Create role for host keytab to test before putting in base

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2016-10-27 08:42:14 +00:00 · 2016-10-27 08:42:14 +00:00 · 1f3883d58d
commit 1f3883d58d
parent e69b14fe07
4 changed files with 110 additions and 1 deletions
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@ -208,3 +208,6 @@ fedora_required_images:
 # In some cases we want mod_wsgi and no apache (for python3 httpaio stuff)
 #
 wsgi_wants_apache: true
+
+# Main IPA server for this server
+ipa_server: ipa01.stg.phx2.fedoraproject.org
--- a/inventory/group_vars/staging
+++ b/inventory/group_vars/staging
@ -12,3 +12,5 @@ collectd_graphite: True

 fedmsg_prefix: org.fedoraproject
 fedmsg_env: stg
+
+ipa_server: ipa01.stg.phx2.fedoraproject.org
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@ -377,4 +377,4 @@
  tags:
  - base
  - config
-  - krb
+  - krb5
--- a/roles/keytab/tasks/main.yml
+++ b/roles/keytab/tasks/main.yml
@ -0,0 +1,104 @@
+---
+# Get host keytab
+- name: Determine whether we need to get host keytab
+  stat: path=/etc/krb5.keytab
+  register: host_keytab_status
+  tags:
+  - base
+  - config
+  - krb5
+
+- name: Get admin keytab
+  delegate_to: {{ipa_server}}
+  shell: echo "{{ipa_admin_password}}" | kinit admin
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Create host entry
+  delegate_to: {{ipa_server}}
+  command: ipa host-add {{inventory_hostname}}
+  register: host_add_result
+  changed_when: "'Added host' in host_add_result.stdout"
+  failed_when: "not ('Added host' in host_add_result.stdout or 'already exists' in host_add_result.stdout)"
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Generate host keytab
+  delegate_to: {{ipa_server}}
+  command: ipa-getkeytab -s {{ipa_server}} -p host/{{inventory_hostname}} -k /tmp/{{inventory_hostname}}.kt
+  register: getkeytab_result
+  changed_when: false
+  failed_when: "'successfully retrieved' not in getkeytab_result.stdout"
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Destroy kerberos ticket
+  delegate_to: {{ipa_server}}
+  command: kdestroy -A
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Get keytab
+  delegate_to: {{ipa_server}}
+  command: base64 /tmp/{{inventory_hostname}}.kt
+  register: keytab
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Destroy stored keytab
+  delegate_to: {{ipa_server}}
+  file: path=/tmp/{{inventory_hostname}}.kt state=absent
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Deploy base64 keytab
+  file: path=/etc/krb5.keytab.b64
+        content={{keytab.stdout}}
+        owner=root group=root mode=0600
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Base64-decode keytab
+  shell: base64-decode -d /etc/krb5.keytab.b64 >/etc/krb5.keytab
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Set keytab permissions
+  file: path=/etc/krb5.keytab owner=root group=root mode=0600
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Destroy encoded keytab
+  file: /etc/krb5.keytab.b64 state=absent
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists