Merge pull request #707 from DeepikaKrishnaiah/devel

Install FreeIPA server on MS

control_plane/control_plane.yml

@@ -1,4 +1,4 @@
-#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -26,4 +26,5 @@
     - control_plane_sm
     - control_plane_customiso
     - control_plane_repo
+    - control_plane_security
     - deploy_job_templates

control_plane/input_params/base_vars.yml

@@ -1,4 +1,4 @@
-# Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -37,6 +37,12 @@ ib_switch_support: true
 # If powervault configuration is needed, set this to "true"
 powervault_support: false
 
+# This variable is used to enable security features on MS
+# Accepted values: "true" or "false"
+# Default value: "true"
+# If security features are not needed, set this to "false"
+enable_security_support: true
+
 # The nic/ethernet card that will be connected to the public internet.
 # Default value: eno2
 public_nic: "eno2"
@@ -165,4 +171,4 @@ ib_network_nic: "ib0"
 # The dhcp range for assigning the IPv4 address
 # Example: 172.17.0.1
 ib_network_dhcp_start_range: "172.25.0.100"
-ib_network_dhcp_end_range: "172.25.0.200"
+ib_network_dhcp_end_range: "172.25.0.200"

control_plane/input_params/login_vars.yml

@@ -1,4 +1,4 @@
-# Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -78,4 +78,15 @@ powervault_me4_username: ""
 # The password should have atleast one uppercase character, one lowercase character,
 # one numeric character and one non-alphanumeric character.
 # The password must not contain -,\, ',", . , < , comma(,)
-powervault_me4_password: ""
+powervault_me4_password: ""
+
+# The directory server operations require an administrative user.
+# This user is referred to as the Directory Manager and has full access to the Directory for system management tasks
+# and will be added to the instance of directory server created for IPA.
+# The password must be at least 8 characters long
+# The password must not contain -,\, ',"
+directory_manager_password: ""
+
+# The IPA server requires an administrative user, named 'admin'.
+# This user is a regular system account used for IPA server administration
+ipa_admin_password: ""

control_plane/input_params/security_vars.yml

@@ -0,0 +1,23 @@
+# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+# This variable is used to accept the domain name the user intends to configure
+# Eg: ipa.test
+domain_name: "omnia.test"
+
+# A Kerberos realm is the domain over which a Kerberos authentication server has
+# the authority to authenticate a user, host or service.
+# A realm name is often, but not always the upper case version of the name of the
+# DNS domain over which it presides
+realm_name: "OMNIA.TEST"

control_plane/roles/control_plane_common/tasks/fetch_base_inputs.yml

@@ -1,4 +1,4 @@
-# Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -137,6 +137,13 @@
     success_msg: "{{ powervault_support_success_msg }}"
     fail_msg: "{{ powervault_support_fail_msg }}"
 
+- name: Assert enable_security_support
+  assert:
+    that:
+      - enable_security_support == true or enable_security_support == false
+    success_msg: "{{ enable_security_support_success_msg }}"
+    fail_msg: "{{ enable_security_support_fail_msg }}"
+
 - name: Fetch the network interfaces in UP state in the system
   shell: set -o pipefail && ip a | awk '/state UP/{print $2}'
   register: nic_addr_up

control_plane/roles/control_plane_common/tasks/fetch_security_inputs.yml

@@ -0,0 +1,41 @@
+# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Include security variable file security_vars.yml
+  include_vars: "{{ security_vars_filename }}"
+  no_log: true
+
+- name: Validate input parameters of base_vars are not empty
+  fail:
+    msg: "{{ input_security_failure_msg }}"
+  register: input_base_check
+  when:
+    - domain_name | length < 1 or
+      realm_name | length < 1
+
+- name: Validate the domain name
+  assert:
+    that:
+      - domain_name is regex("^(?!-)[A-Za-z0-9-]+([\\-\\.]{1}[a-z0-9]+)*\\.[A-Za-z]{2,}$")
+    success_msg: "{{ dom_name_success_msg }}"
+    fail_msg: "{{ dom_name_fail_msg }}"
+
+- name: Validate the realm name
+  assert:
+    that:
+      - realm_name is regex("^(?!-)[A-Z0-9-]+([\\-\\.]{1}[a-z0-9]+)*\\.[A-Z]{2,}$")
+      - '"." in realm_name'
+    success_msg: "{{ realm_success_msg }}"
+    fail_msg: "{{ realm_fail_msg }}"

control_plane/roles/control_plane_common/tasks/main.yml

@@ -1,4 +1,4 @@
-#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -51,3 +51,7 @@
 
