ansible/roles/keytab/service/tasks/main.yml

---
- name: Determine whether we need to get keytab
  stat: path={{kt_location}}
  register: keytab_status
  check_mode: no
  changed_when: "1 != 1"
  tags:
  - keytab
  - config
  - krb5

- name: Create host entry
  include_role:
    name: ipa/host
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists and service == "host"

- name: Create service entry
  include_role:
    name: ipa/service
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists and service != "host"

- name: Get admin ticket
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.shell: echo "{{ipa_admin_password}}" | kinit admin
  check_mode: no
  changed_when: "1 != 1"
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Grant host and admin access to keytab
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.command: ipa host-allow-retrieve-keytab {{host}} --hosts={{inventory_hostname}} --users=admin
  register: perm_add_result
  check_mode: no
  changed_when: "'members added 1' in perm_add_result.stdout or 'members added 2' in perm_add_result.stdout"
  failed_when: "not ('members added' in perm_add_result.stdout)"
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists and service == "host"

- name: Grant host and admin access to keytab
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.command: ipa service-allow-retrieve-keytab {{service}}/{{host}} --hosts={{inventory_hostname}} --users=admin
  register: perm_add_result
  check_mode: no
  changed_when: "'members added 1' in perm_add_result.stdout or 'members added 2' in perm_add_result.stdout"
  failed_when: "not ('members added' in perm_add_result.stdout)"
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists and service != "host"

- name: Retrieve keytab
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.command: ipa-getkeytab --retrieve --server {{ipa_server}} --keytab /tmp/{{service}}_{{host}}.kt --principal {{service}}/{{host}}
  register: retrieve_result
  check_mode: no
  changed_when: "1 != 1"
  failed_when: "not ('Keytab successfully retrieved' in retrieve_result.stderr or 'krbPrincipalKey not found' in retrieve_result.stderr)"
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Create keytab if it did not exist
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.command: ipa-getkeytab --server {{ipa_server}} --keytab /tmp/{{service}}_{{host}}.kt --principal {{service}}/{{host}}
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists and 'krbPrincipalKey not found' in retrieve_result.stderr

- name: Destroy admin ticket
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.command: kdestroy -A
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Get keytab
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.command: base64 /tmp/{{service}}_{{host}}.kt
  register: keytab
  check_mode: no
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Destroy stored keytab
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.file: path=/tmp/{{service}}_{{host}}.kt state=absent
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Deploy base64 keytab
  ansible.builtin.copy: dest={{kt_location}}.b64
        content={{keytab.stdout}}
        owner={{owner_user}} group={{owner_group}} mode=0600
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Base64-decode keytab
  ansible.builtin.shell: "umask 077 && base64 -d {{kt_location}}.b64 >{{kt_location}}"
  tags:
  - keytab
  - config
  - krb5
  when: not keytab_status.stat.exists

- name: Destroy encoded keytab
  ansible.builtin.file: path={{kt_location}}.b64 state=absent
  tags:
  - keytab
  - config
  - krb5

- name: Set keytab permissions
  ansible.builtin.file: path={{kt_location}} owner={{owner_user}} group={{owner_group}} mode=0640 state=file
  tags:
  - keytab
  - config
  - krb5

- name: Set keytab ACL
  acl: name={{kt_location}} entity={{extra_acl_user}} etype=user permissions=r state=present
  tags:
  - keytab
  - config
  - krb5
  when: extra_acl_user is defined
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`---`
			`- name: Determine whether we need to get keytab`
			`stat: path={{kt_location}}`
			`register: keytab_status`
set check_mode: no on all the tasks that register variables to get the ipa playbooks working with check mode 2016-12-05 17:53:13 +00:00			`check_mode: no`
adjust ipa playbook a bit more 2016-12-05 17:58:55 +00:00			`changed_when: "1 != 1"`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`

