Greetings Stackers,

Recently, I brought up a discussion around deploying FreeIPA via TripleO-Quickstart vs TripleO. This is part of a larger discussion around expanding security related CI coverage for OpenStack.

A few months back, I added the ability to deploy FreeIPA via TripleO-Quickstart through three reviews:

1) Adding a role to deploy FreeIPA via OOOQ_E [1]
2) Providing OOOQ with the ability to deploy a supplemental node (alongside the undercloud) [2]
3) Update the quickstart-extras playbook to deploy FreeIPA [3]

The reasoning behind this is as follows (copied from a conversation with jaosorior):

> So the deal is that both the undercloud and the overcloud need to be
> registered as a FreeIPA client.
> This is because they need to authenticate to it in order to execute actions.
>
> * The undercloud needs to have FreeIPA credentials because it's running
>   novajoin, which in turn executes requests to FreeIPA in order to create
>   service principals
>   - The service principals are ultimately the service name and the node name
>     entries for which we'll request the certificates.
> * The overcloud nodes need to be registered and authenticated to FreeIPA
>   (which right now happens through a cloud-init script provisioned by
>   nova/nova-metadata) because that's how it requests certificates.
>
> So the flow is as follows:
>
> * FreeIPA node is provisioned.
>   - We'll appropriate credentials at this point.
>   - We register the undercloud as a FreeIPA client and get an OTP (one time
>     password) for it
>   - We add the OTP to the undercloud.conf and enable novajoin.
> * We trigger the undercloud install.
>   - after the install, we have novajoin running, which is the service that
>     automatically registers the overcloud nodes to FreeIPA.
> * We trigger the overcloud deploy
>   - We need to set up a flag that tells the deploy to pass appropriate nova
>     metadata (which tells novajoin that the nodes should be registered).
>   - profit!! we can now get certificates from the CA (and do other stuff that
>     FreeIPA allows you to do, such as use kerberos auth, control sudo rights
>     of the nodes' users, etc.)
>
> Since the nodes need to be registered to FreeIPA, we can't rely on FreeIPA
> being installed by TripleO, even if that's possible by doing it through a
> composable service.
> If we would use a composable service to install FreeIPA, the flow would be
> like this:
>
> * Install undercloud
> * Install overcloud with one node (running FreeIPA)
> * register undercloud node to FreeIPA and modify undercloud.conf
> * Update undercloud
> * scale overcloud and register the rest of the nodes to FreeIPA through
>   novajoin.
>
> So, while we could install FreeIPA with TripleO, this really complicates the
> deployment to an unnecessary point.
>
> So I suggest keeping the current behavior, which treats FreeIPA as a separate
> node to be provisioned before the undercloud. And if folks would like to have
> a separate FreeIPA node for their overcloud deployment (which could provision
> certs for the tenants) then we could do that as a composable service, if
> people request it.

I am now re-raising this to the group at large for discussion about the merits of this approach vs deploying via TripleO itself.

[1] - https://review.openstack.org/#/c/436198/
[2] - https://review.openstack.org/#/c/451523/
[3] - https://review.openstack.org/#/c/453223/

/R
Harry Rybacki

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
