From 28cc2e8d9380feee3194b1bee72744d4745ba507 Mon Sep 17 00:00:00 2001
From: Nils Philippsen
Date: Wed, 24 Mar 2021 11:49:22 +0100
Subject: [PATCH] ipa/client: specify ipa server when enrolling VPN hosts

This is needed for clients that cannot access the internal DNS where IPA servers are announced.

Signed-off-by: Nils Philippsen
---
inventory/group_vars/all | 4 ++++
roles/ipa/client/tasks/main.yml | 3 +++
2 files changed, 7 insertions(+)
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 7b1a719693..de6c321d25 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -353,6 +353,10 @@ wsgi_wants_apache: true
 # IPA settings
 additional_host_keytabs: []
 ipa_server: ipa01.iad2.fedoraproject.org
+ipa_server_nodes:
+ - ipa01.iad2.fedoraproject.org
+ - ipa02.iad2.fedoraproject.org
+ - ipa03.iad2.fedoraproject.org
 ipa_realm: FEDORAPROJECT.ORG
 ipa_admin_password: "{{ ipa_prod_admin_password }}"
 # Let this become "ipa" at some point
diff --git a/roles/ipa/client/tasks/main.yml b/roles/ipa/client/tasks/main.yml
index 606bcbd4a2..7c37b46fae 100644
--- a/roles/ipa/client/tasks/main.yml
+++ b/roles/ipa/client/tasks/main.yml
@@ -17,6 +17,9 @@
 - name: Enroll system as IPA client
 command:
 cmd: ipa-client-install
+ {% if (vpn | default(false)) %}{% for node in ipa_server_nodes | default([]) %}
+ --server={{ node }}
+ {% endfor %}{% endif %}
 --hostname={{ inventory_hostname }}
 --domain={{ ipa_realm | lower }}
 --realm={{ ipa_realm }}
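Review bot: The new `ipa_server_nodes` list in `inventory/group_vars/all` has no comment saying what consumes it or how it relates to `ipa_server` directly above, which already names `ipa01.iad2.fedoraproject.org`. Suggest adding `# IPA servers passed as --server when enrolling VPN hosts that cannot use the internal DNS` above the key. Whoever retires or renames an IPA server then knows this list has to change with it, since enrolled VPN hosts will be pointed at exactly these names.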
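Review bot: The `{% if (vpn | default(false)) %}` guard added to the `cmd:` scalar tests Jinja truthiness, so a `vpn` value that arrives as a non-empty string (for example `"false"` from an extra-var or an INI inventory) would still add the `--server` arguments. `{% if vpn | default(false) | bool %}` avoids that; where `vpn` is defined is not visible in this hunk, so it may already be a real boolean everywhere. A comment above the task is also worth adding, noting that per the ipa-client-install documentation `--server` disables DNS autodiscovery for Kerberos and configures a fixed list of KDC and admin servers. VPN hosts enrolled this way will therefore not follow later changes to the IPA server set. The task's argument list continues past the end of the hunk.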