(*) migrate from puppet-finland/easy_ipa -> lsst/ipa

Puppetfile

@@ -24,6 +24,7 @@ mod 'lsst/daq', '2.2.0'
 mod 'lsst/dellperc', '2.0.0'
 mod 'lsst/foreman_envsync', '2.1.0'
 mod 'lsst/helm_binary', '2.1.0'
+mod 'lsst/ipa', git: 'https://github.com/lsst-it/puppet-ipa', ref: '8ec66d1'
 mod 'lsst/java_artisanal', '3.3.0'
 mod 'lsst/kubectl', '1.1.0'
 mod 'lsst/maven', '3.1.0'
@@ -39,7 +40,6 @@ mod 'puppet/chrony', '3.0.0'
 mod 'puppet/cron', '4.1.0'
 mod 'puppet/epel', '4.1.0'
 mod 'puppet/extlib', '7.0.0'
-mod 'puppetfinland/easy_ipa', '3.1.0'
 mod 'puppet/firewalld', git: 'https://github.com/voxpupuli/puppet-firewalld', ref: '1eb95e1'  # stdlib 9.x
 mod 'puppet/hosts', '0.1.0'
 mod 'puppet/ipset', '4.0.0'

hieradata/common.yaml

@@ -142,22 +142,16 @@ ssh::server::match_block:
     <<: *authorized_keys
   csilva_b:
     <<: *authorized_keys
-# easy_ipa server options
+# ipa server options
 # defines the uid/gid of the admin user
 # needs to be coordinated between master + replicas
-easy_ipa::idstart: 70000
-easy_ipa::idmax: 79999
-easy_ipa::domain: "lsst.cloud"
-easy_ipa::ipa_master_fqdn: "ipa1.cp.lsst.org"
-# easy_ipa client options
-easy_ipa::ipa_role: "client"
-easy_ipa::configure_ntp: false
-easy_ipa::configure_sshd: false
-easy_ipa::install_autofs: false
-easy_ipa::install_epel: false
-easy_ipa::install_kstart: false
-easy_ipa::install_sssd: false
-easy_ipa::install_sssdtools: false
+ipa::idstart: 70000
+ipa::idmax: 79999
+ipa::domain: "lsst.cloud"
+ipa::ipa_master_fqdn: "ipa1.cp.lsst.org"
+# ipa client options
+ipa::ipa_role: "client"
+ipa::configure_ntp: false
 epel::epel_managed: true
 epel::epel_source_managed: false
 epel::epel_debuginfo_managed: true
@@ -347,10 +341,10 @@ sssd::main_config:
       - "sudo"
   nss:
     homedir_substring: "/home"
-  "domain/%{lookup('easy_ipa::domain')}":
+  "domain/%{lookup('ipa::domain')}":
     cache_credentials: true
     krb5_store_password_if_offline: true
-    ipa_domain: "%{lookup('easy_ipa::domain')}"
+    ipa_domain: "%{lookup('ipa::domain')}"
     id_provider: "ipa"
     auth_provider: "ipa"
     access_provider: "ipa"
@@ -359,8 +353,8 @@ sssd::main_config:
     chpass_provider: "ipa"
     ipa_server:
       - "_srv_"
-      - "%{lookup('easy_ipa::ipa_master_fqdn')}"
-    dns_discovery_domain: "%{::site}._locations.%{lookup('easy_ipa::domain')}"
+      - "%{lookup('ipa::ipa_master_fqdn')}"
+    dns_discovery_domain: "%{::site}._locations.%{lookup('ipa::domain')}"
 sssd::package_name:
   - "sssd"
   - "sssd-tools"  # not installed by default
@@ -385,25 +379,25 @@ mit_krb5::ticket_lifetime: "24h"
 mit_krb5::udp_preference_limit: "0"
 mit_krb5::realms:
   "%{lookup('mit_krb5::default_realm')}":
-    kdc: "%{lookup('easy_ipa::ipa_master_fqdn')}:88"
-    master_kdc: "%{lookup('easy_ipa::ipa_master_fqdn')}:88"
-    admin_server: "%{lookup('easy_ipa::ipa_master_fqdn')}:749"
-    kpasswd_server: "%{lookup('easy_ipa::ipa_master_fqdn')}:464"
-    default_domain: "%{lookup('easy_ipa::domain')}"
+    kdc: "%{lookup('ipa::ipa_master_fqdn')}:88"
+    master_kdc: "%{lookup('ipa::ipa_master_fqdn')}:88"
+    admin_server: "%{lookup('ipa::ipa_master_fqdn')}:749"
+    kpasswd_server: "%{lookup('ipa::ipa_master_fqdn')}:464"
+    default_domain: "%{lookup('ipa::domain')}"
     pkinit_anchors: "FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem"
     pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
 mit_krb5::domain_realms:
   "%{lookup('mit_krb5::default_realm')}":
     domains:
-      - ".%{lookup('easy_ipa::domain')}"
-      - "%{lookup('easy_ipa::domain')}"
+      - ".%{lookup('ipa::domain')}"
+      - "%{lookup('ipa::domain')}"
       - "%{facts.fqdn}"
       - ".%{facts.domain}"
       - "%{facts.domain}"
 
