Merge pull request #14963 from rocky-linux/develop

Deployment Prep
2024-06-02 11:50:15 +00:00 · 2021-01-06 20:41:24 -07:00 · 2021-01-06 20:41:24 -07:00 · e823e87708
commit e823e87708
parent 18a9382c18 8686535611
11 changed files with 81 additions and 31 deletions
--- a/ansible/.gitignore
+++ b/ansible/.gitignore
@ -6,10 +6,14 @@ tmp/*
 roles/public/*
 !roles/public/Readme.md

-#keep fodler holding ansible collections empty
+#keep folder holding ansible collections empty
 collections/*
 !README.md

 # Ignore all vaults
 playbooks/vars/vaults/*
 !playbooks/vars/vaults/README.md
+
+# Ignore hidden configs
+playbooks/templates/hidden/*
+!playbooks/templates/hidden/README.md
--- a/ansible/playbooks/adhoc-ipadns.yml
+++ b/ansible/playbooks/adhoc-ipadns.yml
@ -14,6 +14,7 @@
    - name: "Checking for user variables"
      assert:
        that:
+          - ipa_admin | mandatory
          - ipaadmin_password | mandatory
          - ipa_zone | mandatory
        success_msg: "Required variables provided"
@ -21,6 +22,7 @@

    - name: "Creating DNS Zone"
      freeipa.ansible_freeipa.ipadnszone:
+        ipaadmin_principal: "{{ ipa_admin }}"
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: "{{ ipa_zone }}"
      tags:
--- a/ansible/playbooks/adhoc-ipagroup.yml
+++ b/ansible/playbooks/adhoc-ipagroup.yml
@ -0,0 +1,49 @@
+---
+# This playbook is meant to be used with callable variables, like adhoc or AWX.
+# What: Creates groups in the idm infrastructure based on the variables provided
+# You MUST provide an ipa_admin user to run this.
+# If group is going to be a fas group (exposed in noggin), ensure ipa_fas is
+# set to true.
+
+- name: Create our initial users
+  hosts: ipaserver
+  become: false
+  gather_facts: false
+  vars_files:
+  - vars/vaults/encpass.yml
+
+  tasks:
+    - name: "Checking for user variables"
+      assert:
+        that:
+          - ipa_admin | mandatory
+          - ipaadmin_password | mandatory
+          - ipa_group | mandatory
+          - ipa_description | mandatory
+          - ipa_nonposix | mandatory
+        success_msg: "Required variables provided"
+        fail_msg: "We are missing group information or ipa admin password"
+
+    - name: "Creating New Group"
+      freeipa.ansible_freeipa.ipagroup:
+        ipaadmin_principal: "{{ ipa_admin }}"
+        ipaadmin_password: "{{ ipaadmin_password }}"
+        name: "{{ ipa_group }}"
+        description: "{{ ipa_description }}"
+        nonposix: "{{ ipa_nonposix }}"
+        membermanager_user: "{{ ipa_group_manager_user | default(omit) }}"
+        membermanager_group: "{{ ipa_group_manager_group | default(omit) }}"
+      tags:
+        - groups
+
+    - name: "Prepare FAS if required"
+      shell: "set -o pipefail && echo \"{{ ipaadmin_password  }}\" | kinit {{ ipa_admin }}"
+      check_mode: false
+      changed_when: "1 != 1"
+      when: ipa_fas
+
+    - name: "Apply FAS"
+      command: "ipa group-mod --fasgroup {{ ipa_group }}"
+      check_mode: false
+      changed_when: "1 != 1"
+      when: ipa_fas
--- a/ansible/playbooks/adhoc-ipagroups.yml
+++ b/ansible/playbooks/adhoc-ipagroups.yml
@ -1,30 +0,0 @@
---
-# This playbook is meant to be used with callable variables, like adhoc or AWX.
-# What: Creates groups in the idm infrastructure based on the variables provided
-
- name: Create our initial users
-  hosts: ipaserver
-  become: false
-  gather_facts: false
-  vars_files:
-  - vars/vaults/encpass.yml
-
-  tasks:
-    - name: "Checking for user variables"
-      assert:
-        that:
-          - ipaadmin_password | mandatory
-          - ipa_group | mandatory
-          - ipa_description | mandatory
-          - ipa_posix | mandatory
-        success_msg: "Required variables provided"
-        fail_msg: "We are missing group information or ipa admin password"
-
-    - name: "Creating Mandatory Groups"
-      freeipa.ansible_freeipa.ipagroup:
-        ipaadmin_password: "{{ ipaadmin_password }}"
-        name: "{{ ipa_group }}"
-        description: "{{ ipa_description }}"
-        nonposix: "{{ ipa_posix }}"
-      tags:
-        - groups
--- a/ansible/playbooks/adhoc-ipaservice.yml
+++ b/ansible/playbooks/adhoc-ipaservice.yml
@ -13,6 +13,7 @@
    - name: "Checking for user variables"
      assert:
        that:
+          - ipa_admin | mandatory
          - ipaadmin_password | mandatory
          - ipa_service | mandatory
        success_msg: "Required variables provided"
@ -20,6 +21,7 @@

