Add freeipa roles for PvC pre_setup RHEL only

roles/freeipa_client/defaults/main.yml

@@ -0,0 +1,25 @@
+---
+
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# ipaserver_domain:
+# ipaserver_realm:
+# ipa_hosts:          # List of FQDN of IPA hosts
+# ipa_server_ips:     # List of IP of IPA hosts
+# ipaadmin_principal:
+# ipaadmin_password:
+
+enable_dns: false
+fallback_nameservers: [ "8.8.8.8" ]

roles/freeipa_client/handlers/main.yml

@@ -0,0 +1,18 @@
+---
+
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: restart host
+  ansible.builtin.reboot:

roles/freeipa_client/meta/main.yml

@@ -0,0 +1,44 @@
+---
+
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+galaxy_info:
+  role_name: freeipa_client
+  namespace: cloudera
+  author: Webster Mudge Jim Enright Chuck Levesque
+  description: >
+    Deployment of FreeIPA clients for Cloudera Data Platform (CDP) Base and ECS
+  company: Cloudera
+  namespace: cloudera
+  license: Apache-2.0
+
+  min_ansible_version: 2.10
+
+  platforms:
+  - name: Debian
+    versions: all
+  - name: Fedora
+    versions: all
+  - name: GenericLinux
+    versions: all
+  - name: MacOSX
+    versions: all
+  - name: Ubuntu
+    versions: all
+
+  galaxy_tags:
+  - cloudera
+  - cdp
+  - freeipa

roles/freeipa_client/tasks/main.yml

@@ -0,0 +1,104 @@
+---
+
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Disable SELinux
+  ansible.builtin.selinux:
+    state: disabled
+  notify: restart host
+
+- name: Set up DNS and networking
+  when: enable_dns
+  block:
+    - name: Update RHEL networking
+      when: ansible_facts['os_family'] == 'RedHat'
+      block:
+        - name: Set cloud-init to preserve hostname (RHEL)
+          ansible.builtin.lineinfile:
+            path: /etc/cloud/cloud.cfg
+            regex: "^(#)?preserve_hostname"
+            line: "preserve_hostname: 1"
+            state: present
+          notify: restart host
+
+        - name: Set interface config to preserve resolv.conf changes (RHEL)'
+          ansible.builtin.lineinfile:
+            path: "/etc/sysconfig/network-scripts/ifcfg-{{ ansible_default_ipv4.interface }}"
+            regex: "^(#)?PEERDNS"
+            line: "PEERDNS=no"
+            state: present
+          notify: restart host
+
+        - name: Set /etc/NetworkManager/conf.d/disable-resolve.conf-managing.conf (RHEL)
+          ansible.builtin.copy:
+            dest: /etc/NetworkManager/conf.d/disable-resolve.conf-managing.conf
+            content: |
+              # Generated by Ansible
+              [main]
+              dns=none
+          notify: restart host
+
+        - name: Set /etc/resolv.conf directly
+          ansible.builtin.copy:
+            dest: /etc/resolv.conf
+            content: |
+              # Generated by Ansible
+              search {{ ipaserver_domain }}
+              {{ ['nameserver '] | product(ipa_server_ips | sort) | map('join') | join('\n') }}
+          notify: restart host
+
+    - name: Set /etc/hostname to the FQDN
+      ansible.builtin.copy:
+        content: "{{ inventory_hostname }}"
+        dest: /etc/hostname
+      notify: restart host
+
+    - name: Set /etc/hosts
+      ansible.builtin.copy:
+        dest: /etc/hosts
+        content: |
+          # Set by Ansible
+          {{ ansible_default_ipv4.address }} {{ inventory_hostname }} {{ inventory_hostname_short }}
+      notify: restart host
+
+    - name: Set /etc/dhcp/dhclient.conf for domain search and name servers
+      ansible.builtin.lineinfile:
+        path: /etc/dhcp/dhclient.conf
+        regex: "^(#)?{{ dhclient_entry.value }}"
+        line: "{{ dhclient_entry.value }}"
+        state: present
+      loop: "{{ entries | dict2items }}"
+      loop_control:
+        loop_var: dhclient_entry
+        label: "{{ dhclient_entry.key }}"
+      vars:
+        entries:
+          domain_search: supersede domain-search "{{ ipaserver_domain }}";
+          domain_name_servers: supersede domain-name-servers {{ ipa_server_ips | sort | union(fallback_nameservers) | join(', ') }};
+      notify: restart host
+
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers
+
+- name: Set up the FreeIPA Client
+  ansible.builtin.include_role:
+    name: freeipa.ansible_freeipa.ipaclient
+  vars:
+    state: present
+    ipaclient_hostname: "{{ inventory_hostname }}"
+    ipaclient_servers: "{{ ipa_hosts }}"
+    ipaserver_setup_dns: "{{ enable_dns }}"
+    ipasssd_enable_dns_updates: "{{ enable_dns }}"
+    ipaclient_mkhomedir: yes

roles/freeipa_server/defaults/main.yml

@@ -0,0 +1,27 @@
+---
+
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#ipaserver_realm: "{{ krb5_realm | upper }}"
+#ipaserver_domain: "{{ krb5_domain | default(krb5_realm | lower) }}"
+#ipaserver_setup_firewalld: "no"
+#ipaserver_setup_dns: "{{ freeipa_autodns | default(omit) }}"
+#ipaserver_auto_forwarders:
+#ipadm_password:
+
+# ipaserver_recursion_acl_cidr:
+ipaserver_resolv_nameservers: [ '8.8.8.8' ]
+ipaserver_server_recursion: true
+enable_dns: false

roles/freeipa_server/handlers/main.yml

@@ -0,0 +1,23 @@
+---
+
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: restart host
+  ansible.builtin.reboot:
+
+- name: restart dns
+  ansible.builtin.service:
+    name: named-pkcs11
+    state: restarted

roles/freeipa_server/meta/main.yml

@@ -0,0 +1,44 @@
+---
+
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+galaxy_info:
+  role_name: freeipa_server
+  namespace: cloudera
+  author: Webster Mudge Jim Enright Chuck Levesque
+  description: >
+    Deployment of sidecar FreeIPA Server for Cloudera Data Platform (CDP) Base and ECS
+  company: Cloudera
+  namespace: cloudera
+  license: Apache-2.0
+
+  min_ansible_version: 2.10
+
+  platforms:
+  - name: Debian
+    versions: all
+  - name: Fedora
+    versions: all
+  - name: GenericLinux
+    versions: all
+  - name: MacOSX
+    versions: all
+  - name: Ubuntu
+    versions: all
+
+  galaxy_tags:
+  - cloudera
+  - cdp
+  - freeipa