 openldap::client::tls_cacertdir: "/etc/openldap/certs"
 openldap::client::sasl_nocanon: true
-openldap::client::uri: "ldaps://%{lookup('easy_ipa::ipa_master_fqdn')}"
+openldap::client::uri: "ldaps://%{lookup('ipa::ipa_master_fqdn')}"
 openldap::client::base: "dc=lsst,dc=cloud"
 openldap::client::tls_cacert: "/etc/ipa/ca.crt"
 openldap::client::sasl_mech: "GSSAPI"
@@ -412,10 +406,10 @@ profile::core::ipa::default:
   global:
     basedn: "%{lookup('openldap::client::base')}"
     realm: "%{lookup('mit_krb5::default_realm')}"
-    domain: "%{lookup('easy_ipa::domain')}"
-    server: "%{lookup('easy_ipa::ipa_master_fqdn')}"
+    domain: "%{lookup('ipa::domain')}"
+    server: "%{lookup('ipa::ipa_master_fqdn')}"
     host: "%{facts.fqdn}"
-    xmlrpc_uri: "https://%{lookup('easy_ipa::ipa_master_fqdn')}/ipa/xml"
+    xmlrpc_uri: "https://%{lookup('ipa::ipa_master_fqdn')}/ipa/xml"
     enable_ra: "True"
 
 profile::core::monitoring::database: "telegraf"

hieradata/node/ipa1.dev.lsst.org.yaml

@@ -1,3 +1,3 @@
 ---
 # need to use an off site ipa replica to bootstrap the first local ipa instance
-easy_ipa::ipa_master_fqdn: "ipa2.ls.lsst.org"
+ipa::ipa_master_fqdn: "ipa2.ls.lsst.org"

hieradata/node/ipa1.ls.lsst.org.yaml

@@ -1,3 +1,3 @@
 ---
 # need to use an off site ipa replica to bootstrap the first local ipa instance
-easy_ipa::ipa_master_fqdn: "ipa1.tu.lsst.org"
+ipa::ipa_master_fqdn: "ipa1.tu.lsst.org"

hieradata/node/ipa1.tu.lsst.org.yaml

@@ -1,6 +1,6 @@
 ---
 # need to use an off site ipa replica to bootstrap the first local ipa instance
-easy_ipa::ipa_master_fqdn: "ipa1.cp.lsst.org"
+ipa::ipa_master_fqdn: "ipa1.cp.lsst.org"
 network::interfaces_hash:
   eth0:  # fqdn
     ipaddress: "140.252.146.74"

hieradata/role/cmms.yaml

@@ -1,12 +1,10 @@
 ---
 classes:
   - "accounts"
-  - "easy_ipa"
+  - "ipa"
   - "network"
   - "profile::core::cmms"
   - "puppet_agent"
   - "resolv_conf"
   - "ssh"
   - "sudo"
-
-easy_ipa::install_sssd: true

hieradata/role/ipareplica.yaml

@@ -1,30 +1,21 @@
 ---
 classes:
   - "clustershell"
-  - "easy_ipa"
+  - "ipa"
   - "profile::core::common"
   - "profile::core::ipa_pwd_reset"
   - "tailscale"
 