 - name: NFS Server setup for offline repo and awx
   import_tasks: nfs_server_setup.yml
+
+- name: Security Inputs Validation
+  import_tasks: fetch_security_inputs.yml
+  when: enable_security_support

control_plane/roles/control_plane_common/tasks/password_config.yml

@@ -1,4 +1,4 @@
-# Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -40,6 +40,14 @@
       idrac_username | length < 1 or
       idrac_password | length < 1
 
+- name: Validate security parameters when enable_security_support is set to true
+  fail:
+    msg: "{{ login_input_config_failure_msg }} for ipa server installation"
+  when:
+    - ( directory_manager_password | length < 1 or
+      ipa_admin_password | length < 1 ) and
+      enable_security_support
+
 - name: Assert provision credentials
   block:
     - name: Assert provision_password
@@ -176,6 +184,32 @@
         msg: "{{ fail_msg_me4_credentials }}"
   when: powervault_support
 
+- name: Assert directory_manager_password
+  assert:
+    that:
+      - directory_manager_password | length > min_length | int - 1
+      - directory_manager_password | length < max_length | int + 1
+      - '"-" not in directory_manager_password '
+      - '"\\" not in directory_manager_password '
+      - '"\"" not in directory_manager_password '
+      - " \"'\" not in directory_manager_password "
+    success_msg: "{{ success_msg_dir_manager_password }}"
+    fail_msg: "{{ fail_msg_dir_manager_password }}"
+  when: enable_security_support
+
+- name: Assert ipa_admin_password
+  assert:
+    that:
+      - ipa_admin_password | length > min_length | int - 1
+      - ipa_admin_password | length < max_length | int + 1
+      - '"-" not in ipa_admin_password '
+      - '"\\" not in ipa_admin_password '
+      - '"\"" not in ipa_admin_password '
+      - " \"'\" not in ipa_admin_password "
+    success_msg: "{{ success_msg_ipa_admin_pwd }}"
+    fail_msg: "{{ fail_msg_ipa_admin_pwd }}"
+  when: enable_security_support
+
 - name: Create ansible vault key
   set_fact:
     vault_key: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"

control_plane/roles/control_plane_common/tasks/verify_omnia_params.yml

@@ -1,4 +1,4 @@
-# Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -13,6 +13,10 @@
 #  limitations under the License.
 ---
 
+- name: Include base variable file base_vars.yml
+  include_vars: "{{ base_vars_filename }}"
+  no_log: true
+
 - name: Check if omnia_vault_key exists
   stat:
     path: "{{ role_path }}/../../../{{ config_vaultname }}"
@@ -68,7 +72,8 @@
       directory_manager_password | length < 1 or
       ipa_admin_password | length < 1 ) and
       ( login_node_required and
-      host_mapping_file )
+      host_mapping_file  and
+      not enable_security_support)
 
 - name: Assert mariadb_password
   assert:
@@ -119,6 +124,7 @@
   when:
     - host_mapping_file
     - login_node_required
+    - not enable_security_support
 
 - name: Validate the realm name
   assert:
@@ -130,6 +136,7 @@
   when:
     - host_mapping_file
     - login_node_required
+    - not enable_security_support
 
 - name: Assert directory_manager_password
   assert:
@@ -144,7 +151,8 @@
     fail_msg: "{{ fail_msg_directory_manager_password }}"
   when:
     - host_mapping_file
-     - login_node_required
+    - login_node_required
+    - not enable_security_support
 
