tripleo-ipa ci next steps

tags: Design

#1 priority

  • is to get centos-8-tripleo-multinode-ipa voting and gating
    • all ci repos w/ appropriate file def.
    • tripleo-ipa
    • tht
    • tripleo-ansible

#2 priority pipeline Execution

  • upstream / downstream component pipeline
    • tripleo, security

technical debt

ipa role

https://opendev.org/openstack/tripleo-quickstart-extras/src/branch/master/roles/ipa-multinode/tasks/ipaserver-subnode-install.yml

https://opendev.org/openstack/tripleo-quickstart-extras/src/branch/master/roles/ipa-multinode/tasks/ipaserver-undercloud-setup.yml

Remove duplication w/ tripleo-ipa, and put required bits directly. Move as much ipa-specific install and setup as possible into the tripleo-ipa role.

account for:

  • standalone deployment
  • full multinode deployment e.g. fs001 ovb
  • common tasks used by both deployments

call directly from zuul and not invoked from tq/tqe

https://github.com/openstack/tripleo-quickstart-extras/blob/master/roles/ipa-multinode/tasks/ipaserver-undercloud-setup.yml#L93

FS039

Tech Debt

Security feature requests

  • nova join / w/o nova join

  • master / victoria (perhaps ussuri)

    • remove novajoin from tls deployment
    • keep novajoin containers
    • by default on master / victoria
      • testing using standalone
      • testing using fs039 w/o novajoin feature enabled
  • train fs039 will continue to use novajoin

  • train backport tripleo-ci-centos-8-standalone-on-multinode-ipa

  • pass otp token to undercloud vs. user creds

    • useful for deployments where OpenStack operators don't have access to FreeIPA (Red Hat IT is our internal stakeholder)
  • New x/tripleo-ipa-server repo / roles

    • setup server
    • otp token
  • Will THT work be compatible upstream and downstream?

    • Current OSP job is running against OSP 17
    • Everything has been backported to stable/train to make it into 16.1