 profile::core::common::disable_ipv6: true
-profile::core::common::manage_ipa: false
 profile::core::common::manage_krb5: false
 profile::core::common::manage_sssd: false
 profile::core::sysctl::disable_ipv6::disable: false  # ipa-server-install wants ipv6
-easy_ipa::ipa_role: "replica"
-easy_ipa::configure_replica_ca: true
-easy_ipa::install_ipa_server: true
-easy_ipa::enable_ip_address: true
-easy_ipa::webui_disable_kerberos: true
-easy_ipa::webui_enable_proxy: true
-easy_ipa::webui_force_https: true
-easy_ipa::configure_dns_server: false
-easy_ipa::ipa_server_fqdn: "%{facts.fqdn}"
-easy_ipa::ip_address: "%{facts.networking.ip}"
-
-# enable easy_ipa management of sssd packages on servers
-easy_ipa::install_sssd: true
-easy_ipa::install_sssdtools: true
+ipa::ipa_role: "replica"
+ipa::configure_replica_ca: true
+ipa::enable_ip_address: true
+ipa::configure_dns_server: false
+ipa::ipa_server_fqdn: "%{facts.fqdn}"
+ipa::ip_address: "%{facts.networking.ip}"
 
 clustershell::groupmembers:
   ipa:

hieradata/role/ubuntu.yaml

@@ -1,9 +1,7 @@
 ---
 classes:
   - "accounts"
-  - "easy_ipa"
+  - "ipa"
   - "puppet_agent"
   - "ssh"
   - "sudo"
-
-easy_ipa::install_sssd: true

hieradata/site/cp.yaml

@@ -1,7 +1,7 @@
 ---
 docker::log_driver: ~
 docker::log_opt: ~
-easy_ipa::ipa_master_fqdn: "ipa1.cp.lsst.org"
+ipa::ipa_master_fqdn: "ipa1.cp.lsst.org"
 rsyslog::config::actions:
 # Send copy to logs to GKE Graylog instance
   graylogCloud:

hieradata/site/dev.yaml

@@ -1,5 +1,5 @@
 ---
-easy_ipa::ipa_master_fqdn: "ipa1.ls.lsst.org"
+ipa::ipa_master_fqdn: "ipa1.ls.lsst.org"
 rsyslog::config::actions:
 # Send copy to logs to Ruka Cluster
   graylogCloud:

hieradata/site/dmz.yaml

@@ -1,5 +1,5 @@
 ---
-easy_ipa::ipa_master_fqdn: "ipa1.cp.lsst.org"
+ipa::ipa_master_fqdn: "ipa1.cp.lsst.org"
 rsyslog::config::actions:
 # Send copy to logs to GKE Graylog instance
   graylogCloud:

hieradata/site/ls.yaml

@@ -1,5 +1,5 @@
 ---
-easy_ipa::ipa_master_fqdn: "ipa1.ls.lsst.org"
+ipa::ipa_master_fqdn: "ipa1.ls.lsst.org"
 rsyslog::config::actions:
 # Send copy to logs to GKE Graylog instance
   graylogCloud:

hieradata/site/tu.yaml

@@ -1,5 +1,5 @@
 ---
-easy_ipa::ipa_master_fqdn: "ipa1.tu.lsst.org"
+ipa::ipa_master_fqdn: "ipa1.tu.lsst.org"
 profile::core::common::disable_ipv6: true
 rsyslog::config::actions:
 # Send copy to logs to GKE Graylog instance

site/profile/manifests/core/common.pp

@@ -15,11 +15,8 @@
 # @param manage_krb5
 #   Enable or disable management of `/etc/krb5.conf`
 #
-# @param manage_ldap
-#   Enable or disable management of openldap ipa client config
-#
 # @param manage_ipa
-#   Enable or disable management of `/etc/ipa/default.conf`
+#   Enable or disable management of free ipa.
 #
 # @param disable_ipv6
 #   If `true`, disable ipv6 networking support. This parameter is intended to eventually
@@ -48,7 +45,6 @@
   Boolean $manage_chrony = true,
   Boolean $manage_sssd = true,
   Boolean $manage_krb5 = true,
-  Boolean $manage_ldap = true,
   Boolean $manage_ipa = true,
   Boolean $disable_ipv6 = false,
   Boolean $manage_firewall = true,
@@ -61,7 +57,6 @@
   include auditd
   include accounts
   include augeas
-  include easy_ipa
   include hosts
   include lldpd
   include profile::core::bash_completion
@@ -85,8 +80,6 @@
   include timezone
   include tuned
 
