Installing Foreman together with other infrastructure (FreeIPA)

Hello,

hopefully close to being ready for merge is

https://github.com/theforeman/puppet-foreman/pull/199

adding the possibility to enable external authentication of Foreman
WebUI against FreeIPA per

http://theforeman.org/manuals/1.5/index.html#5.7ExternalAuthentication

with just one or a few new options to the installer. The prerequisite
is that the machine is IPA-enrolled, which obviously means that there
has to be a FreeIPA server running somewhere to IPA-enroll the
Foreman box to.

If we wanted to make even the prerequisite steps (IPA-enrollment,
possibly also installation of the FreeIPA server or a replica) more
integrated with the Foreman installation process and less manual for
the admin, do you see a place for that in the Foreman installer code
bases (be it puppet code, ruby, or some other place)?

Or should we look at a completely independent project, possibly
a wrapper around foreman-install which would run multiple
installations, one of them being foreman-install with
--foreman-enable-ipa=true?

Any guidance would be appreciated,

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

Hi,

>
> Hello,
>
> hopefully close to being ready for merge is
>
> https://github.com/theforeman/puppet-foreman/pull/199
>
> adding the possibility to enable external authentication of Foreman
> WebUI against FreeIPA per
>
> http://theforeman.org/manuals/1.5/index.html#5.7ExternalAuthentication
>
> with just one or a few new options to the installer. The prerequisite
> is that the machine is IPA-enrolled, which obviously means that there
> has to be a FreeIPA server running somewhere to IPA-enroll the
> Foreman box to.
>
> If we wanted to make even the prerequisite steps (IPA-enrollment,
> possibly also installation of the FreeIPA server or a replica) more
> integrated with the Foreman installation process and less manual for
> the admin, do you see a place for that in the Foreman installer code
> bases (be it puppet code, ruby, or some other place)?

What about HTTP service principal creation? You'll need to do
that manually for external auth, right?

Realm proxy has a bunch of IPA requirements as well, that the user needs
to do in advance (manually or with a script). Might be nice to be better
automated, perhaps as part of the installer.

Foreman :: Manual

>
> Or should we look at a completely independent project, possibly
> a wrapper around foreman-install which would run multiple
> installations, one of them being foreman-install with
> --foreman-enable-ipa=true?

I don't see enrollment, building ipa servers, replicas, etc being part
of the Foreman installer… it introduces a lot of complexity, and it's
not the core purpose of the installer – it's just too far outside the
box. Just my opinion.

However, just like Foreman can deploy OpenStack, maybe some day oVirt,
then it could also deploy IPA servers or replicas. That would
be very valuable as part of datacenter automation. We'd need good puppet
modules to do that.

On Fri, Jul 04, 2014 at 01:35:21PM +0200, Jan Pazdziora wrote:


Stephen Benjamin


Red Hat GmbH | http://de.redhat.com/ | Sitz: Grasbrunn
Handelsregister: Amtsgericht München, HRB 153243
Geschäftsführer: Charles Cachera, Michael Cunningham,
Michael O’Neill, Charles Peters

> Hi,
>
> >
> > Hello,
> >
> > hopefully close to being ready for merge is
> >
> > https://github.com/theforeman/puppet-foreman/pull/199
> >
> > adding the possibility to enable external authentication of Foreman
> > WebUI against FreeIPA per
> >
> > http://theforeman.org/manuals/1.5/index.html#5.7ExternalAuthentication
> >
> > with just one or a few new options to the installer. The prerequisite
> > is that the machine is IPA-enrolled, which obviously means that there
> > has to be a FreeIPA server running somewhere to IPA-enroll the
> > Foreman box to.
> >
> > If we wanted to make even the prerequisite steps (IPA-enrollment,
> > possibly also installation of the FreeIPA server or a replica) more
> > integrated with the Foreman installation process and less manual for
> > the admin, do you see a place for that in the Foreman installer code
> > bases (be it puppet code, ruby, or some other place)?
>
> What about HTTP service principal creation? You'll need to do
> that manually for external auth, right?
>
> Realm proxy has a bunch of IPA requirements as well, that the user needs
> to do in advance (manually or with a script). Might be nice to be better
> automated, perhaps as part of the installer.
>
> Foreman :: Manual
>
> >
> > Or should we look at a completely independent project, possibly
> > a wrapper around foreman-install which would run multiple
> > installations, one of them being foreman-install with
> > --foreman-enable-ipa=true?
>
> I don't see enrollment, building ipa servers, replicas, etc being part
> of the Foreman installer… it introduces a lot of complexity, and it's
> not the core purpose of the installer – it's just too far outside the
> box. Just my opinion.
>

Would a Foreman plugin to configure IPA (assuming a way to configure it
exists) work?

I could see a one time GUI for driving actions that are more complex than
the avg installer done in pure ruby / api calls / puppet runs etc?

Ohad

On Sun, Jul 6, 2014 at 2:10 AM, Stephen Benjamin wrote:
> On Fri, Jul 04, 2014 at 01:35:21PM +0200, Jan Pazdziora wrote:
>
> However, just like Foreman can deploy OpenStack, maybe some day oVirt,
> then it could also deploy IPA servers or replicas. That would
> be very valuable as part of datacenter automation. We'd need good puppet
> modules to do that.
>
> Stephen Benjamin