ipa/client: specify ipa server when enrolling VPN hosts

This is needed for clients that cannot access the internal DNS where IPA servers are announced. Signed-off-by: Nils Philippsen <nils@redhat.com>
2021-03-24 11:49:22 +01:00 · 2021-03-24 11:49:22 +01:00 · 28cc2e8d93
commit 28cc2e8d93
parent 2c04966b51
2 changed files with 7 additions and 0 deletions
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@ -353,6 +353,10 @@ wsgi_wants_apache: true
 # IPA settings
 additional_host_keytabs: []
 ipa_server: ipa01.iad2.fedoraproject.org
+ipa_server_nodes:
+  - ipa01.iad2.fedoraproject.org
+  - ipa02.iad2.fedoraproject.org
+  - ipa03.iad2.fedoraproject.org
 ipa_realm: FEDORAPROJECT.ORG
 ipa_admin_password: "{{ ipa_prod_admin_password }}"
 # Let this become "ipa" at some point
--- a/roles/ipa/client/tasks/main.yml
+++ b/roles/ipa/client/tasks/main.yml
@ -17,6 +17,9 @@
 - name: Enroll system as IPA client
  command:
    cmd: ipa-client-install
+         {% if (vpn | default(false)) %}{% for node in ipa_server_nodes | default([]) %}
+         --server={{ node }}
+         {% endfor %}{% endif %}
         --hostname={{ inventory_hostname }}
         --domain={{ ipa_realm | lower }}
         --realm={{ ipa_realm }}