(multiple) Enable FreeIPA for OSP 17.1 adoption CI

ciecierski · ciecierski · commit 0e7f73721631 · 2026-01-23T15:00:43.000+01:00
This commit introduces support for deploying a FreeIPA server within the OSP 17.1 adoption CI.

The following has been added:
- Tasks for the initial setup and configuration of a FreeIPA server.
- DNS configuration for the undercloud, followed by the execution of `undercloud-ipa-install.yaml`.
- DNS configuration for the overcloud to use the new FreeIPA instance.

Following code has been modified:
- hci adoption scenario is updated to include the creation of the FreeIPA vm
- do not add the unique ID to osp-underclud name. Predicted hostname is required for
tls-e

Signed-off-by: Mikolaj Ciecierski &lt;mciecier@redhat.com&gt;
diff --git a/docs/dictionary/en-custom.txt b/docs/dictionary/en-custom.txt
@@ -200,6 +200,7 @@ flbxutz
 fmw
 fqdn
 freefonts
+FreeIPA
 frmo
 fsid
 fultonj
diff --git a/roles/adoption_osp_deploy/README.md b/roles/adoption_osp_deploy/README.md
@@ -31,6 +31,7 @@ configure the OSP17.1 deployment.
 * `cifmw_adoption_osp_deploy_bgp`: (Boolean) Enable BGP support for the OSP
   deployment. When enabled, uses BGP-specific network configurations and
   templates. Defaults to `false`.
+* `cifmw_adoption_osp_deploy_freeipa_admin_password`: (String)  FreeIPA server admin password.
 
 ### Break point
 
diff --git a/roles/adoption_osp_deploy/defaults/main.yml b/roles/adoption_osp_deploy/defaults/main.yml
@@ -32,3 +32,5 @@ cifmw_adoption_osp_deploy_adoption_vars_exclude_nets:
 cifmw_adoption_osp_deploy_overcloud_extra_args: ''
 
 cifmw_adoption_osp_deploy_bgp: false
+
+cifmw_adoption_osp_deploy_freeipa_admin_password: "nomoresecrets"
diff --git a/roles/adoption_osp_deploy/tasks/main.yml b/roles/adoption_osp_deploy/tasks/main.yml
@@ -45,6 +45,12 @@
   loop_control:
     loop_var: overcloud_vars
 
