added verification for FreeIPA TLS and clients

cloudera-labs · Feb 10, 2022 · 89f1f5f · 89f1f5f
1 parent 9879761
commit 89f1f5f
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/roles/verify/inventory/tasks/main.yml b/roles/verify/inventory/tasks/main.yml
@@ -32,3 +32,18 @@
       not (
       'ca_server' in groups and krb5_kdc_type == "Red Hat IPA")
       }}
+
+- block:
+    - set_fact:
+          cluster_hosts: >-
+            {{ groups.cluster | default([])
+               | union(groups.cloudera_manager | default([]))
+            }}
+
+    - name: Ensure that all hosts requiring TLS certificates have a FreeIPA client
+      assert:
+        that: >-
+          {{ groups.tls | difference(cluster_hosts) | length == 0 }}
+  when:
+    - krb5_kdc_type == "Red Hat IPA"
+    - not (skip_ipa_signing | default(false))