 - name: Assert ipa_admin_password
   assert:
@@ -160,6 +168,7 @@
   when:
     - host_mapping_file
     - login_node_required
+    - not enable_security_support
 
 - name: Encrypt input config file
   command: >-

control_plane/roles/control_plane_common/vars/main.yml

@@ -1,4 +1,4 @@
-#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -89,6 +89,11 @@ fail_msg_idrac_credentials: "Failed. Incorrect idrac_username or idrac_password
 fail_msg_ethernet_credentials: "Failed. Incorrect ethernet_switch_username or ethernet_switch_password format provided in login_vars.yml"
 fail_msg_ib_credentials: "Failed. Incorrect ib_username or ib_password format provided in login_vars.yml"
 fail_msg_me4_credentials: "Failed. Incorrect powervault_me4_username or powervault_me4_password format provided in login_vars.yml"
+login_security_config_failure_msg: "Failed. Please provide the required passwords in login_vars.yml for installing ipa"
+success_msg_dir_manager_password: "directory_manager_password successfully validated"
+fail_msg_dir_manager_password: "Failed. Incorrect format provided for directory_manager_password"
+success_msg_ipa_admin_pwd: "ipa_admin_password successfully validated"
+fail_msg_ipa_admin_pwd: "Failed. Incorrect format provided for ipa_admin_password"
 
 # Usage: verify_omnia_params.yml
 config_filename: "omnia_config.yml"
@@ -160,6 +165,8 @@ provision_os_success_msg: "provision_os validated"
 provision_os_fail_msg: "Failed. Incorrect provision_os selected. Supported OS are {{ os_supported_centos }} or {{ os_supported_rocky }}"
 provision_state_success_msg: "provision_state validated"
 provision_state_fail_msg: "Failed. Incorrect provision_state selected. Supported only stateful"
+enable_security_support_success_msg: "enable_security_support validated"
+enable_security_support_fail_msg: "Failed. enable_security_support only accepts boolean values true or false"
 
 # Usage: fetch_sm_inputs.yml
 ib_config_file: "{{ role_path }}/../../input_params/ib_vars.yml"
@@ -214,3 +221,12 @@ group_name_nfs: "nfs_node"
 # Usage: validate_device_mapping_file.yml
 fail_device_mapping_file_header: "Failed: Header (MAC,IP) should be present in the mapping file."
 device_mapping_header_format: "MAC,IP"
+
+# Usage: fetch_security_inputs.yml
+security_vars_filename: "input_params/security_vars.yml"
+input_security_failure_msg: "Please provide all the required parameters in security_vars.yml"
+dom_name_length: '63'
+dom_name_success_msg: "domain name successfully validated"
+dom_name_fail_msg: "Failed. Incorrect format provided for domain name in security_vars.yml"
+realm_success_msg: "realm_name successfully validated"
+realm_fail_msg: "Failed. Incorrect realm_name format in security_vars.yml"

control_plane/roles/control_plane_security/tasks/enable_dnf_module.yml

@@ -0,0 +1,21 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Enable module idm in Rocky or Centos >= 8.0
+  command: dnf module enable idm:DL1 -y
+  when:
+    - ( ansible_distribution | lower == os_centos ) or
+      ( ansible_distribution | lower == os_rocky )
+    - ( ansible_distribution_version >= os_version )

