Ian Wienand c1aff2ed38 kerberos-kdc: role to manage Kerberos KDC servers
This adds a role and related testing to manage our Kerberos KDC
servers, intended to replace the puppet modules currently performing
this task.

This role automates realm creation, initial setup, key material
distribution and replica host configuration.  None of this is intended
to run on the production servers, which are already set up with an
active database, and the role should be effectively idempotent in
production.

Note that this does not yet switch the production servers into the new
groups; this can be done in a separate step under controlled
conditions and with related upgrades of the host OS to Focal.

Change-Id: I60b40897486b29beafc76025790c501b5055313d
2021-03-17 08:30:52 +11:00


# NOTE(review): krb5-kdc is started further down but is not listed here;
# presumably it is pulled in as a dependency of krb5-admin-server — confirm.
- name: Install packages
  package:
    state: present
    name:
      - krb5-admin-server
# Note the following is not really for production, where we already
# have a database set up. It is exercised by testing however.
# The existence of the principal database is what gates the one-shot
# realm bootstrap that follows.
- name: Look for primary database
  register: _db_created
  stat:
    path: /var/lib/krb5kdc/principal
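# Bootstrap a fresh realm only when no principal database exists yet.
# Everything in this block is one-shot: the admin password and the
# principals are created once and reused on later runs.
- name: Setup clean primary
  when: not _db_created.stat.exists
  block:
    # kdb5_util prompts for the master key; 'yes' answers every prompt
    # with it. The key is templated into the command line, so it is
    # shell-quoted (a key containing spaces or metacharacters would
    # otherwise break the command) and the task result is kept out of
    # Ansible output.
    - name: Setup primary db
      shell: |
        yes {{ kerberos_kdc_master_key | quote }} | kdb5_util create -r {{ kerberos_kdc_realm }} -s
      no_log: true
    # Random admin/admin password, generated once and kept on disk for
    # later tasks (and replicas) to read back. Not logged: the rendered
    # content would otherwise appear in diff/verbose output.
    - name: Generate and save admin principal password
      copy:
        dest: '/etc/krb5kdc/admin.passwd'
        content: '{{ lookup("password", "/dev/null chars=ascii_letters,digits length=12") }}'
        owner: root
        group: root
        mode: '0600'
      no_log: true
    # The password is read by the remote shell via $(cat ...), so the
    # command string Ansible records never contains it.
    - name: Setup initial admin principal
      shell: |
        echo "addprinc -pw $(cat /etc/krb5kdc/admin.passwd) admin/admin@{{ kerberos_kdc_realm }}" | kadmin.local
    # https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html
    # It is not strictly necessary to have the primary KDC server in
    # the Kerberos database, but it can be handy if you want to be
    # able to swap the primary KDC with one of the replicas.
    - name: Create primary host principal and keytab
      shell:
        cmd: |
          echo "addprinc -randkey host/{{ inventory_hostname }}" | kadmin.local
          echo "ktadd host/{{ inventory_hostname }}" | kadmin.local
    # Replicas fetch their own keytabs later using the exported admin
    # password; only the principals are created here.
    - name: Create replica host principals
      shell:
        cmd: 'echo "addprinc -randkey host/{{ item }}" | kadmin.local'
      with_inventory_hostnames: kerberos-kdc-replica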
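# The stash file is used to decrypt the on-disk database. Without
# this you are prompted for the master password on daemon start. This
# needs to be distributed to the replicas so they can also open the
# database.
# The slurped (base64) content is key material and would otherwise be
# printed as part of the registered result, so the task is not logged.
- name: Read and save stash file
  slurp:
    src: '/etc/krb5kdc/stash'
  register: kerberos_kdc_stash_file_contents
  no_log: true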
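# Export this so replica servers can use this variable to authenticate
# and create keytabs for their host principals, if they need to.
# Both tasks carry the plaintext admin password in their results
# (slurp content, set_fact's ansible_facts), so neither is logged.
- name: Read in admin/admin password
  slurp:
    src: "/etc/krb5kdc/admin.passwd"
  register: _admin_password
  no_log: true
- name: Export admin password
  set_fact:
    kerberos_kdc_admin_password: '{{ _admin_password.content | b64decode }}'
  no_log: true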
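# kprop is what pushes the db to replicas. Set it up to run via cron
# periodically.
- name: Install kprop script
  template:
    src: 'run-kprop.sh.j2'
    dest: '/usr/local/bin/run-kprop.sh'
    # Quoted: an unquoted 0755 is read by YAML as an integer, not as
    # the octal mode string. Same style as the '0600' on admin.passwd.
    mode: '0755'
    owner: root
    group: root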
# Runs at 15 minutes past every hour; the script's output is discarded.
- name: kprop cron to push db to replicas
  cron:
    name: kprop
    job: '/usr/local/bin/run-kprop.sh >/dev/null 2>&1'
    minute: 15
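# Start the kadmin daemon now and enable it at boot. 'true' rather
# than 'yes' so the boolean does not depend on YAML 1.1 semantics.
- name: start krb5-admin-server
  systemd:
    name: krb5-admin-server
    state: started
    enabled: true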
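# Start the KDC now and enable it at boot. 'true' rather than 'yes'
# so the boolean does not depend on YAML 1.1 semantics.
- name: start krb5-kdc
  systemd:
    name: krb5-kdc
    state: started
    enabled: true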