-  Class['easy_ipa'] -> Class['ssh']
-
   if fact('os.family') == 'RedHat' {
     include epel
     include profile::core::yum
@@ -126,7 +119,6 @@
 
   if $manage_firewall {
     include firewall
-    Class[easy_ipa] -> Class[firewall]
   }
 
   if $manage_puppet_agent {
@@ -145,14 +137,17 @@
     include profile::core::krb5
   }
 
-  if $manage_ldap {
-    include openldap::client
-    # run ipa-install-* script before trying to managing openldap
-    Class[easy_ipa] -> Class[openldap::client]
-  }
-
   if $manage_ipa {
+    include ipa
+    include openldap::client
     include profile::core::ipa
+
+    # prevent ipa packages from being installed before versionlocks are set
+    Yum::Versionlock<| |> -> Class[ipa]
+
+    # run ipa-install-* script before X
+    Class[ipa] -> Class[ssh]
+    Class[ipa] -> Class[openldap::client]
   }
 
   if $disable_ipv6 {
@@ -178,7 +173,4 @@
   file { '/etc/sysconfig/network-scripts/ifcfg-':
     ensure => absent,
   }
-
-  # prevent ipa packages from being installed before versionlocks are set
-  Yum::Versionlock<| |> -> Class[easy_ipa]
 }

site/profile/manifests/core/ipa.pp

@@ -1,18 +1,18 @@
 # @summary
-#   Manages ipa client configuration -- functionality not provided by easy_ipa.
-#   XXX should be added to easy_ipa and upstream?
+#   Manages ipa client configuration -- functionality not provided by ipa mod.
+#   XXX should be added to ipa mod?
 #
 # @param default
 #   Set values in `/etc/ipa/default.conf`.
 #
 class profile::core::ipa (
   Optional[Hash] $default = undef,
 ) {
-  require easy_ipa
+  require ipa
 
   $param_defaults = {
     'path'  => '/etc/ipa/default.conf',
-    require => Class[easy_ipa],
+    require => Class[ipa],
   }
 
   if $default {

site/profile/manifests/core/ipa_pwd_reset.pp

@@ -148,6 +148,5 @@
     ensure  => file,
     mode    => '0644',
     content => $ipa_reset_http,
-    notify  => Service['httpd'],
   }
 }

site/profile/manifests/core/krb5.pp

@@ -2,10 +2,11 @@
 #   Manage host kerberos configuration
 #
 class profile::core::krb5 {
+  require ipa
   include mit_krb5
 
   # run ipa-install-* script before trying to managing krb5.conf
-  Class[easy_ipa] -> Class[mit_krb5]
+  Class[ipa] -> Class[mit_krb5]
 
   # create /etc/krb5.conf.d files only on EL8+
   unless fact('os.family') == 'RedHat' and fact('os.release.major') == '7' {

site/profile/manifests/core/rke.pp

@@ -16,6 +16,7 @@
   String                         $version       = '1.3.12',
 ) {
   include kmod
+  require ipa
 
   $user = 'rke'
   $uid  = 75500
@@ -29,7 +30,7 @@
     profile::util::keytab { $user:
       uid           => $uid,
       keytab_base64 => $keytab_base64,
-      require       => Class[easy_ipa], # ipa must be setup to use the rke user
+      require       => Class[ipa], # ipa must be setup to use the rke user
     }
   }
 
@@ -41,7 +42,7 @@
     user               => $user,
     owner              => $user,
     group              => $user,
-    require            => Class[easy_ipa], # ipa must be setup to use the rke user
+    require            => Class[ipa], # ipa must be setup to use the rke user
   }
 
   $rke_checksum = $version ? {