ipa/client: Ignore hosts still hooked up with FAS

This is necessary because:

- The ipa/client role is pulled in if only one host is in the play which
  uses it.
- The prepare-ipa-info tasks operate on all hosts in the play in order
  to gather together operations on the IPA server which would otherwise
  be (potentially, unnecessarily) repeated for many hosts in the play
  and which have to be serialized to avoid race conditions when changing
  data in IPA.

For now, we set `primary_auth_source` to `fas` for `all`, and to `ipa`
for the `staging` group. We can set this to `ipa` for individual host
groups in prod to enable this piecemeal while we roll out the change.

Fixes: https://pagure.io/fedora-infrastructure/issue/9674

Signed-off-by: Nils Philippsen <nils@redhat.com>
This commit is contained in:
Nils Philippsen 2021-02-19 12:13:20 +01:00 committed by Stephen Smoogen
parent ee519289a2
commit c2530541f1
3 changed files with 15 additions and 1 deletions

@ -355,6 +355,8 @@ additional_host_keytabs: []
ipa_server: ipa01.iad2.fedoraproject.org
ipa_realm: FEDORAPROJECT.ORG
ipa_admin_password: "{{ ipa_prod_admin_password }}"
# Let this become "ipa" at some point
primary_auth_source: fas
# Normal default sshd port is 22
sshd_port: 22
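Review bot: the comment `# Let this become "ipa" at some point` above `primary_auth_source: fas` gives no pointer to what "some point" depends on; since this is the prod-wide default that every host group inherits until it is overridden, reference the tracking issue (https://pagure.io/fedora-infrastructure/issue/9674) and state that the value is the opt-in switch for the ipa/client role's prepare-ipa-info filtering, so an operator flipping it for a single group in prod understands what it enables.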

@ -26,3 +26,5 @@ deployment_type: stg
ipa_server: ipa01.stg.iad2.fedoraproject.org
ipa_realm: STG.FEDORAPROJECT.ORG
ipa_admin_password: "{{ ipa_stg_admin_password }}"
# RIP, FAS
primary_auth_source: ipa
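Review bot: `# RIP, FAS` tells a reader nothing about why staging differs from prod; replace it with a comment that this overrides the `fas` default set for `all` and that staging is the first environment where hosts are enrolled to `ipa01.stg.iad2.fedoraproject.org` via prepare-ipa-info. Also worth a line noting that the staging and prod values are intentionally different during the rollout, so nobody "fixes" the inconsistency later.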

@ -1,5 +1,10 @@
---
# NOTE: configuration is based on host groups, i.e. set the ipa_* vars only in group_vars
#
# NOTE^2: This will be "active" if only one host with the role is in the play, so we need to filter
# on something, this something is the `primary_auth_source` variable which can be either
# `fas` or `ipa`. Only hosts that have it set to `ipa` should be listed in the following
# variables.
# Thanks to having two environments, staging and prod, this has to deal with the "responsible" IPA
# server for individual hosts.
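Review bot: the new `NOTE^2` comment documents `primary_auth_source` as taking `fas` or `ipa` but does not say what happens when a host has it unset; the task below falls back to `fas` via `default("fas")`, which is the safe, opt-in direction, and that behaviour belongs in this header comment so readers of the role do not have to find it in the `when:` expression. Consider also naming the two `group_vars` files where the value is currently set, since the first NOTE already insists the `ipa_*` configuration lives only in `group_vars`.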
@ -82,7 +87,12 @@
}}
ipa_servers: "{{ ipa_servers | default([]) | union([hostvars[item]['ipa_server']]) }}"
loop: "{{ ansible_play_hosts }}"
when: hostvars[item]['ipa_server'] is defined and hostvars[item]['ipa_host_group'] is defined
when: >-
(hostvars[item]['primary_auth_source'] | default("fas")) == "ipa"
and
hostvars[item]['ipa_server'] is defined
and
hostvars[item]['ipa_host_group'] is defined
# ipa_server_host_groups ->
# [
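Review bot: the replaced `when:` now filters on `(hostvars[item]['primary_auth_source'] | default("fas")) == "ipa"` in addition to the two `is defined` checks, which is the correct fail-closed direction (a host without the variable is treated as still on FAS and is not added to `ipa_servers`). The same three-part condition will be needed by the sibling task that builds `ipa_server_host_groups` (the `# ipa_server_host_groups ->` comment immediately follows this hunk); rather than duplicating the folded-scalar expression in each task, set it once, for example as a task-level `vars:` entry or a dedicated fact, and reference it from every loop over `ansible_play_hosts`, so a future change to the FAS/IPA selection cannot leave the two lists out of sync.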