fix hostkeys in IPA not matching host when persisting keys

sjpb · sjpb · commit ccfa2898da6b · 2025-12-09T17:10:13.000Z
diff --git a/ansible/extras.yml b/ansible/extras.yml
@@ -71,6 +71,7 @@
       ansible.builtin.fail:
         msg: Reboot handler for stackhpc.linux.vgpu role fired unexpectedly. This was supposed to be unreachable.
 
+<<<<<<< HEAD
 - name: Persist hostkeys across rebuilds
   # Must be after filesystems.yml (for storage)
   # and before portal.yml (where OOD login node hostkeys are scanned)
@@ -81,6 +82,8 @@
     - ansible.builtin.import_role:
         name: persist_hostkeys
 
+=======
+>>>>>>> 31751b79 (fix hostkeys in IPA not matching host when persisting keys)
 - name: Install k9s
   become: true
   hosts: k9s
diff --git a/ansible/iam.yml b/ansible/iam.yml
@@ -13,6 +13,18 @@
         tasks_from: addhost.yml
       when: groups['freeipa_server'] | length > 0
 
+- name: Persist hostkeys across rebuilds
+  # Must be:
+  # - after filesystems.yml (for storage)
+  # - before ipa (re)enrolment, which updates IPA record to match actual hostkey
+  # - before portal.yml (where OOD login node hostkeys are scanned)
+  hosts: persist_hostkeys:!builder
+  become: true
+  gather_facts: false
+  tasks:
+    - ansible.builtin.import_role:
+        name: persist_hostkeys
+
 - hosts: freeipa_client
   tags:
     - freeipa
diff --git a/ansible/roles/freeipa/README.md b/ansible/roles/freeipa/README.md
@@ -33,8 +33,16 @@ Support FreeIPA in the appliance. In production use it is expected the FreeIPA s
   - This is implemented when using the site OpenTofu; on the control node `appliances_state_dir` defaults to `/var/lib/state` which is mounted from a volume.
   - Nodes are not re-enroled by a [Slurm-driven reimage](../../collections/ansible_collections/stackhpc/slurm_openstack_tools/roles/rebuild/README.md) (as that does not run this role).
   - If both a backed-up keytab and `freeipa_host_password` exist, the former is used.
+<<<<<<< HEAD
 
 ### Role Variables for Clients
+=======
+  - When re-enroling, the host record in FreeIPA host record is updated with the
+    current hostkey. The `persist_hostkeys` role may be used if rebuilds/reimages
+    should not change keys.
+
+## Role Variables for Clients
+>>>>>>> 31751b79 (fix hostkeys in IPA not matching host when persisting keys)
 
 - `freeipa_host_password`. Required for initial enrolment only, FreeIPA host password as described above.
 - `freeipa_setup_dns`: Optional, whether to use the FreeIPA server as the client's nameserver. Defaults to `true` when `freeipa_server` contains a host, otherwise `false`.