    - name: "Creating Kerberos Service"
      freeipa.ansible_freeipa.ipaservice:
+        ipaadmin_principal: "{{ ipa_admin }}"
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: "{{ ipa_service }}"
        skip_host_check: "{{ ipa_skip_host_check | default(false) }}"
--- a/ansible/playbooks/adhoc-ipausers.yml
+++ b/ansible/playbooks/adhoc-ipausers.yml
@ -13,6 +13,7 @@
    - name: "Checking for user variables"
      assert:
        that:
+          - ipa_admin | mandatory
          - ipaadmin_password | mandatory
          - ipa_name | mandatory
          - ipa_first | mandatory
@ -25,6 +26,7 @@

    - name: "Creating User Account"
      freeipa.ansible_freeipa.ipauser:
+        ipaadmin_principal: "{{ ipa_admin }}"
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: "{{ ipa_name }}"
        first: "{{ ipa_first }}"
--- a/ansible/playbooks/import-rockygroups.yml
+++ b/ansible/playbooks/import-rockygroups.yml
@ -7,6 +7,8 @@
    description: "{{ item.description }}"
    nonposix: false
    user: "{{ item.user | default(none) }}"
+    membermanager_user: "{{ item.managers_users | default(omit) }}"
+    membermanager_group: "{{ item.managers_groups | default(omit) }}"
  loop: "{{ ipagroups }}"
  tags:
    - groups
--- a/ansible/playbooks/templates/hidden/README.md
+++ b/ansible/playbooks/templates/hidden/README.md
@ -0,0 +1,5 @@
+These contain configs that are considered "secret" and should not be part of any git commits. This directory still follows the basic format of where the file will be located.
+
+```
+hidden/etc/somefile.cfg
+```
--- a/ansible/playbooks/vars/ipa/agreements.yml
+++ b/ansible/playbooks/vars/ipa/agreements.yml
@ -0,0 +1,2 @@
+---
+# Vars for Agreements for the Rocky Linux Project
--- a/ansible/playbooks/vars/ipa/groups.yml
+++ b/ansible/playbooks/vars/ipa/groups.yml
@ -52,6 +52,13 @@ ipagroups:
      - tg
      - hbjy
      - rockyautomation
+    managers_users:
+      - label
+      - neil
+      - rlh
+      - rfelsburg
+      - tg
+      - hbjy
  - group: services
    description: Rocky Linux Service Accounts
    user:
@ -65,9 +72,13 @@ ipagroups:
    description: Rocky Linux Identity Management
    user:
      - label
+    managers_users:
+      - label
  - group: releng
    description: Rocky Linux Release Engineering
    user:
      - label
+    managers_users:
+      - label
  - group: mq_pub_readonly
    description: RabbitMQ ReadOnly
--- a/ansible/playbooks/vars/ipsilon.yml
+++ b/ansible/playbooks/vars/ipsilon.yml
@ -15,6 +15,7 @@ ipsilon_db_name: rockyipsilon
 ipsilon_httpd_hostname: "{{ inventory_hostname }}"

 # apache configuration for ipsilon
+apache_configure: false
 apache_listen_port: 80
 apache_listen_port_ssl: 443
 apache_create_vhosts: true