This Ansible Playbook configures an existing virtual machine running within the European Weather Cloud (EWC) to operate as a FreeIPA server.

IPA (acronym for identity, policy and audit), provides integrated identity management and DNS services, enabling centralized user authentication, authorization, and resource discovery.

Ideal for tenant administrators, this template simplifies the setup of a secure, open-source identity and DNS solution in the EWC environment. Follow the instructions below to configure your server.

Functionality

The template is designed to:

• Validate that network/subnet configuration in the EWC tenancy
• Configure a pre-existing virtual machine running RockyLinux version 8 or 9, and with a minimum recommended 4GB of RAM, such that it:
  • Provides DNS resolutions for discovery of resources (i.e. other virtual machines)
  • Enables centralized user and credentials creation/edition/deletion/authentication
  • Allows centralized authorization between users and resources
• Automatically update the underlying subnet DNS nameserver to point to the newly configured IPA server

⚠️ Successful execution leads to changes of the DNS nameserver(s) in your OpenStack subnet (includes now only the IP address of the new IPA server). This can negatively affect existing VMs within your subnet. To prevent issues, programmatically update each VM via the IPA Client Enroll Flavour CommunityHub Item. Alternatively, you can manually add the new nameserver to their DNS configuration.

Prerequisites

• Install git (version 2.0 or higher )
• Install python (version 3.9 or higher)
• Install ansible (version 2.15 or higher)
• Get OpenStack API credentials (see How to request OpenStack Application Credentials section of the EWC documentation)
• If you plan to configure an existing VM, jump to the Usage section below
• If you have not yet provisioned a VM, it is required to do so. You may choose one of the following approaches:

  • A) Provision a new VM via UI:

    • Create an SSH keypair (see Creating the keys section of the EWC documentation)
    • Import the SSH public key into Morpheus (see Adding the keys in Morpheus section of the EWC documentation)
    • Provision a new VM through the web portal (see Provision a new Instance - Web section of the EWC) documentation

    OR

  • B) Provision a new VM via CLI:

    • Create an SSH keypair (see Creating the keys section of the EWC documentation)
    • Add you SSH public key to OpenStack (see Import SSH Key section of the EWC documentation).
    • Provision a new VM via the OpenStack CLI (see How to create a VM using the OpenStack CLI section of the EWC documentation)

    OR

  • C) Deploy this template, together with a new VM, as part of the IPA Server Provisioning Community Hub Item

    OR

  • D) Deploy this template, together with a new VM, via the EWCCLI

Usage

1. Clone the repository

git clone https://github.com/ewcloud/ewc-ansible-playbook-flavours-and-provisioning.git

1.1. Change to the specific Item's subdirectory

cd ewc-ansible-playbook-flavours-and-provisioning/playbooks/ipa-server-flavour

1.2. (Optional) Checkout an specific Item's version

⚠️ Make sure to replace x.y.z in the command below, with your version of preference.

git checkout x.y.z

2. Download Ansible dependencies

💡 By default, Ansible Roles are installed under the ~/.ansible/roles directory within your working environment.

Download the correct version of the Ansible dependencies, if you haven't done so already:

ansible-galaxy role install -r requirements.yml

3. Specify the target host and SSH credentials

Create an inventory file to specify address/credentials that Ansible should use to reach the virtual machine you wish to configure:

# inventory.yml
---
ewcloud:
  hosts:
    ipa_server:
      ansible_python_interpreter: /usr/bin/python3
      ansible_host: <add the IPV4 address of the target host>
      ansible_ssh_private_key_file: <add the path to local SSH private key file>
      ansible_user: cloud-user
      ansible_ssh_common_args: -o StrictHostKeyChecking=accept-new

4. Configure and apply the template

4.1. Interactive Mode

By running the following command, you can trigger an interactive session that prompts you for the necessary user inputs, and then applies changes to your target EWC environment:

ansible-playbook -i inventory.yml ipa-server-flavour.yml

4.2. Non-Interactive Mode

💡 To learn more about defining variables at runtime, checkout the official Ansible documentation.

You can also run in non-interactive mode by passing the --extra-vars or -e flag, followed by a map of key-value pairs; one for each and every available input (see inputs section below). For example:

ansible-playbook \
  -i inventory.yml \
  -e '{
      "ipa_domain": "eumetsat.sandbox.ewc",
      "ipa_server_hostname": "ipa-server-1",
      "ipa_admin_username": "ipaadmin",
      "ipa_admin_password": "my-secret-password",
      "ipa_admin_givenname": "EWC",
      "ipa_admin_surname": "IPAADMIN",
      "os_network_name": "private",
      "os_security_group_name": "ipa"
    }' \
  ipa-server-flavour.yml

Inputs

Dependencies

⚠️ Only RockyLinux 9.5 and RockyLinux 8.10 VM images are currently supported. This is due to constrains imposed by the required ewc-ansible-role-ipa-server Ansible Role.

💡 A VM plan with at least 4GB of RAM is recommended for successful setup and stable operation.