Plan:_FreeIPA_and_OpenShift_Enterprise_integration_with_Puppet

Plan:_FreeIPA_and_OpenShift_Enterprise_integration_with_Puppet#

NOTICE#

This is a draft - the project is not yet complete - not even sure if it will work.

Problem Definition#

Currently, there is no easy way to implement an internal cloud with OpenShift Enterprise on RHEL/Fedora systems that can seemlessly integrate with IPA.

Hope to Achieve#

  • Provide a way for current or potential enterprise RHEL/Fedora + IPA users to easily implement an internal cloud using OpenShift technology.

  • To make a Puppet module to configure and manage the state of an OpenShift cloud implentation that integrates with an IPA instance.

Deliverables#

  • Puppet Module

  • Proof of Concept with mini-internal cloud

    • 5 Fedora 18 Machines

      • IPA Server

      • Puppet Master

      • OpenShift Broker/Puppet Agent

      • OpenShift Node/Puppet Agent

      • User/Developer workstation

    • Windows AD Trust with IPA Server

    • Demo application running on internal cloud

Proposed Implementation#

Assumptions#

  • IPA Server already configured (with or without Windows AD trust)

  • Puppet Master & Agents are IPA Clients

  • OpenShift Brokers & Nodes are both IPA Clients and Puppet Agents

  • IPA manages Puppet Master as host/service

  • IPA manages Host SSH keys for both Broker + Node as host_keys

  • IPA manages SSH keys for User/Developer as authorized_keys

  • Puppet manages IPA Clients (Brokers/Nodes) through IPA delegated host management

  • Puppet Agents are configured to query Master every ${x} minutes for catalog

Initial Setup of IPA and Puppet#

  • Enroll Puppet Master as a host + service in IPA

    • puppetmaster/puppet.${DOMAIN}

    • puppet/puppet.${DOMAIN}

  • Enroll Puppet Agent as a service in IPA

  • Generate service certificate for puppetmaster

  • Generate service certificates for the puppet agents

  • Setup the puppetmaster to use Apache with Passenger and mod_nss (see blogpost)

  • Generate keytabs for both Puppet Master and Agent

Puppet IPA/OpenShift Module in Detail#

  1. Puppet’s init script selects IPA setup = True

  2. NTP is configured from Agent -> IPA Server

  3. If operating system is Fedora, then packages = `freeipa-`, otherwise, `ipa-`

  4. Puppet ensures that both ipa-client and ipa-admintools are present on the system

  5. Ensure that the appropriate ports are open for IPA

  6. If /etc/ipa/default.conf does not exist, then execute ipa-client-install --ssh-trust-dns command with appropriate parameters as sudo/root.

    1. Configures Broker as a host in IPA

    2. Configures host SSH keys for IPA + SSSD

  7. If /etc/krb5.keytab (and /etc/httpd/conf/krb5.keytab for a Broker machine) is not present, then Puppet Master, as a delegated host, runs:

    $ kinit -kt /etc/krb5.keytab host/`hostname`

    $ ipa-service-add HTTP/${broker/node}.example.com

    $ ipa-getkeytab -s `hostname` -k /etc/httpd/conf/krb5.keytab -p HTTP/${broker/node}.example.com

  8. If the Puppet Agent is a Broker:

    1. Now that keytab definitely exists, ensure that apache is the owner of /etc/httpd/conf/krb5.keytab.

    2. Ensure that the auth plugin for Apache configuration is present using a Puppet template, including mod_auth_kerb.

    3. Ensure REMOTE_USER is used for the Apache instance on the Console (note: two HTTP instances, one ‘Broker’ one ‘Console’.

    4. Have Broker’s DHCP + BIND plays nice with IPA’s DNS server using a Puppet template. An overview of how-to.

Open Questions#

  • Will the delegated host bit work? re: # 7 of the Module in Detail

  • Is the /etc/ipa/default.conf file enough to determine if ipa-client is not installed? Should I catch the error of ‘ipa-client is already installed’?

    • if error of already installed, then `ipa-client-install –uninstall`

    • remove all keytabs left behind

    • run ipa-client-install --ssh-trust-dns

  • Can databases, such as Mongo, MySQL, Postgres, be enrolled as a host and/or service w/ IPA?

Reference Documentation & Research#