control_plane/roles/control_plane_security/tasks/firewall_settings.yml

@@ -0,0 +1,60 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Install firewalld
+  package:
+    name: firewalld
+    state: present
+  tags: firewalld
+
+- name: Start and enable firewalld
+  service:
+    name: firewalld
+    state: started
+    enabled: yes
+  tags: firewalld
+
+- name: Firewall ports addition - tcp/udp ports
+  firewalld:
+    zone: public
+    port: "{{ item }}"
+    permanent: true
+    state: enabled
+  with_items:
+    - "{{ https_port1 }}"
+    - "{{ https_port2 }}"
+    - "{{ ldap_port1 }}"
+    - "{{ ldap_port2 }}"
+    - "{{ kerberos_port1 }}"
+    - "{{ kerberos_port2 }}"
+    - "{{ kerberos_port3 }}"
+    - "{{ kerberos_port4 }}"
+    - "{{ dns_port1 }}"
+    - "{{ dns_port2 }}"
+    - "{{ ntp_port1 }}"
+    - "{{ dt_port1 }}"
+  tags: firewalld
+
+- name: Reload firewalld
+  command: firewall-cmd --reload
+  changed_when: true
+  tags: firewalld
+
+- name: Stop and disable firewalld
+  service:
+    name: firewalld
+    state: stopped
+    enabled: no
+  tags: firewalld

control_plane/roles/control_plane_security/tasks/install_ipa_server.yml

@@ -0,0 +1,61 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Fetch hostname
+  command: hostname
+  register: new_serv_hostname
+  changed_when: false
+
+- name: Set fact for server hostname
+  set_fact:
+    server_hostname_ms: "{{ new_serv_hostname.stdout }}"
+
+- name: Save the hostname
+  copy:
+    dest: "{{ server_file }}"
+    content: |
+      ipaddress: "{{ hostvars['localhost']['ansible_default_ipv4']['address'] }}"
+      server_hostname: "{{ server_hostname_ms }}"
+      server_domain: "{{ domain_name }}"
+    owner: root
+    mode: "{{ file_mode }}"
+
+- name: Uninstall server if it is already installed
+  command: ipa-server-install --uninstall -U
+  changed_when: false
+  failed_when: false
+
+- name: Install ipa server in CentOS > 8 or Rocky 8.4
+  command: >-
+    ipa-server-install -n '{{ domain_name }}' --hostname='{{ server_hostname_ms }}' -a '{{ ipa_admin_password }}'
+    -p '{{ directory_manager_password }}' -r '{{ realm_name }}' --setup-dns --no-forwarders --no-reverse --no-ntp -U
+  changed_when: true
+  no_log: true
+  when:
+    - ( ansible_distribution | lower == os_centos ) or
+      ( ansible_distribution | lower == os_rocky )
+    - ( ansible_distribution_version >= os_version )
+
+- name: Authenticate as admin
+  shell: set -o pipefail && echo $'{{ ipa_admin_password }}' | kinit admin
+  no_log: true
+  changed_when: false
+
+- name: Replace the /etc/resolv.conf file
+  copy:
+    src: "{{ temp_resolv_conf_path }}"
+    dest: "{{ resolv_conf_path }}"
+    mode: "{{ file_mode }}"
+    remote_src: yes

control_plane/roles/control_plane_security/tasks/install_packages.yml

@@ -0,0 +1,41 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Install packages
+  package:
+    name: "{{ ipa_server_packages }}"
+    state: present
+  tags: install
+
+- name: Take a backup of /etc/resolv.conf
+  copy:
+    src: "{{ resolv_conf_path }}"
+    dest: "{{ temp_resolv_conf_path }}"
+    mode: "{{ resolv_file_mode }}"
+    remote_src: yes
+
+- name: Add the domain name in /etc/resolv.conf
+  replace:
+    path: "{{ temp_resolv_conf_path }}"
+    regexp: "search"
+    replace: "search {{ domain_name }}"
+  register: replace_output
+
+- name: Add the domain name in /etc/resolv.conf when there is no domain name
+  replace:
+    path: "{{ temp_resolv_conf_path }}"
+    regexp: "# Generated by NetworkManager"
+    replace: "# Generated by NetworkManager\nsearch {{ domain_name }}"
+  when: replace_output.msg | length == 0