+- name: Prepare FreeIPA environment
+  tags:
+    - tlse
+  ansible.builtin.import_tasks: prepare_freeipa.yml
+  when: cifmw_adoption_osp_deploy_scenario.tlse | default(false)
+
 - name: Prepare undercloud enviornment
   tags:
     - undercloud
diff --git a/roles/adoption_osp_deploy/tasks/prepare_freeipa.yml b/roles/adoption_osp_deploy/tasks/prepare_freeipa.yml
@@ -0,0 +1,165 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Ensure freeipa vm is started and reachable
+  vars:
+    _cifmw_libvirt_manager_layout:
+      vms:
+        free-ipas:
+          start: true
+          disk_file_name: "dummy"
+    cifmw_libvirt_manager_all_vms: >-
+      {%- set vms = {} -%}
+      {%- for vm in _vm_groups['free-ipas'] -%}
+        {%- set _ = vms.update({vm: 'free-ipas'}) -%}
+      {%- endfor -%}
+      {{ vms }}
+    ansible_libvirt_pools: {}
+  ansible.builtin.include_role:
+    name: "libvirt_manager"
+    tasks_from: "start_vms.yml"
+    apply:
+      delegate_to: "{{ cifmw_target_host | default('localhost') }}"
+
+- name: Run prepration tasks on freeipa
+  delegate_to: "free-ipa-0"
+  vars:
+    _freeipa_name: "{{ _vm_groups['free-ipas'] | first }}"
+    _freeipa_net: "{{ cifmw_networking_env_definition.instances[_freeipa_name] }}"
+    freeipa_ip: "{{ _freeipa_net.networks.ocpbm[ip_version|default('ip_v4')] }}"
+    _undercloud_name: "{{ _vm_groups['osp-underclouds'] | first }}"
+    _undercloud_net: "{{ cifmw_networking_env_definition.instances[_undercloud_name] }}"
+    undercloud_ip: "{{ _undercloud_net.networks.ocpbm[ip_version|default('ip_v4')] }}"
+    cloud_domain: "{{ cifmw_adoption_osp_deploy_scenario.cloud_domain }}"
+  block:
+    - name: Ensure needed logins
+      ansible.builtin.include_tasks: login_registries.yml
+      args:
+        apply:
+          delegate_to: "free-ipa-0"
+
+    - name: Set hostname to freeipa-0.{{ cloud_domain }}
+      become: true
+      ansible.builtin.hostname:
+        name: "freeipa-0.{{ cloud_domain }}"
+        use: "systemd"
+
+    - name: Ensure /etc/hosts file correctly maps the FQDN to freeipa IP address
+      become: true
+      ansible.builtin.lineinfile:
+        path: /etc/hosts
+        line: "{{ freeipa_ip }} {{ ansible_hostname }}.{{ cloud_domain }} {{ ansible_hostname }}"
+        create: true
+        state: present
+        mode: "0644"
+
+    - name: Install FreeIPA server packages
+      become: true
+      ansible.builtin.package:
+        name:
+          - ipa-server
+          - ipa-server-dns
+          - curl
+          - iptables
+        state: present
+
+    - name: Update NSS (required for CA server to launch during deploy)
+      become: true
+      ansible.builtin.package:
+        name: nss
+        state: latest # noqa: package-latest
+
+    - name: Deploy FreeIPA server
+      become: true
+      ansible.builtin.command:
+        cmd: >-
+          ipa-server-install -U
+          --hostname freeipa-0.{{ cloud_domain }}
+          --realm {{ cloud_domain.upper() }}
+          --admin-password {{ cifmw_adoption_osp_deploy_freeipa_admin_password }}
+          --ds-password {{ cifmw_adoption_osp_deploy_freeipa_admin_password }}
+          --ip-address={{ freeipa_ip }}
+          --setup-dns
+          --auto-reverse
+          --no-dnssec-validation
+          --allow-zone-overlap
+          --forwarder=192.168.111.1
+
+    - name: Create systemd resolv.conf
+      become: true
+      ansible.builtin.copy:
+        dest: "/usr/lib/systemd/resolv.conf"
+        content: |
+            search {{ cloud_domain }}
+            nameserver 127.0.0.1
+        mode: '0644'
+
+    - name: Create a symbolic link of systemd resolv.conf
+      become: true
+      ansible.builtin.file:
+        src: "/usr/lib/systemd/resolv.conf"
+        dest: "/etc/resolv.conf"
+        owner: root
+        group: root
+        state: link
+        force: true
+
+    - name: Does the DNS ACL exist
+      become: true
+      ansible.builtin.shell: >-
+        ldapsearch -LLL -x -D "cn=Directory Manager" -w {{ cifmw_adoption_osp_deploy_freeipa_admin_password }} -s base
+        -b cn=dns,dc={{ cloud_domain.split(".")[0] }},dc={{ cloud_domain.split(".")[1] }}
+        aci='*Allow hosts to read DNS A/AAA/CNAME/PTR records*' numSubordinates |
+        sed -n 's/^[ \t]*numSubordinates:[ \t]*\(.*\)/\1/p'
+      register: dns_aci_count
+      ignore_errors: true
+
+    - name: Add ACL to allow hosts access to DNS
+      become: true
+      ansible.builtin.shell:
+        cmd: |
+          set -o pipefail
+          cat << EOF | ldapmodify -x -D "cn=Directory Manager" -w {{ cifmw_adoption_osp_deploy_freeipa_admin_password }}
+          dn: cn=dns,dc={{ cloud_domain.split(".")[0] }},dc={{ cloud_domain.split(".")[1] }}
+          changetype: modify
+          add: aci
+          aci: (targetattr = "aaaarecord || arecord || cnamerecord || idnsname || objectclass || ptrrecord")(targetfilter = "(&(objectclass=idnsrecord)(|(aaaarecord=*)(arecord=*)(cnamerecord=*)(ptrrecord=*)(idnsZoneActive=TRUE)))")(version 3.0; acl "Allow hosts to read DNS A/AAA/CNAME/PTR records"; allow (read,search,compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,dc={{ freeipa_domain.split('.')[0] }},dc={{ freeipa_domain.split('.')[1] }}";)
+          EOF
+      when: dns_aci_count.stdout|default(0)|int == 0
+
+    - name: Update /etc/hosts with undercloud's details
+      become: true
+      ansible.builtin.lineinfile:
+        dest: "/etc/hosts"
+        line: "{{ undercloud_ip }} {{ _undercloud_name }}.{{ cloud_domain }} {{ _undercloud_name }}"
+        state: present
+
+    - name: Ensure DNS query is not blocked by iptables
+      become: true
+      ansible.builtin.iptables:
+        action: insert
+        comment: "Allow DNS query"
+        table: filter
+        chain: INPUT
+        jump: ACCEPT
+        protocol: "udp"
+        destination_port: 53
+
+    - name: Restart FreeIPA server
+      become: true
+      ansible.builtin.service:
+        name: ipa
+        state: restarted
diff --git a/roles/adoption_osp_deploy/tasks/prepare_overcloud.yml b/roles/adoption_osp_deploy/tasks/prepare_overcloud.yml
@@ -371,3 +371,61 @@
               dest_file: /usr/share/openstack-tripleo-heat-templates/deployment/cinder/cinder-api-container-puppet.yaml
             - patch_file: files/bgp-tht-frr-patch
               dest_file: /usr/share/openstack-tripleo-heat-templates/deployment/frr/frr-container-ansible.yaml
+
+- name: Run FreeIPA preparation tasks for overcloud nodes
+  when: cifmw_adoption_osp_deploy_scenario.tlse | default(false)
+  vars:
+    cloud_domain: "{{ cifmw_adoption_osp_deploy_scenario.cloud_domain }}"
+    _freeipa_name: "{{ _vm_groups['free-ipas'] | first }}"
+    _freeipa_net: "{{ cifmw_networking_env_definition.instances[_freeipa_name] }}"
+  block:
+    - name: Set 'dns=none' in /etc/NetworkManager/NetworkManager.conf
+      become: true
+      delegate_to: "{{ overcloud_vm }}"
+      community.general.ini_file:
+        path: /etc/NetworkManager/NetworkManager.conf
+        state: present
+        no_extra_spaces: true
+        section: main
+        option: dns
+        value: none
+        backup: true
+        mode: '0644'
+      loop: "{{ _tripleo_nodes_stack[_overcloud_name] }}"
+      loop_control:
+        loop_var: overcloud_vm
+
+    - name: Set PEERDNS to 'no' for eth0
+      become: true
+      delegate_to: "{{ overcloud_vm }}"
+      ansible.builtin.lineinfile:
+        path: "/etc/sysconfig/network-scripts/ifcfg-eth0"
+        regexp: '^PEERDNS=.*'
+        line: 'PEERDNS=no'
+      loop: "{{ _tripleo_nodes_stack[_overcloud_name] }}"
+      loop_control:
+        loop_var: overcloud_vm
+
+    - name: Set dns nameservers for etho0
+      become: true
+      delegate_to: "{{ overcloud_vm }}"
+      ansible.builtin.lineinfile:
+        path: "/etc/sysconfig/network-scripts/ifcfg-eth0"
+        regexp: '^DNS1=.*'
+        line: "DNS1={{ _freeipa_net.networks.ocpbm[ip_version|default('ip_v4')] }}"
+      loop: "{{ _tripleo_nodes_stack[_overcloud_name] }}"
+      loop_control:
+        loop_var: overcloud_vm
+
+    - name: Set resolv.conf content
+      become: true
+      delegate_to: "{{ overcloud_vm }}"
+      ansible.builtin.copy:
+        dest: "/etc/resolv.conf"
+        content: |
+          search {{ cloud_domain }}
+          nameserver {{ _freeipa_net.networks.ocpbm[ip_version|default('ip_v4')] }}
+        mode: "0644"
+      loop: "{{ _tripleo_nodes_stack[_overcloud_name] }}"
+      loop_control:
+        loop_var: overcloud_vm
diff --git a/roles/adoption_osp_deploy/tasks/prepare_undercloud.yml b/roles/adoption_osp_deploy/tasks/prepare_undercloud.yml
@@ -272,3 +272,95 @@
     state: "present"
     mode: "0644"
   loop: "{{ _undercloud_conf.config }}"
+
+- name: Run undercloud FreeIPA enablement tasks
+  when: cifmw_adoption_osp_deploy_scenario.tlse | default(false)
+  vars:
+    cloud_domain: "{{ cifmw_adoption_osp_deploy_scenario.cloud_domain }}"
+    _freeipa_name: "{{ _vm_groups['free-ipas'] | first }}"
+    _freeipa_net: "{{ cifmw_networking_env_definition.instances[_freeipa_name] }}"
+    freeipa_ip: "{{ _freeipa_net.networks.ocpbm[ip_version|default('ip_v4')] }}"
+  delegate_to: "osp-undercloud-0"
+  block:
+    - name: Set resolv.conf content
