Nelson LAMEIRAS via FreeIPA-users wrote:
> Hi all,
>
> I'm looking for a way to automatize certificate creation for services hosted
> on servers inside a highly available cluster.
>
> example: we have the following setup:
> - http/serverha (an IPA service that will be highly available)
> - server01 (not kickstarted yet)
> - server02 (not kickstarted yet)
>
> Both server01 and server02 must be able to get http/serverha certificate when
> kickstarted, but I find this impossible because they are not part of "managed
> by" hosts configured in service http/serverha
> I'm forced to add manually each host to "managed by" section of the service,
> but only after it is kickstarted, which ruins my automation goal
>
> I hope this explanation is clear.
>
> 1 - Is there an elegant (ie. official) way to automatically manage this
> situation?
> 2 - My intuitive solution would be to use automember to put server01 and
> server02 inside the same hostgroup and to be able to add hostgroups to the
> "managed by" section on a service, but this is not possible on my current
> setup (IPA v4.6.8) - only adding hosts (not hostgroups!) is allowed. Could
> this be a legitimate RFE I should write?
>
> Please note that I'm not supposed to know beforehand the precise name of
> serverXY - it could be server24... ;)

To use automember for this you'd need a new configuration as the current configuration only adds member not other attributes. See cn=automember,cn=etc,dc=example,dc=test.

I suspect this would do very unexpected things though and add managedby to entries you don't want. For it to work you need to be able to control the regex of hostnames otherwise there's no chance for it to work.

There is no way to use hostgroups for managedby that I can think of.

rob
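
One way to get a similar result without automember, as an added example that is not from this thread or from the FreeIPA project: a job run by an administrator that selects enrolled hosts with a strictly anchored hostname regex and adds each one to the service with `ipa service-add-host`. The domain example.test, the two-digit serverNN naming scheme and the service principal are assumptions.

```shell
#!/bin/sh
# Added example: grant "managed by" on one service to hosts matching a pattern.
# Assumed (not from the thread's real environment): domain example.test,
# the serverNN naming scheme, and the service principal below.
SERVICE="HTTP/serverha.example.test"
# Anchored at both ends with the dots escaped, so names that merely contain
# "server01" (a prefix, a longer number, a foreign suffix) cannot match.
PATTERN='^server[0-9]{2}\.example\.test$'

# Extract FQDNs from `ipa host-find --pkey-only` output ("  Host name: fqdn").
parse_host_find() {
    sed -n 's/^[[:space:]]*Host name:[[:space:]]*//p'
}

# Read one hostname per line on stdin, print only those matching PATTERN.
select_cluster_hosts() {
    grep -E -- "$PATTERN" || true
}

# Print the commands that would be run, one per selected host (dry run).
plan_managedby() {
    while IFS= read -r host; do
        printf 'ipa service-add-host %s --hosts=%s\n' "$SERVICE" "$host"
    done
}

# Run the change for each selected host.
apply_managedby() {
    while IFS= read -r host; do
        ipa service-add-host "$SERVICE" --hosts="$host"
    done
}

# Constructed sample of host-find output, used when run without --apply.
SAMPLE='  Host name: server01.example.test
  Host name: server24.example.test
  Host name: server011.example.test
  Host name: buildserver01.example.test
  Host name: server02.example.test.lab.test'

if [ "${1:-}" = "--apply" ]; then
    # Needs a Kerberos ticket for a user allowed to modify the service.
    ipa host-find --pkey-only --sizelimit=0 | parse_host_find \
        | select_cluster_hosts | apply_managedby
else
    printf '%s\n' "$SAMPLE" | parse_host_find | select_cluster_hosts | plan_managedby
fi
```

Without `--apply` the script only prints the plan for the constructed sample, which makes it easy to review what a pattern change would grant before running it against the directory.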
