Make IPA API available from external

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>

playbooks/groups/ipa.yml

@@ -76,6 +76,15 @@
     tags:
     - krb5
     - ipa/server
+    - config
+  - name: Make IPA HTTP use the id.fp.o client keytab
+    lineinfile: dest=/etc/httpd/conf.d/ipa.conf
+                regexp='GssapiCredStore client_keytab:'
+                line='  GssapiCredStore client_keytab:/etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab'
+    tags:
+    - krb5
+    - ipa/server
+    - config
 
 - name: do base role once more to revert any resolvconf changes
   hosts: ipa:ipa-stg

roles/ipa/server/tasks/main.yml

@@ -230,3 +230,21 @@
   register: grant_repl_status_output
   changed_when: "'Type or value exists' not in grant_repl_status_output.stderr"
   failed_when: "'Type or value exists' not in grant_repl_status_output.stderr and 'modifying entry' not in grant_repl_status_output.stdout"
+
+# Make some httpd changes
+- name: Configure referer override
+  template: src=referer-override.conf
+            dest=/etc/httpd/conf.d/referer-override.conf
+  notify:
+  - reload apache
+  tags:
+  - ipa/server
+  - config
+
+- name: Update xmlrpc_uri
+    lineinfile: dest=/etc/ipa/default.conf
+                regexp='xmlrpc_uri ='
+                line='xmlrpc_uri = https://id{{env_suffix}}.fedoraproject.org/ipa/xml'
+    tags:
+    - ipa/server
+    - config

roles/ipa/server/templates/referer-override.conf

@@ -0,0 +1,2 @@
+SetEnvIf Referer "https://id{{env_suffix}}.fedoraproject.org/ipa" HAVE_CORRECT_REFERER
+RequestHeader set Referer "https://{{inventory_hostname}}/ipa" env=HAVE_CORRECT_REFERER