-13T18:24:29+02:00
Fabien Combernous

Closes #129
Milestone: next-release

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/135
add ca_subject option
2022-11-07T17:17:38+01:00
Patrick Brideau

As mentioned in https://gitlab.adullact.net/adullact/puppet-freeipa/-/issues/95, I want to be able to change the default CA Subject:
```
openssl x509 -in /etc/ipa/ca.crt -noout -subject
subject=O = TEST.EXAMPLE.COM, CN = Certificate Authority
```
with this change:
```puppet
$realm = 'TEST.EXAMPLE.COM'
class { 'freeipa' :
[...]
ca_subject => "CN=Secondary Certificate Authority,O=${realm}"
}
```
```bash
openssl x509 -in /etc/ipa/ca.crt -noout -subject
subject=O = TEST.EXAMPLE.COM, CN = Secondary Certificate Authority
```
As mentioned in the `ipa-server-install --help`:
```
--ca-subject=CA_SUBJECT
The CA certificate subject DN (default CN=Certificate
Authority,O=<realm-name>). RDNs are in LDAP order
(most specific RDN first).
```
There is no `--ca-subject` option in `ipa-replica-install --help`, so I guess you can’t set it, but I don’t have a setup to test it, so I do not know what the exact behavior is when creating a replica with the `--setup-ca` option.
Also, the test for `--ca-subject` is quite hard to do, as it implies running `openssl x509` as shown, so it would only be possible to run in acceptance, and even so it would be quite hard to run, I think. Therefore I did not add any. If you think it should be done at all costs, I’m not sure how I would proceed…

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/134
Resolve "prepare release 6.0.0"
2022-09-23T19:22:21+02:00
Fabien Combernous

Closes #125
Milestone: 6.0.0

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/133
Resolve "make some documentation clean up"
2022-09-22T14:48:59+02:00
Fabien Combernous

Closes #128
Milestone: 6.0.0

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/132
Resolve "allow puppetlabs-stdlib < 9, puppet-epel < 5"
2022-09-21T13:20:09+02:00
Fabien Combernous

Closes #127
Milestone: 6.0.0

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/131
Resolve "drop Puppet 5, add Puppet 7"
2022-09-21T12:10:38+02:00
Fabien Combernous

Closes #126
Milestone: 6.0.0

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/130
Use Sensitive data type for passwords
2022-09-23T18:25:00+02:00
Patrick Brideau

Currently, the master password of the whole infrastructure is displayed in the logs when the install `exec` fails:
```
Error: '/usr/sbin/ipa-client-install [...] --password='myverysecurepassword' [...]
```
Obviously, it is not a very secure way to display sensitive information.
This patch stores the password in an environment variable; at least the password is not displayed in the logs when the exec fails:
```
Error: '/usr/sbin/ipa-client-install [...] --password="$PASSWORD_USEDTO_JOINDOMAIN" [...]
```
I’ve also added support for providing the password as a `Sensitive` type, which exists in Puppet 6 and Puppet 7. It is not supported on Puppet 5 (which `metadata.json` claims to support), but Puppet 5 is EOL. I’ve adjusted `metadata.json`. I also added tests for this feature.
Any feedback is welcome!
Milestone: 6.0.0

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/129
fix missing ' in README.md
2022-09-21T09:30:35+02:00
Matteo A
Milestone: 6.0.0

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/128
fix ordering of operations
2022-09-21T09:30:35+02:00
Patrick Brideau

I had problems with
- `Freeipa::Install::Client/Exec[client_install_XXXX]`
- `Freeipa::Install::Server::master/Exec[servec_install_XXXX]`
`/bin/sh: /usr/sbin/ipa-client-install: No such file or directory`
Also, I had an error about `Service['httpd']` not being able to start, but it wasn’t installed yet.
The problem appeared for me after some other modules were installed (not sure if it is `puppet-yum` or `pcfens-ca_cert`), but the manifest was no longer compiling in the right order. Being explicit about the ordering of operations fixes the problem for me.
Milestone: 6.0.0

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/127
fix 'ipa_fluch_cache_cmd' typo
2021-06-15T09:38:51+02:00
Vinicius Zavam

