Commit 5d0bf8fc authored by Fabien Combernous

Resolve "add fact that gives ipa role"

parent 61224e85
Facter.add(:iparole) do
confine kernel: 'Linux'
setcode do
pkicfg = '/etc/pki/pki-tomcat/ca/CS.cfg'
if File.exist? pkicfg
data = Facter::Core::Execution.execute("cat #{pkicfg}")
role = if data.gsub!(%r{ca.crl.MasterCRL.enableCRLUpdates=true}, '')
'master'
elsif data.gsub!(%r{ca.crl.MasterCRL.enableCRLUpdates=false}, '')
'replica'
else
nil
end
else
role = if (!File.exist? '/usr/sbin/ipactl') && (File.exist? '/usr/sbin/ipa-client-install')
'client'
else
nil
end
end
role
end
end
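Review bot: The fact reads CS.cfg by shelling out to `cat` on the `Facter::Core::Execution.execute` line and then probes the content with a destructive `gsub!`, which spawns a process just to read a local file and mutates `data` as a side effect of a yes/no question; `data = File.read(pkicfg)` followed by `role = if data =~ /^ca\.crl\.MasterCRL\.enableCRLUpdates=true$/` (and the `=false` counterpart) reads it in-process, leaves `data` intact, and the escaped, line-anchored pattern stops an unrelated key that merely contains that text from matching. The `else` branch reports `client` for any host that has `ipa-client-install` but no `ipactl`, which as far as I can tell also covers a host where the client package is installed but enrollment never ran, so the new compile-time guards in the manifests would then refuse a first server install on it; keying the client branch on a post-enrollment artefact such as `/etc/ipa/default.conf`, the file client.pp already uses as `creates`, would make the fact reflect actual enrollment state. When neither branch matches the fact resolves to `nil`, which presumably means Facter does not publish it and the manifests' `! $facts['iparole']` test relies on exactly that; a comment on the `nil` branches, `# nil: fact is not reported; manifests treat absence as "not yet enrolled"`, would make that contract explicit.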
...@@ -6,64 +6,68 @@ ...@@ -6,64 +6,68 @@
# #
class freeipa::install::client { class freeipa::install::client {
package{$freeipa::ipa_client_package_name: if ! $facts['iparole'] or $facts['iparole'] == 'client' {
ensure => present, package{$freeipa::ipa_client_package_name:
} ensure => present,
}
package{$freeipa::kstart_package_name:
ensure => present,
}
if $freeipa::client_install_ldaputils { package{$freeipa::kstart_package_name:
package { $freeipa::ldaputils_package_name:
ensure => present, ensure => present,
} }
}
if $freeipa::mkhomedir { if $freeipa::client_install_ldaputils {
$client_install_cmd_opts_mkhomedir = '--mkhomedir' package { $freeipa::ldaputils_package_name:
} else { ensure => present,
$client_install_cmd_opts_mkhomedir = '' }
} }
if $freeipa::fixed_primary { if $freeipa::mkhomedir {
$client_install_cmd_opts_fixed_primary = '--fixed-primary' $client_install_cmd_opts_mkhomedir = '--mkhomedir'
} else { } else {
$client_install_cmd_opts_fixed_primary = '' $client_install_cmd_opts_mkhomedir = ''
} }
if $freeipa::configure_ntp { if $freeipa::fixed_primary {
$client_install_cmd_opts_no_ntp = '' $client_install_cmd_opts_fixed_primary = '--fixed-primary'
} else { } else {
$client_install_cmd_opts_no_ntp = '--no-ntp' $client_install_cmd_opts_fixed_primary = ''
} }
$client_install_cmd = "/usr/sbin/ipa-client-install \ if $freeipa::configure_ntp {
--server=${freeipa::ipa_master_fqdn} \ $client_install_cmd_opts_no_ntp = ''
--realm=${freeipa::realm} \ } else {
--domain=${freeipa::domain} \ $client_install_cmd_opts_no_ntp = '--no-ntp'
--principal='${freeipa::principal_usedto_joindomain}' \ }
--password='${freeipa::password_usedto_joindomain}' \
${client_install_cmd_opts_mkhomedir} \
${client_install_cmd_opts_fixed_primary} \
${client_install_cmd_opts_no_ntp} \
--unattended"
exec { "client_install_${::fqdn}": $client_install_cmd = "/usr/sbin/ipa-client-install \
command => $client_install_cmd, --server=${freeipa::ipa_master_fqdn} \
timeout => 0, --realm=${freeipa::realm} \
unless => "cat /etc/ipa/default.conf | grep -i \"${freeipa::domain}\"", --domain=${freeipa::domain} \
creates => '/etc/ipa/default.conf', --principal='${freeipa::principal_usedto_joindomain}' \
logoutput => 'on_failure', --password='${freeipa::password_usedto_joindomain}' \
before => Service['sssd'], ${client_install_cmd_opts_mkhomedir} \
provider => 'shell', ${client_install_cmd_opts_fixed_primary} \
} ${client_install_cmd_opts_no_ntp} \
--unattended"
if $freeipa::install_sssd { exec { "client_install_${::fqdn}":
service { 'sssd': command => $client_install_cmd,
ensure => 'running', timeout => 0,
enable => true, unless => "cat /etc/ipa/default.conf | grep -i \"${freeipa::domain}\"",
require => Package[$freeipa::sssd_package_name], creates => '/etc/ipa/default.conf',
logoutput => 'on_failure',
before => Service['sssd'],
provider => 'shell',
} }
if $freeipa::install_sssd {
service { 'sssd':
ensure => 'running',
enable => true,
require => Package[$freeipa::sssd_package_name],
}
}
} else {
fail ("to change ipa_role from '${facts['iparole']}' to 'client' is not supported.")
} }
} }
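Review bot: The guard `if ! $facts['iparole'] or $facts['iparole'] == 'client' {` together with its `fail` branch is written out again with a different role literal in server.pp, master.pp and replica.pp in this commit, so the accepted-transition rule now lives in four places and the four error strings must be kept in step by hand. A single check in the place that already validates `$freeipa::ipa_role`, comparing it once against the fact — `if $facts['iparole'] and $facts['iparole'] != $freeipa::ipa_role { fail("to change ipa_role from '${facts['iparole']}' to '${freeipa::ipa_role}' is not supported.") }` — would let each install class keep its body unwrapped. Refusing the change at catalog compile time is the right behaviour, because re-running an installer on a host that is already enrolled in a different role is destructive; a one-line comment above the guard, `# Never run the installer on a host already enrolled in another role; iparole reflects on-disk state.`, records why the whole class is conditional.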
...@@ -5,103 +5,106 @@ ...@@ -5,103 +5,106 @@
# include freeipa::install::server # include freeipa::install::server
class freeipa::install::server { class freeipa::install::server {
Exec { if $facts['iparole'] != 'client' {
path => '/usr/local/bin/:/bin/:/sbin', Exec {
} path => '/usr/local/bin/:/bin/:/sbin',
}
package{$freeipa::ipa_server_package_name:
ensure => present,
}
package{$freeipa::kstart_package_name: package{$freeipa::ipa_server_package_name:
ensure => present, ensure => present,
} }
if $freeipa::server_install_ldaputils { package{$freeipa::kstart_package_name:
package { $freeipa::ldaputils_package_name:
ensure => present, ensure => present,
} }
}
$server_install_cmd_opts_idstart = "--idstart=${freeipa::idstart}" if $freeipa::server_install_ldaputils {
package { $freeipa::ldaputils_package_name:
ensure => present,
}
}
if $freeipa::enable_hostname { $server_install_cmd_opts_idstart = "--idstart=${freeipa::idstart}"
$server_install_cmd_opts_hostname = "--hostname=${freeipa::ipa_server_fqdn}"
end
} else {
$server_install_cmd_opts_hostname = ''
}
if $freeipa::enable_ip_address { if $freeipa::enable_hostname {
$server_install_cmd_opts_ip_address = "--ip-address ${freeipa::ip_address}" $server_install_cmd_opts_hostname = "--hostname=${freeipa::ipa_server_fqdn}"
} else { end
$server_install_cmd_opts_ip_address = '' } else {
} $server_install_cmd_opts_hostname = ''
}
if $freeipa::final_configure_dns_server { if $freeipa::enable_ip_address {
$server_install_cmd_opts_setup_dns = '--setup-dns' $server_install_cmd_opts_ip_address = "--ip-address ${freeipa::ip_address}"
} else { } else {
$server_install_cmd_opts_setup_dns = '' $server_install_cmd_opts_ip_address = ''
} }
if $freeipa::configure_ntp { if $freeipa::final_configure_dns_server {
$server_install_cmd_opts_no_ntp = '' $server_install_cmd_opts_setup_dns = '--setup-dns'
} else { } else {
$server_install_cmd_opts_no_ntp = '--no-ntp' $server_install_cmd_opts_setup_dns = ''
} }
if $freeipa::final_configure_dns_server { if $freeipa::configure_ntp {
if size($freeipa::custom_dns_forwarders) > 0 { $server_install_cmd_opts_no_ntp = ''
$server_install_cmd_opts_forwarders = join( } else {
prefix( $server_install_cmd_opts_no_ntp = '--no-ntp'
$freeipa::custom_dns_forwarders, }
'--forwarder '),
' ' if $freeipa::final_configure_dns_server {
) if size($freeipa::custom_dns_forwarders) > 0 {
$server_install_cmd_opts_forwarders = join(
prefix(
$freeipa::custom_dns_forwarders,
'--forwarder '),
' '
)
}
else {
$server_install_cmd_opts_forwarders = '--no-forwarders'
}
} }
else { else {
$server_install_cmd_opts_forwarders = '--no-forwarders' $server_install_cmd_opts_forwarders = ''
} }
}
else {
$server_install_cmd_opts_forwarders = ''
}
if $freeipa::no_ui_redirect {
$server_install_cmd_opts_no_ui_redirect = ''
} else {
$server_install_cmd_opts_no_ui_redirect = '--no-ui-redirect'
}
if $freeipa::ipa_role == 'master' { if $freeipa::no_ui_redirect {
contain 'freeipa::install::server::master' $server_install_cmd_opts_no_ui_redirect = ''
} elsif $freeipa::ipa_role == 'replica' { } else {
contain 'freeipa::install::server::replica' $server_install_cmd_opts_no_ui_redirect = '--no-ui-redirect'
} }
ensure_resource ( if $freeipa::ipa_role == 'master' {
'service', contain 'freeipa::install::server::master'
'httpd', } elsif $freeipa::ipa_role == 'replica' {
{ensure => 'running'}, contain 'freeipa::install::server::replica'
) }
contain 'freeipa::config::webui' ensure_resource (
'service',
'httpd',
{ensure => 'running'},
)
service { 'ipa': contain 'freeipa::config::webui'
ensure => 'running',
enable => true,
require => Exec["server_install_${freeipa::ipa_server_fqdn}"],
}
if $freeipa::install_sssd { service { 'ipa':
service { 'sssd':
ensure => 'running', ensure => 'running',
enable => true, enable => true,
require => Package[$freeipa::sssd_package_name], require => Exec["server_install_${freeipa::ipa_server_fqdn}"],
} }
}
freeipa::helpers::flushcache { "server_${freeipa::ipa_server_fqdn}": } if $freeipa::install_sssd {
class {'freeipa::config::admin_user': } service { 'sssd':
ensure => 'running',
enable => true,
require => Package[$freeipa::sssd_package_name],
}
}
freeipa::helpers::flushcache { "server_${freeipa::ipa_server_fqdn}": }
class {'freeipa::config::admin_user': }
} else {
fail ("to change ipa_role from '${facts['iparole']}' to '${freeipa::ipa_role}' is not supported.")
}
} }
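Review bot: The server guard `if $facts['iparole'] != 'client' {` only rejects enrolled clients, so a host whose fact reports `replica` still enters this class with `ipa_role => 'master'` (and vice versa) and is turned away only by the nested guard in master.pp or replica.pp, even though the `fail` on the else branch here already interpolates `${freeipa::ipa_role}` and could report the mismatch directly. Comparing against the requested role, `if ! $facts['iparole'] or $facts['iparole'] == $freeipa::ipa_role {`, rejects every role change at this level and leaves the nested guards as belt-and-braces. The hunk header places the class line inside the hunk and the final `}` looks like the class end, so the whole class appears to be in view.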
...@@ -20,24 +20,27 @@ class freeipa::install::server::master { ...@@ -20,24 +20,27 @@ class freeipa::install::server::master {
--auto-reverse \ --auto-reverse \
--unattended" --unattended"
file { '/etc/ipa/primary': if ! $facts['iparole'] or $facts['iparole'] == 'master' {
ensure => 'file', file { '/etc/ipa/primary':
content => 'Added by IPA Puppet module. Designates primary master. Do not remove.', ensure => 'file',
content => 'Added by IPA Puppet module. Designates primary master. Do not remove.',
}
-> exec { "server_install_${freeipa::ipa_server_fqdn}":
command => $server_install_cmd,
timeout => 0,
unless => '/usr/sbin/ipactl status >/dev/null 2>&1',
creates => '/etc/ipa/default.conf',
logoutput => 'on_failure',
notify => Freeipa::Helpers::Flushcache["server_${freeipa::ipa_server_fqdn}"],
before => Service['sssd'],
}
-> cron { 'k5start_root': #allows scp to replicas as root
command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1',
user => 'root',
minute => '*/1',
require => Package[$freeipa::kstart_package_name],
}
} else {
fail ("to change ipa_role from '${facts['iparole']}' to 'master' is not supported.")
} }
-> exec { "server_install_${freeipa::ipa_server_fqdn}":
command => $server_install_cmd,
timeout => 0,
unless => '/usr/sbin/ipactl status >/dev/null 2>&1',
creates => '/etc/ipa/default.conf',
logoutput => 'on_failure',
notify => Freeipa::Helpers::Flushcache["server_${freeipa::ipa_server_fqdn}"],
before => Service['sssd'],
}
-> cron { 'k5start_root': #allows scp to replicas as root
command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1',
user => 'root',
minute => '*/1',
require => Package[$freeipa::kstart_package_name],
}
} }
...@@ -18,25 +18,28 @@ class freeipa::install::server::replica { ...@@ -18,25 +18,28 @@ class freeipa::install::server::replica {
${freeipa::install::server::server_install_cmd_opts_no_ui_redirect} \ ${freeipa::install::server::server_install_cmd_opts_no_ui_redirect} \
--unattended" --unattended"
# TODO: config-show and grep for IPA\ masters if ! $facts['iparole'] or $facts['iparole'] == 'replica' {
file { '/etc/ipa/primary': # TODO: config-show and grep for IPA\ masters
ensure => 'file', file { '/etc/ipa/primary':
content => 'Added by IPA Puppet module. Designates primary master. Do not remove.', ensure => 'file',
content => 'Added by IPA Puppet module. Designates primary master. Do not remove.',
}
-> exec { "server_install_${freeipa::ipa_server_fqdn}":
command => $replica_install_cmd,
timeout => 0,
unless => '/usr/sbin/ipactl status >/dev/null 2>&1',
creates => '/etc/ipa/default.conf',
logoutput => 'on_failure',
notify => Freeipa::Helpers::Flushcache["server_${freeipa::ipa_server_fqdn}"],
before => Service['sssd'],
}
-> cron { 'k5start_root':
command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1',
user => 'root',
minute => '*/1',
require => Package[$freeipa::kstart_package_name],
}
} else {
fail ("to change ipa_role from '${facts['iparole']}' to 'replica' is not supported.")
} }
-> exec { "server_install_${freeipa::ipa_server_fqdn}":
command => $replica_install_cmd,
timeout => 0,
unless => '/usr/sbin/ipactl status >/dev/null 2>&1',
creates => '/etc/ipa/default.conf',
logoutput => 'on_failure',
notify => Freeipa::Helpers::Flushcache["server_${freeipa::ipa_server_fqdn}"],
before => Service['sssd'],
}
-> cron { 'k5start_root':
command => '/usr/bin/k5start -f /etc/krb5.keytab -U -o root -k /tmp/krb5cc_0 > /dev/null 2>&1',
user => 'root',
minute => '*/1',
require => Package[$freeipa::kstart_package_name],
}
} }
...@@ -88,6 +88,55 @@ describe 'freeipa class' do ...@@ -88,6 +88,55 @@ describe 'freeipa class' do
end end
end end
context 'with ipa_role replica on master' do
hosts_as('master').each do |master|
it 'fails' do
pp = <<-EOS
class { 'freeipa':
ipa_role => 'replica',
domain => 'example.lan',
ipa_server_fqdn => 'ipa-server-1.example.lan',
admin_password => 'vagrant123',
directory_services_password => 'vagrant123',
install_ipa_server => true,
ip_address => '10.10.10.35',
enable_ip_address => true,
enable_hostname => true,
manage_host_entry => true,
install_epel => true,
webui_disable_kerberos => true,
webui_enable_proxy => true,
webui_force_https => true,
ipa_master_fqdn => 'ipa-server-1.example.lan',
}
EOS
apply_manifest_on(master, pp, expect_failures: true)
end
end
end
context 'with ipa_role client on master' do
hosts_as('master').each do |master|
it 'fails' do
pp = <<-EOS
class { 'freeipa':
ipa_role => 'client',
domain => 'example.lan',
admin_password => 'vagrant123',
directory_services_password => 'vagrant123',
password_usedto_joindomain => 'vagrant123',
ip_address => '10.10.10.35',
install_epel => true,
ipa_master_fqdn => 'ipa-server-1.example.lan'
}
EOS
apply_manifest_on(master, pp, expect_failures: true)
end
end
end
context 'Test ssh connnections for toto user with pre-defined ssh-key' do context 'Test ssh connnections for toto user with pre-defined ssh-key' do
# Install ssh key on root on master # Install ssh key on root on master
hosts_as('master').each do |master| hosts_as('master').each do |master|
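Review bot: Both new contexts, `with ipa_role replica on master` and `with ipa_role client on master`, pass on any failed apply because `apply_manifest_on(master, pp, expect_failures: true)` does not inspect why the run failed, so a typo in the heredoc manifest satisfies them just as well as the guard they are meant to exercise. If the beaker result object exposes the agent output, binding it and asserting on it, `result = apply_manifest_on(master, pp, expect_failures: true)` then `expect(result.stderr).to match(%r{to change ipa_role from 'master' to 'replica' is not supported})`, ties each test to the specific refusal. The two heredocs also repeat the same inline credentials and parameters; a describe-level `let` or helper taking the role would keep them in one place. The enclosing `describe 'freeipa class'` starts before this hunk.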
require 'spec_helper' require 'spec_helper'
describe 'freeipa::install::client' do describe 'freeipa::install::client' do
on_supported_os.each do |os, os_facts| context 'with node not yet configured' do
context "on #{os}" do on_supported_os.each do |os, os_facts|
let(:facts) { os_facts } context "on #{os}" do
let(:pre_condition) do let(:facts) { os_facts }
manifest = <<-EOS let(:pre_condition) do
class{ 'freeipa' : manifest = <<-EOS
ipa_role => 'client', class{ 'freeipa' :
ipa_master_fqdn => 'master.example.lan', ipa_role => 'client',
ipa_server_fqdn => 'foo.example.lan', ipa_master_fqdn => 'master.example.lan',
domain => 'example.lan', ipa_server_fqdn => 'foo.example.lan',
password_usedto_joindomain => 'foobartest', domain => 'example.lan',
admin_password => 'foobartest', password_usedto_joindomain => 'foobartest',
directory_services_password => 'foobartest', admin_password => 'foobartest',
ip_address => '10.10.10.35', directory_services_password => 'foobartest',
} ip_address => '10.10.10.35',
EOS }
manifest EOS
manifest
end
it { is_expected.to compile }
end
end
end
context 'with node configured as client' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts.merge(iparole: 'client') }
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'client',
ipa_master_fqdn => 'master.example.lan',
ipa_server_fqdn => 'foo.example.lan',
domain => 'example.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '10.10.10.35',
}
EOS
manifest
end
it { is_expected.to compile }
end end
end
end
context 'with node configured as master' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts.merge(iparole: 'master') }
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'client',
ipa_master_fqdn => 'master.example.lan',
ipa_server_fqdn => 'foo.example.lan',
domain => 'example.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '10.10.10.35',
}
EOS
manifest
end
it { is_expected.to compile } it { is_expected.to compile.and_raise_error(%r{to change ipa_role from 'master' to 'client' is not supported}) }
end
end end
end end
end end
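Review bot: The three contexts in this spec repeat the same `class{ 'freeipa' : ... }` heredoc verbatim and differ only in the `iparole` merged into `let(:facts)`, so a change to the required parameters has to be made three times; hoisting one `let(:pre_condition)` to the top of the `describe` and leaving only the `let(:facts)` override in each context keeps what each case is actually testing visible. master_spec.rb in this commit has the same layout. A context with `iparole: 'replica'` is missing here, so the replica-to-client refusal in the client guard has no unit test, whereas the master-to-client case is asserted.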
require 'spec_helper' require 'spec_helper'
describe 'freeipa::install::server::master' do describe 'freeipa::install::server::master' do
on_supported_os.each do |os, os_facts| context 'with node not yet configured' do
context "on #{os}" do on_supported_os.each do |os, os_facts|
let(:pre_condition) do context "on #{os}" do
manifest = <<-EOS let(:pre_condition) do
class{ 'freeipa' : manifest = <<-EOS
ipa_role => 'master', class{ 'freeipa' :
ipa_master_fqdn => 'master.example.lan', ipa_role => 'master',
ipa_server_fqdn => 'foo.example.lan', ipa_master_fqdn => 'master.example.lan',
domain => 'example.lan', ipa_server_fqdn => 'foo.example.lan',
password_usedto_joindomain => 'foobartest', domain => 'example.lan',
admin_password => 'foobartest', password_usedto_joindomain => 'foobartest',
directory_services_password => 'foobartest', admin_password => 'foobartest',
ip_address => '10.10.10.35', directory_services_password => 'foobartest',
} ip_address => '10.10.10.35',
EOS }
manifest EOS
manifest
end
let(:facts) { os_facts }
it { is_expected.to compile }
end end
let(:facts) { os_facts } end
end
it { is_expected.to compile } context 'with node configured as master' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts.merge(iparole: 'master') }
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'master',
ipa_master_fqdn => 'master.example.lan',
ipa_server_fqdn => 'foo.example.lan',
domain => 'example.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '10.10.10.35',
}
EOS
manifest
end
it { is_expected.to compile }
end
end
end
context 'with node configured as replica' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts.merge(iparole: 'replica') }
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'master',
ipa_master_fqdn => 'master.example.lan',
ipa_server_fqdn => 'foo.example.lan',
domain => 'example.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '10.10.10.35',
}
EOS
manifest
end
it { is_expected.to compile.and_raise_error(%r{to change ipa_role from 'replica' to 'master' is not supported}) }
end
end
end
context 'with node configured as client' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts.merge(iparole: 'client') }
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'master',
ipa_master_fqdn => 'master.example.lan',
ipa_server_fqdn => 'foo.example.lan',
domain => 'example.lan',
password_usedto_joindomain => 'foobartest',
admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '10.10.10.35',
}
EOS
manifest
end
it { is_expected.to compile.and_raise_error(%r{to change ipa_role from 'client' to 'master' is not supported}) }
end
end end
end end
end end
require 'spec_helper' require 'spec_helper'
describe 'freeipa::install::server::replica' do