control_plane/roles/control_plane_security/tasks/main.yml

@@ -0,0 +1,39 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Add ports of manager and login node to firewall
+  include_tasks: firewall_settings.yml
+  when:
+    - enable_security_support
+
+- name: Enable module idm in Rocky or Centos >= 8.0
+  include_tasks: enable_dnf_module.yml
+  when:
+    - enable_security_support
+
+- name: Update Packages
+  include_tasks: update_package.yml
+  when:
+    - enable_security_support
+
+- name: Install required packages
+  include_tasks: install_packages.yml
+  when:
+    - enable_security_support
+
+- name: Install free-ipa server
+  include_tasks: install_ipa_server.yml
+  when:
+    - enable_security_support

control_plane/roles/control_plane_security/tasks/update_package.yml

@@ -0,0 +1,23 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Update nss package to install ipa server/client
+  command: yum update nss -y
+  changed_when: false
+  args:
+    warn: false
+  when:
+    - ( ansible_distribution | lower == os_centos )
+    - ( ansible_distribution_version < os_version )

control_plane/roles/control_plane_security/vars/main.yml

@@ -0,0 +1,50 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+# Usage: set_fqdn.yml
+etc_hosts_file_dest: /etc/hosts
+file_mode: '0644'
+
+# Usage: firewall_settings.yml
+https_port1: "80/tcp"
+https_port2: "443/tcp"
+ldap_port1: "389/tcp"
+ldap_port2: "636/tcp"
+kerberos_port1: "88/tcp"
+kerberos_port2: "464/tcp"
+kerberos_port3: "88/udp"
+kerberos_port4: "464/udp"
+dns_port1: "53/tcp"
+dns_port2: "53/udp"
+dt_port1: "7389/tcp"
+ntp_port1: "123/udp"
+
+# Usage: enable_dnf_module.yml
+os_centos: 'centos'
+os_rocky: 'rocky'
+os_version: '8.0'
+
+# Usage: install_packages.yml
+ipa_server_packages:
+  - bind
+  - bind-dyndb-ldap
+  - ipa-server-dns
+  - freeipa-server
+
+# Usage: install_ipa_server.yml
+resolv_conf_path: /etc/resolv.conf
+temp_resolv_conf_path: /tmp/resolv.conf
+resolv_file_mode: '0644'
+server_file: "{{ playbook_dir }}/roles/control_plane_security/files/.ipavars.yml"

roles/cluster_validation/tasks/fetch_ipa_password.yml

@@ -0,0 +1,85 @@
+# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Include base_vars of control plane
+  include_vars: "{{ role_path }}/../../control_plane/input_params/base_vars.yml"
+
+- name: Unset ipa server status on MS
+  set_fact:
+    ipa_server_ms: false
+
+- name: Check if ipa server file of MS exists
+  stat:
+    path: "{{ ipa_secret_file }}"
+  register: ms_file_exists
+
+- name: Check if ipa server is installed on MS
+  block:
+    - name: Check login_vars file is encrypted
+      command: cat "{{ role_path }}/../../control_plane/{{ login_vars_filename }}"
+      changed_when: false
+      register: config_content
+      no_log: true
+
+    - name: Decrpyt login_vars.yml
+      command: >-
+        ansible-vault decrypt "{{ role_path }}/../../control_plane/{{ login_vars_filename }}"
+        --vault-password-file "{{ role_path }}/../../control_plane/{{ vault_filename }}"
+      changed_when: false
+      when: "'$ANSIBLE_VAULT;' in config_content.stdout"
+
+    - name: Include variable file login_vars.yml
+      include_vars: "{{ role_path }}/../../control_plane/{{ login_vars_filename }}"
+      no_log: true
+
+    - name: Save variables of ipa server from Management Station
+      set_fact:
+        ms_ipa_admin_password: '{{ ipa_admin_password }}'
+
+    - name: Create ansible vault key
+      set_fact:
+        vault_key: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"
+      when: "'$ANSIBLE_VAULT;' not in config_content.stdout"
+
+    - name: Save vault key
+      copy:
+        dest: "{{ role_path }}/../../control_plane/{{ vault_filename }}"
+        content: |
+          {{ vault_key }}
+        owner: root
+        force: yes
+        mode: "{{ vault_file_perm }}"
+      when: "'$ANSIBLE_VAULT;' not in config_content.stdout"
+
+    - name: Encrypt input config file
+      command: >-
+        ansible-vault encrypt "{{ role_path }}/../../control_plane/{{ login_vars_filename }}"
+        --vault-password-file "{{ role_path }}/../../control_plane/{{ vault_filename }}"
+      changed_when: false
+
+    - name: Update login_vars.yml permission
+      file:
+        path: "{{ role_path }}/../../control_plane/{{ login_vars_filename }}"
+        mode: "{{ vault_file_perm }}"
+
+    - name: Include ipa server hostname and domain name
+      include_vars: "{{ ipa_secret_file }}"
+
+    - name: Set ipa server status on MS
+      set_fact:
+        ipa_server_ms: true
+  when:
+    - enable_security_support
+    - ms_file_exists.stat.exists

