IPA Server Flavour

This Ansible Playbook configures an existing virtual machine running within the European Weather Cloud (EWC) to operate as a FreeIPA server.

IPA (acronym for identity, policy and audit), provides integrated identity management and DNS services, enabling centralized user authentication, authorization, and resource discovery.

Ideal for tenant administrators, this template simplifies the setup of a secure, open-source identity and DNS solution in the EWC environment. Follow the instructions below to configure your server.

Functionality

The template is designed to:

• Validate that network/subnet configuration in the EWC tenancy
• Configure a pre-existing virtual machine running RockyLinux version 8 or 9, and with a minimum recommended 4GB of RAM, such that it:
  • Provides DNS resolutions for discovery of resources (i.e. other virtual machines)
  • Enables centralized user and credentials creation/edition/deletion/authentication
  • Allows centralized authorization between users and resources

Prerequisites

⚠️ Only RockyLinux version 8 is supported due to constrains imposed by dependencies.

💡 A VM plan with at least 4GB of RAM is recommended for successful setup and stable operation.

• Install git (version 2.0 or higher )
• Install python (version 3.9 or higher)
• Install ansible (version 2.15 or higher)
• Get OpenStack API credentials (see How to request OpenStack Application Credentials section of the EWC documentation)
• If you plan to configure an existing VM, jump to the Usage section below
• If you have not yet provisioned a VM, it is required to do so. You may choose one of the following approaches:

  • A) Provision a new VM via UI:

    • Create an SSH keypair (see Creating the keys section of the EWC documentation)
    • Import the SSH public key into Morpheus (see Adding the keys in Morpheus section of the EWC documentation)
    • Provision a new VM through the web portal (see Provision a new Instance - Web section of the EWC) documentation

    OR

  • B) Provision a new VM via CLI:

    • Create an SSH keypair (see Creating the keys section of the EWC documentation)
    • Add you SSH public key to OpenStack (see Import SSH Key section of the EWC documentation).
    • Provision a new VM via the OpenStack CLI (see How to create a VM using the OpenStack CLI section of the EWC documentation)

    OR

  • C) Deploy this template, together with a new VM, as part of the IPA Server Provisioning Community Hub Item

    OR

  • D) Deploy this template, together with a new VM, via the EWCCLI

Usage

1. Clone the repository

git clone https://github.com/ewcloud/ewc-ansible-playbook-flavours-and-provisioning.git

1.1. Change to the specific Item's subdirectory

cd ewc-ansible-playbook-flavours-and-provisioning/playbooks/ipa-server-flavour

1.2. (Optional) Checkout an specific Item's version

⚠️ Make sure to replace x.y.z in the command below, with your version of preference.

git checkout x.y.z

2. Download Ansible dependencies

💡 By default, Ansible Roles are installed under the ~/.ansible/roles directory within your working environment.

Download the correct version of the Ansible dependencies, if you haven't done so already:

ansible-galaxy role install -r requirements.yml

3. Specify the target host and SSH credentials

Create an inventory file to specify address/credentials that Ansible should use to reach the virtual machine you wish to configure:

# inventory.yml
---
ewcloud:
  hosts:
    ipa_server:
      ansible_python_interpreter: /usr/bin/python3
      ansible_host: <add the IPV4 address of the target host>
      ansible_ssh_private_key_file: <add the path to local SSH private key file>
      ansible_user: cloud-user
      ansible_ssh_common_args: -o StrictHostKeyChecking=accept-new

4. Configure and apply the template

4.1. Interactive Mode

By running the following command, you can trigger an interactive session that prompts you for the necessary user inputs, and then applies changes to your target EWC environment:

ansible-playbook -i inventory.yml ipa-server-flavour.yml

4.2. Non-Interactive Mode

💡 To learn more about defining variables at runtime, checkout the official Ansible documentation.

You can also run in non-interactive mode by passing the --extra-vars or -e flag, followed by a map of key-value pairs; one for each and every available input (see inputs section below). For example:

ansible-playbook \
  -i inventory.yml \
  -e '{
      "ipa_domain": "eumetsat.sandbox.ewc",
      "ipa_server_hostname": "ipa-server-1",
      "ipa_admin_username": "ipaadmin",
      "ipa_admin_password": "my-secret-password",
      "ipa_admin_givenname": "EWC",
      "ipa_admin_surname": "IPAADMIN",
      "os_network_name": "private",
      "os_security_group_name": "ipa"
    }' \
  ipa-server-flavour.yml

5. Manullay update DNS nameserver(s)

⛔ Changes described in this section can potentially affect DNS resolution on existing VMs within your subnet. To prevent issues, enroll them to the new IPA server via the IPA Client Enroll Flavour CommunityHub Item, OR manually edit nameservers in their DNS configuration.

After successful execution of the template, additional changes to the OpenStack subnet are required. You can edit your specific OpenStack subnet, as well as any other OpenStack resource, with the native OpenStack CLI.

First, take note of the IP address of your newly configured IPA server and the subnet attached to it, replace these information in the command below, and execute:

openstack subnet set \
  --dns-nameserver <IPV4 address of the IPA server> \
  <ID or name of the OpenStack Subnet attached to the IPA server>

Then remove any default DNS nameservers which where added to the subnet prior to the IPA server configuration:

openstack subnet unset \
  --dns-nameserver <IPV4 address of any prior default DNS nameserver> \
  <ID or name of the OpenStack Subnet attached to the IPA server>

Inputs