Refactor the keytab/service role to prepare for more ipa roles Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-08-20 15:11:11 +02:00			`- name: Create host entry`
			`include_role:`
			`name: ipa/host`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
Refactor the keytab/service role to prepare for more ipa roles Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-08-20 15:11:11 +02:00			`when: not keytab_status.stat.exists and service == "host"`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00
Refactor the keytab/service role to prepare for more ipa roles Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-08-20 15:11:11 +02:00			`- name: Create service entry`
			`include_role:`
			`name: ipa/service`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
Refactor the keytab/service role to prepare for more ipa roles Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-08-20 15:11:11 +02:00			`when: not keytab_status.stat.exists and service != "host"`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00
Refactor the keytab/service role to prepare for more ipa roles Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-08-20 15:11:11 +02:00			`- name: Get admin ticket`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`delegate_to: "{{ ipa_server }}"`
ansiblelint fixes - fqcn[action-core] - shell to ansible.builtin.shell Replaces references to shell: with ansible.builtin.shell Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-19 16:42:30 +10:00			`ansible.builtin.shell: echo "{{ipa_admin_password}}" \| kinit admin`
set check_mode: no on all the tasks that register variables to get the ipa playbooks working with check mode 2016-12-05 17:53:13 +00:00			`check_mode: no`
Refactor the keytab/service role to prepare for more ipa roles Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-08-20 15:11:11 +02:00			`changed_when: "1 != 1"`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
Refactor the keytab/service role to prepare for more ipa roles Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-08-20 15:11:11 +02:00			`when: not keytab_status.stat.exists`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00
Fixup the keytab thingy Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-09-01 22:55:30 +02:00			`- name: Grant host and admin access to keytab`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`delegate_to: "{{ ipa_server }}"`
ansiblelint fixes-- fqcn[action-core] - command to ansible.builtin.command Replaces many references to command: with ansible.builtin.command Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-19 11:22:24 +10:00			`ansible.builtin.command: ipa host-allow-retrieve-keytab {{host}} --hosts={{inventory_hostname}} --users=admin`
Support getting a host keytab from IPA Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-09-01 22:42:56 +02:00			`register: perm_add_result`
set check_mode: no on all the tasks that register variables to get the ipa playbooks working with check mode 2016-12-05 17:53:13 +00:00			`check_mode: no`
Fixup the keytab thingy Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-09-01 22:55:30 +02:00			`changed_when: "'members added 1' in perm_add_result.stdout or 'members added 2' in perm_add_result.stdout"`
Support getting a host keytab from IPA Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-09-01 22:42:56 +02:00			`failed_when: "not ('members added' in perm_add_result.stdout)"`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
Fixup the keytab thingy Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-09-01 22:55:30 +02:00			`when: not keytab_status.stat.exists and service == "host"`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00
Fixup the keytab thingy Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-09-01 22:55:30 +02:00			`- name: Grant host and admin access to keytab`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`delegate_to: "{{ ipa_server }}"`
ansiblelint fixes-- fqcn[action-core] - command to ansible.builtin.command Replaces many references to command: with ansible.builtin.command Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-19 11:22:24 +10:00			`ansible.builtin.command: ipa service-allow-retrieve-keytab {{service}}/{{host}} --hosts={{inventory_hostname}} --users=admin`
Support getting a host keytab from IPA Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-09-01 22:42:56 +02:00			`register: perm_add_result`
set check_mode: no on all the tasks that register variables to get the ipa playbooks working with check mode 2016-12-05 17:53:13 +00:00			`check_mode: no`
Fixup the keytab thingy Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-09-01 22:55:30 +02:00			`changed_when: "'members added 1' in perm_add_result.stdout or 'members added 2' in perm_add_result.stdout"`
Support getting a host keytab from IPA Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-09-01 22:42:56 +02:00			`failed_when: "not ('members added' in perm_add_result.stdout)"`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
Fixup the keytab thingy Signed-off-by: Aurélien Bompard <aurelien@bompard.org> 2020-09-01 22:55:30 +02:00			`when: not keytab_status.stat.exists and service != "host"`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00
Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`- name: Retrieve keytab`
			`delegate_to: "{{ ipa_server }}"`
ansiblelint fixes-- fqcn[action-core] - command to ansible.builtin.command Replaces many references to command: with ansible.builtin.command Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-19 11:22:24 +10:00			`ansible.builtin.command: ipa-getkeytab --retrieve --server {{ipa_server}} --keytab /tmp/{{service}}_{{host}}.kt --principal {{service}}/{{host}}`
Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`register: retrieve_result`
set check_mode: no on all the tasks that register variables to get the ipa playbooks working with check mode 2016-12-05 17:53:13 +00:00			`check_mode: no`
			`changed_when: "1 != 1"`
Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`failed_when: "not ('Keytab successfully retrieved' in retrieve_result.stderr or 'krbPrincipalKey not found' in retrieve_result.stderr)"`
Get and destroy host ticket Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:47:57 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
			`when: not keytab_status.stat.exists`

Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`- name: Create keytab if it did not exist`
			`delegate_to: "{{ ipa_server }}"`
ansiblelint fixes-- fqcn[action-core] - command to ansible.builtin.command Replaces many references to command: with ansible.builtin.command Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-19 11:22:24 +10:00			`ansible.builtin.command: ipa-getkeytab --server {{ipa_server}} --keytab /tmp/{{service}}_{{host}}.kt --principal {{service}}/{{host}}`
Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
			`when: not keytab_status.stat.exists and 'krbPrincipalKey not found' in retrieve_result.stderr`

			`- name: Destroy admin ticket`
			`delegate_to: "{{ ipa_server }}"`
ansiblelint fixes-- fqcn[action-core] - command to ansible.builtin.command Replaces many references to command: with ansible.builtin.command Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-19 11:22:24 +10:00			`ansible.builtin.command: kdestroy -A`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
			`when: not keytab_status.stat.exists`

Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`- name: Get keytab`
			`delegate_to: "{{ ipa_server }}"`
ansiblelint fixes-- fqcn[action-core] - command to ansible.builtin.command Replaces many references to command: with ansible.builtin.command Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-19 11:22:24 +10:00			`ansible.builtin.command: base64 /tmp/{{service}}_{{host}}.kt`
Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`register: keytab`
set check_mode: no on all the tasks that register variables to get the ipa playbooks working with check mode 2016-12-05 17:53:13 +00:00			`check_mode: no`
Handle the case when no key was created yet Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:58:16 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`when: not keytab_status.stat.exists`
Handle the case when no key was created yet Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:58:16 +00:00
Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`- name: Destroy stored keytab`
			`delegate_to: "{{ ipa_server }}"`
ansiblelint fixes-- fqcn[action-core] - file to ansible.builtin.file Replaces many references to file: with ansible.builtin.file Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-17 15:31:55 +10:00			`ansible.builtin.file: path=/tmp/{{service}}_{{host}}.kt state=absent`
Handle the case when no key was created yet Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:58:16 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`when: not keytab_status.stat.exists`
Handle the case when no key was created yet Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:58:16 +00:00
Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`- name: Deploy base64 keytab`
ansiblelint fixes-- fqcn[action-core] - copy to ansible.builtin.copy Replaces many references to 'copy' with ansible.builtin.copy Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-18 08:23:28 +10:00			`ansible.builtin.copy: dest={{kt_location}}.b64`
Use ipa-server based method for getting service keytabs Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:16:03 +00:00			`content={{keytab.stdout}}`
			`owner={{owner_user}} group={{owner_group}} mode=0600`
Get and destroy host ticket Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:47:57 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
			`when: not keytab_status.stat.exists`

Decode and destroy the b64-encoded keytab Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:19:45 +00:00			`- name: Base64-decode keytab`
ansiblelint fixes - fqcn[action-core] - shell to ansible.builtin.shell Replaces references to shell: with ansible.builtin.shell Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-19 16:42:30 +10:00			`ansible.builtin.shell: "umask 077 && base64 -d {{kt_location}}.b64 >{{kt_location}}"`
Decode and destroy the b64-encoded keytab Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:19:45 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
			`when: not keytab_status.stat.exists`

			`- name: Destroy encoded keytab`
ansiblelint fixes-- fqcn[action-core] - file to ansible.builtin.file Replaces many references to file: with ansible.builtin.file Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-17 15:31:55 +10:00			`ansible.builtin.file: path={{kt_location}}.b64 state=absent`
Decode and destroy the b64-encoded keytab Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-11-03 13:19:45 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`

Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`- name: Set keytab permissions`
ansiblelint fixes-- fqcn[action-core] - file to ansible.builtin.file Replaces many references to file: with ansible.builtin.file Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-17 15:31:55 +10:00			`ansible.builtin.file: path={{kt_location}} owner={{owner_user}} group={{owner_group}} mode=0640 state=file`
Add keytab/service role Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-28 11:26:53 +00:00			`tags:`
			`- keytab`
			`- config`
			`- krb5`
Allow fedmsg-hub to read bodhi keytab 2018-11-08 19:03:03 +00:00
			`- name: Set keytab ACL`
			`acl: name={{kt_location}} entity={{extra_acl_user}} etype=user permissions=r state=present`
			`tags:`
			`- keytab`
			`- config`
			`- krb5`
			`when: extra_acl_user is defined`