roles/cluster_validation/tasks/fetch_password.yml

@@ -1,4 +1,4 @@
-#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -13,6 +13,9 @@
 #  limitations under the License.
 ---
 
+- name: Include base_vars of control plane
+  include_vars: "{{ role_path }}/../../control_plane/input_params/base_vars.yml"
+
 - name: Check if omnia_vault_key exists
   stat:
     path: "{{ role_path }}/../../{{ config_vaultname }}"
@@ -68,7 +71,8 @@
       realm_name | length < 1 or
       directory_manager_password | length < 1 or
       ipa_admin_password | length < 1 ) and
-      login_node_required
+      login_node_required and
+      not enable_security_support
 
 - name: Assert mariadb_password
   assert:
@@ -135,7 +139,9 @@
       - domain_name is regex("^(?!-)[A-Za-z0-9-]+([\\-\\.]{1}[a-z0-9]+)*\\.[A-Za-z]{2,}$")
     success_msg: "{{ domain_name_success_msg }}"
     fail_msg: "{{ domain_name_fail_msg }}"
-  when: login_node_required
+  when:
+    - login_node_required
+    - not enable_security_support
 
 - name: Validate the realm name
   assert:
@@ -144,7 +150,9 @@
       - '"." in realm_name'
     success_msg: "{{ realm_name_success_msg }}"
     fail_msg: "{{ realm_name_fail_msg }}"
-  when: login_node_required
+  when:
+    - login_node_required
+    - not enable_security_support
 
 - name: Assert directory_manager_password
   assert:
@@ -157,7 +165,9 @@
       - " \"'\" not in directory_manager_password "
     success_msg: "{{ success_msg_directory_manager_password }}"
     fail_msg: "{{ fail_msg_directory_manager_password }}"
-  when: login_node_required
+  when:
+    - login_node_required
+    - not enable_security_support
 
 - name: Assert ipa_admin_password
   assert:
@@ -170,7 +180,9 @@
       - " \"'\" not in ipa_admin_password "
     success_msg: "{{ success_msg_ipa_admin_password }}"
     fail_msg: "{{ fail_msg_ipa_admin_password }}"
-  when: login_node_required
+  when:
+    - login_node_required
+    - not enable_security_support
 
 - name: Encrypt input config file
   command: >-

roles/cluster_validation/tasks/main.yml

@@ -56,6 +56,10 @@
       include_tasks: fetch_powervault_status.yml
       when: nfs_node_status
 
+    - name: Initialize ipa server variables
+      include_tasks: fetch_ipa_password.yml
+      when: login_node_required
+
 - name: omnia.yml runing on host
   block:
     - name: Passwordless SSH status

roles/cluster_validation/vars/main.yml

@@ -1,4 +1,4 @@
-#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -57,4 +57,10 @@ nfs_node_group_success_msg: "nfs_node group check passed"
 tower_config_path: "{{ playbook_dir }}/control_plane/roles/webui_awx/files/.tower_cli.cfg"
 tower_vault_path: "{{ playbook_dir }}/control_plane/roles/webui_awx/files/.tower_vault_key"
 powervault_inventory_name: "powervault_me4_inventory"
-powervault_group: "powervault_me4"
+powervault_group: "powervault_me4"
+
+# Usage: fetch_ipa_password.yml
+login_vars_filename: input_params/login_vars.yml
+vault_filename: input_params/.login_vault_key
+vault_file_perm: '0644'
+ipa_secret_file: "{{ playbook_dir }}/control_plane/roles/control_plane_security/files/.ipavars.yml"

roles/login_node/tasks/install_ipa_client.yml

@@ -1,4 +1,4 @@
-#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -27,6 +27,20 @@
     state: present
   tags: install
 
+- name: Set hostname of ipa server when MS has ipa server installed
+  set_fact:
+    required_ipa_admin_pwd: "{{ hostvars['127.0.0.1']['ipa_admin_password'] }}"
+    required_server_hostname: "{{ hostvars[groups['manager'][0]]['server_hostname'] }}"
+    required_domain_name: "{{ hostvars['127.0.0.1']['domain_name'] }}"
+  when: not hostvars['127.0.0.1']['ipa_server_ms']
+
+- name: Set hostname of ipa server when manager node has ipa server installed
+  set_fact:
+    required_ipa_admin_pwd: "{{ hostvars['127.0.0.1']['ms_ipa_admin_password'] }}"
+    required_server_hostname: "{{ hostvars['127.0.0.1']['server_hostname'] }}"
+    required_domain_name: "{{ hostvars['127.0.0.1']['server_domain'] }}"
+  when: hostvars['127.0.0.1']['ipa_server_ms']
+
 - name: Uninstall client if already installed
   command: ipa-client-install --uninstall -U
   changed_when: false
@@ -34,8 +48,8 @@
 
 - name: Install ipa client in CentOS 7.9
   command: >-
-    ipa-client-install --domain '{{ hostvars['127.0.0.1']['domain_name'] }}' --server '{{ hostvars[groups['manager'][0]]['server_hostname'] }}'
-    --principal admin --password '{{ hostvars['127.0.0.1']['ipa_admin_password'] }}' --force-join --enable-dns-updates --force-ntpd -U
+    ipa-client-install --domain '{{ required_domain_name }}' --server '{{ required_server_hostname }}'
+    --principal admin --password '{{ required_ipa_admin_pwd }}' --force-join --enable-dns-updates --force-ntpd -U
   changed_when: true
   no_log: true
   when:
@@ -44,8 +58,8 @@
 
 - name: Install ipa client in Rocky 8.4
   command: >-
-    ipa-client-install --domain '{{ hostvars['127.0.0.1']['domain_name'] }}' --server '{{ hostvars[groups['manager'][0]]['server_hostname'] }}'
-    --principal admin --password '{{ hostvars['127.0.0.1']['ipa_admin_password'] }}' --force-join --enable-dns-updates --no-ntp -U
+    ipa-client-install --domain '{{ required_domain_name }}' --server '{{ required_server_hostname }}'
+    --principal admin --password '{{ required_ipa_admin_pwd }}' --force-join --enable-dns-updates --no-ntp -U
   changed_when: true
   no_log: true
   when:

roles/login_server/tasks/main.yml

@@ -1,4 +1,4 @@
-#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -15,12 +15,18 @@
 
 - name: Include variables
   include_vars: ../../login_common/vars/main.yml
-  when: hostvars['127.0.0.1']['login_node_required']
+  when:
+    - hostvars['127.0.0.1']['login_node_required']
+    - not hostvars['127.0.0.1']['ipa_server_ms']
 
 - name: Install required packages
   include_tasks: install_packages.yml
-  when: hostvars['127.0.0.1']['login_node_required']
+  when:
+    - hostvars['127.0.0.1']['login_node_required']
+    - not hostvars['127.0.0.1']['ipa_server_ms']
 
 - name: Install free-ipa server
   include_tasks: install_ipa_server.yml
-  when: hostvars['127.0.0.1']['login_node_required']
+  when:
+    - hostvars['127.0.0.1']['login_node_required']
+    - not hostvars['127.0.0.1']['ipa_server_ms']