# tripleo-ipa ci next steps
###### tags: `Design`
## #1 priority
* get centos-8-tripleo-multinode-ipa voting and gating
* all ci repos w/ appropriate file def.
* tripleo-ipa
* tht
* tripleo-ansible
## #2 priority pipeline Execution
* upstream / downstream component pipeline
* tripleo, security
## technical debt
### ipa role
* https://opendev.org/openstack/tripleo-quickstart-extras/src/branch/master/roles/ipa-multinode/tasks/ipaserver-subnode-install.yml
* https://opendev.org/openstack/tripleo-quickstart-extras/src/branch/master/roles/ipa-multinode/tasks/ipaserver-undercloud-setup.yml

Remove duplication w/ tripleo-ipa, and put required bits directly. **Move as much IPA-specific install and setup as possible into the tripleo-ipa role.**

Account for:
* standalone deployment
* full multinode deployment e.g. fs001 ovb
* common tasks used by both deployments
### call directly from zuul and not invoked from tq/tqe
https://github.com/openstack/tripleo-quickstart-extras/blob/master/roles/ipa-multinode/tasks/ipaserver-undercloud-setup.yml#L93
### FS039
* should fs039 be refactored to use x/tripleo-ipa?
* should be able to toggle novajoin
* (xek) added [support](https://review.opendev.org/#/c/721634/1/config/general_config/featureset039.yml@206) to toggle between using novajoin and tripleo-ipa
* currently uses novajoin, right?
* https://review.opendev.org/#/c/721634/1/config/general_config/featureset039.yml@206
### Tech Debt
* should we try ansible-freeipa again?
* https://github.com/freeipa/ansible-freeipa/tree/master/roles/ipaserver
### Security feature requests
* nova join / w/o nova join
* master / victoria ( perhaps ussuri)
* remove novajoin from tls deployment
* keep novajoin containers
* by default on master / victoria
* testing using standalone
* testing using fs039 w/o novajoin feature enabled
* train fs039 will continue to use novajoin
* train backport tripleo-ci-centos-8-standalone-on-multinode-ipa
* pass OTP token to undercloud vs. user creds
* useful for deployments where OpenStack operators don't have access to FreeIPA (Red Hat IT is our internal stakeholder)
* New x/tripleo-ipa-server repo / roles
* setup server
* OTP token
* Will THT work be compatible upstream and downstream?
* Current OSP job is running against OSP 17
* Everything has been backported to stable/train to make it into 16.1