PR#776: copr-fe: support for principal alias - fedora-infra/ansible

fedora-infra / ansible

#776 copr-fe: support for principal alias

Merged 2 years ago by kevin. Opened 2 years ago by schlupov.

fedora-infra/ schlupov/ansible copr_krb_alias into main

copr-fe: support for principal alias

Silvie Chlupova • 2 years ago

3f5cb87

inventory/host_vars/copr-fe-dev.aws.fedoraproject.org

file modified

		`@@ -2,6 +2,7 @@`
		`datacenter: aws`
		`inventory_hostname: "copr-fe-dev.aws.fedoraproject.org"`
		`inventory_instance_name: copr-fe-dev`
		`+ principal_alias: "HTTP/copr-fe-dev.cloud.fedoraproject.org@STG.FEDORAPROJECT.ORG"`

		`nm_controlled_resolv: True`
		`ansible_ifcfg_blocklist: True`

roles/copr/frontend-cloud/tasks/httpd.yml

file modified

		`@@ -99,3 +99,4 @@`
		`kt_location: /etc/httpd/conf.d/copr-frontend-http-api.keytab`
		`owner_group: apache`
		`owner_user: apache`
		`+ principal_alias: "{{ principal_alias }}"`

roles/ipa/service/tasks/main.yml

file modified

		`@@ -14,6 +14,9 @@`
		`ipaservice:`
		`ipaadmin_password: "{{ ipa_admin_password }}"`
		`name: "{{ service }}/{{ host }}"`
		`+ {% if principal_alias is defined %}`
		`+ principal: "{{ principal_alias }}"`
		`+ {% endif %}`
		`force: yes`
		`tags:`
		`- config`

schlupov commented 2 years ago

Relates: https://pagure.io/fedora-infrastructure/issue/10065

I'm not sure if this solution is ok, but I would like to solve issue 10065, unfortunately, I don't have access to batcave to try it. I used the variable principal from https://github.com/freeipa/ansible-freeipa/blob/master/readme-service.md.

zuul commented 2 years ago

Build succeeded.

fi-ansible--ansible-review-diff : SUCCESS in 2m 28s

kevin commented 2 years ago

That seems ok, but can you make it optional so as not to break all existing ones? ie, something like

{% if principal_alias is defined %}
principal: "{{ principal_alias }}"
{% endif %}

Also, can this wait until after beta freeze, or would you like it sooner?

rebased onto 58e5ebb5c5f36fea2ad5fc6fcbe2e6bef79b8a25

2 years ago

zuul commented 2 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

fi-ansible--ansible-review-diff : FAILURE in 2m 21s

schlupov commented 2 years ago

Well, the sooner the better, on the other hand, I don't want to break anything now so it can wait until after beta freeze, it's not like Copr wouldn't work without this change.

rebased onto 95687629e88c3fb694e07034d966d0c4bbd87a74

2 years ago

zuul commented 2 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci