ipa/client: enable for builders in prod

Also, revise special treatment for bkernel*, the `ipa/client` role grants shell, sudo access for sysadmin-main by default, just ensure the lists for additional groups are empty. Signed-off-by: Nils Philippsen <nils@redhat.com>
2021-03-19 17:25:38 +01:00 · 2021-03-19 17:25:38 +01:00 · b5462742b1
commit b5462742b1
parent 540f0fc967
10 changed files with 9 additions and 21 deletions
--- a/inventory/group_vars/bkernel
+++ b/inventory/group_vars/bkernel
@ -5,3 +5,9 @@ koji_hub_nfs: "fedora_koji"
 koji_server_url: "https://koji.fedoraproject.org/kojihub"
 koji_weburl: "https://koji.fedoraproject.org/koji"
 koji_topurl: "https://kojipkgs.fedoraproject.org/"
+
+ipa_host_group: kojibuilder-kernel
+ipa_host_group_desc: Koji Build hosts for kernel builds
+# Both of these default to sysadmin-main in the ipa/client role
+ipa_client_shell_groups: []
+ipa_client_sudo_groups: []
--- a/inventory/group_vars/builders
+++ b/inventory/group_vars/builders
@ -7,6 +7,7 @@ nagios_Check_Services:
  swap: false
  mail: false

+primary_auth_source: ipa
 ipa_host_group: kojibuilder
 ipa_host_group_desc: Koji Build hosts
 ipa_client_shell_groups:
--- a/inventory/group_vars/buildhw
+++ b/inventory/group_vars/buildhw
@ -1,7 +1,5 @@
 ---
 host_group: kojibuilder
-fas_client_groups: sysadmin-releng
-sudoers: "{{ private }}/files/sudo/00releng-sudoers"
 freezes: true

 koji_hub_nfs: "fedora_koji"
--- a/inventory/group_vars/buildvm
+++ b/inventory/group_vars/buildvm
@ -15,8 +15,6 @@ virt_install_command: "{{ virt_install_command_one_nic_unsafe }}"
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 host_group: kojibuilder
-fas_client_groups: sysadmin-releng
-sudoers: "{{ private }}/files/sudo/00releng-sudoers"

 koji_hub_nfs: "fedora_koji"
 koji_server_url: "https://koji.fedoraproject.org/kojihub"
--- a/inventory/group_vars/buildvm_aarch64
+++ b/inventory/group_vars/buildvm_aarch64
@ -17,8 +17,6 @@ virt_install_command: "{{ virt_install_command_aarch64_one_nic_unsafe }}"
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 host_group: kojibuilder
-fas_client_groups: sysadmin-releng
-sudoers: "{{ private }}/files/sudo/00releng-sudoers"

 koji_hub_nfs: "fedora_koji"
 koji_server_url: "https://koji.fedoraproject.org/kojihub"
--- a/inventory/group_vars/buildvm_armv7
+++ b/inventory/group_vars/buildvm_armv7
@ -20,8 +20,6 @@ virt_install_command: "{{ virt_install_command_armv7_one_nic_unsafe }}"
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 host_group: kojibuilder
-fas_client_groups: sysadmin-releng
-sudoers: "{{ private }}/files/sudo/00releng-sudoers"

 koji_hub_nfs: "fedora_koji"
 koji_server_url: "https://koji.fedoraproject.org/kojihub"
--- a/inventory/group_vars/buildvm_ppc64le
+++ b/inventory/group_vars/buildvm_ppc64le
@ -25,8 +25,6 @@ virt_install_command: "{{ virt_install_command_one_nic_unsafe }}"
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 host_group: kojibuilder
-fas_client_groups: sysadmin-releng
-sudoers: "{{ private }}/files/sudo/00releng-sudoers"

 koji_hub_nfs: "fedora_koji"
 koji_server_url: "https://koji.fedoraproject.org/kojihub"
--- a/inventory/group_vars/buildvm_s390x
+++ b/inventory/group_vars/buildvm_s390x
@ -17,8 +17,6 @@ virt_install_command: "{{ virt_install_command_s390x_one_nic_unsafe }}"
 ansible_ifcfg_blocklist: True
 createrepo: False
 host_group: kojibuilder
-fas_client_groups: sysadmin-releng
-sudoers: "{{ private }}/files/sudo/00releng-sudoers"

 koji_hub_nfs: "fedora_koji"
 koji_server_url: "https://koji.fedoraproject.org/kojihub"
--- a/playbooks/groups/buildhw.yml
+++ b/playbooks/groups/buildhw.yml
@ -62,8 +62,7 @@
  - { role: clevis, when: "inventory_hostname.startswith(('bkernel', 'buildhw-x86'))" }
  - { role: serial-console, when: inventory_hostname.startswith('bkernel') }
  - hosts
-  - { role: ipa/client, when: not inventory_hostname.startswith('bkernel') and env == "staging" }
-  - { role: fas_client, when: not inventory_hostname.startswith('bkernel') and env != "staging" }
+  - ipa/client
  - { role: sudo, when: not inventory_hostname.startswith('bkernel') }
  - role: keytab/service
    kt_location: /etc/kojid/kojid.keytab
@ -77,8 +76,6 @@
    when: env == "staging"

  tasks:
-  - import_tasks: "{{ tasks_path }}/2fa_client.yml"
-    when: not inventory_hostname.startswith('bkernel')
  - import_tasks: "{{ tasks_path }}/motd.yml"
    when: not inventory_hostname.startswith('bkernel')

--- a/playbooks/groups/buildvm.yml
+++ b/playbooks/groups/buildvm.yml
@ -22,15 +22,13 @@
  roles:
    - base
    - hosts
-    - { role: ipa/client, when: env == "staging" }
    - {
        role: nfs/client,
        mnt_dir: "/mnt/fedora_koji",
        nfs_src_dir: "{{ koji_hub_nfs }}",
        when: "env == 'staging' or createrepo or 'runroot' in group_names and not inventory_hostname.startswith('buildvm-s390x')",
      }
-    - { role: ipa/client, when: not inventory_hostname.startswith('bkernel') and env == "staging" }
-    - { role: fas_client, when: not inventory_hostname.startswith('bkernel') and env == 'production' }
+    - ipa/client
    - { role: sudo, when: not inventory_hostname.startswith('bkernel') and env == 'production' }
    - koji_builder
    - role: nfs/client
@ -87,8 +85,6 @@
      when: env == "staging"

  tasks:
-    - import_tasks: "{{ tasks_path }}/2fa_client.yml"
-      when: not inventory_hostname.startswith('bkernel') and env == 'production'
    - import_tasks: "{{ tasks_path }}/motd.yml"
      when: not inventory_hostname.startswith('bkernel') and env == 'production'