By merging this request we fix the word `flush`, which was misspelled as `fluch`; nothing much special here.
The way used was a simple call of:
* %s/ipa_fluch_cache_cmd/ipa_flush_cache_cmd/g

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/126
Deprecate `stahnma-epel` to VoxPupulis
2020-11-17T17:19:48+01:00
Petter Ostergren

Deprecation update regarding the epel package, just as !121; however, it got a green light through the pipeline and is ready for shipping.
Milestone: 6.0.0

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/125
Deprecation update of epel package
2020-11-16T22:54:12+01:00
Petter Ostergren

Deprecation upgrade of the Epel package, just as MR !121; however, it was greenlighted through CI and is ready for shipping.

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/124
Resolve "Document Update : missing ipa_master_fqdn mandatory parameter"
2020-11-17T17:11:47+01:00
Fabien Combernous

Closes #118
Milestone: 6.0.0

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/123
Resolve "missing enable_hostname management for client"
2020-11-17T17:11:47+01:00
Fabien Combernous

Closes #122
Milestone: 6.0.0

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/122
Resolve "disable acceptance testing about tasks"
2020-11-17T17:11:46+01:00
Fabien Combernous

Closes #121
Milestone: 6.0.0

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/121
Deprecate `stahnma-epel` and use VoxPupuli's `puppet-epel`
2020-11-17T18:17:08+01:00
Vinicius Zavam

By accepting and applying this merge request we will be able to:
- no longer use a **[deprecated](https://forge.puppet.com/stahnma/epel)** module to deal with EPEL;
- track a currently supported module maintained by [Vox Pupuli](https://forge.puppet.com/puppet/epel).
_The version of `puppet-freeipa` was intentionally not updated, so that upstream's developers decide on bumping it once the patches are applied._

https://gitlab.adullact.net/adullact/puppet-freeipa/-/merge_requests/120
Allow `--force-join` option to be configured via class parameter
2022-09-21T09:25:26+02:00
Vinicius Zavam

By merging this request we will be able to:
- set the `@force_join` parameter in our class' settings;
- pass the `--force-join` option to `ipa-client-install`;
- allow to override host entry on the server and force client enrollment;
- make use of this Role in STAGE or DEV environments (or Pipelines).
The use case behind this merge request is:
> As a sysadmin using **puppet-freeipa**, I want to be able to fully enroll a STAGING environment with client machines without the need of setting an IPA server up or resetting its clients' entries.
Latest PIPELINE before the creation of this MR: https://gitlab.adullact.net/egypcio/puppet-freeipa/-/pipelines/11357
- Syntax OK
- Unit OK
- Acceptance (Puppet5) FAILED - Output [here](https://gitlab.adullact.net/egypcio/puppet-freeipa/-/jobs/42272), not related to new added code.
Tested deployed code into test env:
- Related `Puppetfile` entry
```
mod 'adullact-freeipa',
:git => 'https://gitlab.adullact.net/egypcio/puppet-freeipa',
:commit => '5067aa928ef706e8aaf39e863d4ecff94d7e7444'
```
- Agent's output
```sh
# puppet agent -t
...
Info: Caching catalog for ns3.localdomain
Info: Applying configuration version '1603192735'
Notice: /Stage[main]/Profile::Basepackages/Package[vim]/ensure: created
Notice: /Stage[main]/Profile::Basepackages/Package[ruby]/ensure: created
Notice: /Stage[main]/Freeipa::Install::Client/Exec[client_install_ns3.localdomain]/returns: executed successfully
...
# date
Tue Oct 20 11:22:09 UTC 2020
```
- Class used for the test and setup
```
class { 'freeipa':
ipa_role => 'client',
principal_usedto_joindomain => 'foo',
ipa_master_fqdn => 'ipa.localdomain',
domain => 'localdomain',
password_usedto_joindomain => '123FreeCookiesForAll!',
directory_services_password => '123FreeCookiesForAll!',
puppet_admin_password => '123FreeCookiesForAll!',
install_epel => false,
ip_address => $ipaddress,
configure_ntp => false,
force_join => true
}
```