Nelson LAMEIRAS via FreeIPA-users wrote:
Hi all,
I'm looking for a way to automatize certificate creation for services hosted on
servers inside a highly available cluster.
Example: we have the following setup:
- http/serverha (an IPA service that will be highly available)
- server01 (not kickstarted yet)
- server02 (not kickstarted yet)
Both server01 and server02 must be able to get http/serverha certificate when
kickstarted, but I find this impossible because they are not part of "managed
by" hosts configured in service http/serverha
I'm forced to manually add each host to the "managed by" section of the
service, but only after it is kickstarted, which ruins my automation goal.
I hope this explanation is clear.
1 - Is there an elegant (i.e. official) way to automatically manage this situation?
2 - My intuitive solution would be to use automember to put server01 and server02 inside
the same hostgroup and to be able to add hostgroups to the "managed by" section on
a service, but this is not possible on my current setup (IPA v4.6.8) - only adding hosts
(not hostgroups!) is allowed. Could this be a legitimate RFE I should write?
Please note that I'm not supposed to know beforehand the precise name of serverXY; it
could be server24... ;)

To use automember for this you'd need a new configuration as the
current configuration only adds member not other attributes. See
cn=automember,cn=etc,dc=example,dc=test.
I suspect this would do very unexpected things though and add managedby
to entries you don't want.
For it to work you need to be able to control the regex of hostnames
otherwise there's no chance for it to work.
There is no way to use hostgroups for managedby that I can think of.
rob
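
The point about controlling the hostname regex, as an added example that is not part of the original thread or of FreeIPA itself: a dry-run planner that selects hosts with a regex anchored at both ends and prints the `ipa service-add-host` command for each, so a look-alike name never ends up in "managed by". The service principal, the `example.test` domain, the two-digit naming pattern and the host list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; all names below are assumptions, not values from the thread.
SERVICE="HTTP/serverha.example.test"        # assumed service principal
# Anchored with ^ and $ so only serverNN.example.test matches in full.
HOST_RE='^server[0-9]{2}\.example\.test$'

# Read hostnames on stdin (one per line) and keep only full matches.
select_cluster_hosts() {
    grep -E -- "$HOST_RE" || true
}

# Dry run: print one managed-by command per selected host, execute nothing.
plan_managedby() {
    select_cluster_hosts | while IFS= read -r host; do
        printf 'ipa service-add-host %s --hosts=%s\n' "$SERVICE" "$host"
    done
}

# Constructed sample of enrolled host names. The last three must be rejected:
# a suffix look-alike, a prefix look-alike, and a name outside the pattern.
SAMPLE_HOSTS='server01.example.test
server24.example.test
server01.example.test.other.example
dbserver02.example.test
server1.example.test'

printf '%s\n' "$SAMPLE_HOSTS" | plan_managedby
```

Review the printed commands before running them with admin credentials, since every host added to "managed by" can request the service's certificate.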