+      become: true
+      ansible.builtin.copy:
+        dest: "/etc/resolv.conf"
+        content: |
+            search {{ cloud_domain }}
+            nameserver {{ freeipa_ip }}
+        mode: "0644"
+
+    - name: Set hostname on undercloud
+      become: true
+      ansible.builtin.shell: |
+          sudo hostnamectl set-hostname osp-undercloud-0.{{ cloud_domain }}
+          sudo hostnamectl set-hostname --transient osp-undercloud-0.{{ cloud_domain }}
+
+    - name: Create ssh key pair
+      ansible.builtin.user:
+        name: zuul
+        generate_ssh_key: true
+        ssh_key_bits: 2048
+        ssh_key_file: "{{ ansible_user_dir }}/.ssh/id_rsa"
+
+    - name: Slurp pub key
+      ansible.builtin.slurp:
+        src: "{{ ansible_user_dir ~ '/.ssh/id_rsa.pub' }}"
+      register: pub_key
+
+    - name: Ensure zuul can ssh to localhost
+      ansible.posix.authorized_key:
+        user: zuul
+        key: "{{ pub_key['content'] | b64decode }}"
+
+    - name: Run undercloud ipa installer
+      become: true
+      become_user: zuul
+      ansible.builtin.command:
+        cmd: |-
+          ansible-playbook
+          --ssh-extra-args "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
+          /usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml
+      environment:
+        IPA_DOMAIN: "{{ cloud_domain }}"
+        IPA_REALM: "{{ cloud_domain|upper }}"
+        IPA_ADMIN_USER: admin
+        IPA_ADMIN_PASSWORD: "{{ cifmw_adoption_osp_deploy_freeipa_admin_password }}"
+        IPA_SERVER_HOSTNAME: "freeipa-0.{{ cloud_domain }}"
+        UNDERCLOUD_FQDN: "osp-undercloud-0.{{ cloud_domain }}"
+        USER: zuul
+        CLOUD_DOMAIN: "{{ cloud_domain }}"
+
+    - name: Run undercloud ipa installer
+      delegate_to: "osp-undercloud-0"
+      become: true
+      become_user: zuul
+      vars:
+        _undercloud_ipa_install_cmd: >-
+          export IPA_DOMAIN="{{ cloud_domain }}"
+          export IPA_REALM="{{ cloud_domain|upper }}"
+          export IPA_ADMIN_USER=admin
+          export IPA_ADMIN_PASSWORD="{{ cifmw_adoption_osp_deploy_freeipa_admin_password }}"
+          export IPA_SERVER_HOSTNAME="freeipa-0.{{ cloud_domain }}"
+          export UNDERCLOUD_FQDN="osp-undercloud-0.{{ cloud_domain }}"
+          export USER=zuul
+          export CLOUD_DOMAIN="{{ cloud_domain }}"
+          ansible-playbook
+          --ssh-extra-args "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
+          /usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml
+      cifmw.general.ci_script:
+        output_dir: "{{ cifmw_basedir }}/artifacts"
+        script: "{{ _undercloud_ipa_install_cmd }}"
+
+    - name: Edit undercloud.conf for ipa
+      community.general.ini_file:
+        path: ~/undercloud.conf
+        backup: true
+        mode: "0644"
+        section: "{{ item.section }}"
+        option: "{{ item.option }}"
+        value: "{{ item.value }}"
+      with_items:
+        - { section: "DEFAULT", option: "undercloud_nameservers", value: "{{ freeipa_ip }} " }
+        - { section: "DEFAULT", option: "overcloud_domain_name", value: "{{ cloud_domain }}" }
diff --git a/roles/libvirt_manager/tasks/generate_networking_data.yml b/roles/libvirt_manager/tasks/generate_networking_data.yml
@@ -53,7 +53,7 @@
           {%   set _amount = _cifmw_libvirt_manager_layout.vms[_type].amount |
                              default(1) | int                       -%}
           {%   set _range = range(0, _amount)                       -%}
-          {%     if _type is not match('^(controller|ocp|crc).*')   -%}
+          {%     if _type is not match('^(controller|ocp|crc|osp-undercloud).*')   -%}
           {%       set _name = _type ~ _run_id                      -%}
           {%     else                                               -%}
           {%       if _type == 'ocp'                                -%}
diff --git a/scenarios/adoption/hci.yml b/scenarios/adoption/hci.yml
@@ -26,6 +26,15 @@ libvirt_manager_patch_layout:
     # OSP ones
     compute:
       amount: 0
+    free-ipa:
+      <<: *osp_base_conf
+      amount: 1
+      memory: 4
+      cpus: 2
+      disksize: 40
+      nets:
+        - ocpbm
+        - osp_trunk
     osp-undercloud:
       <<: *osp_base_conf
       amount: 1
@@ -100,3 +109,9 @@ networking_mapper_definition_patch:
           start: 100
           length: 1
       networks: *osp_nets
+    free-ipas:
+      network-template:
+        range:
+          start: 190
+          length: 1
+      networks: *osp_nets

-Original file line number
+Diff line change
 fmw
 fqdn
 freefonts
 +FreeIPA
 frmo
 fsid
 fultonj