Enable Kerberos ticket caching role for PVC Base examples (#142)

* Update tf_hosts to make instance idempotent
* Use latest cldr-runner images
* Update pre_setup to enable caching of Kerberos ticket as files
* Add restart sssd handler
* Move tasks for KRB ticket cache setup to role

Signed-off-by: Jim Enright <[email protected]>

Author: jimright

private-cloud/base/aws-iaas/ansible-navigator.yml

@@ -49,7 +49,7 @@ ansible-navigator:
         ANSIBLE_DEPRECATION_WARNINGS: False
         ANSIBLE_HOST_KEY_CHECKING: False
         ANSIBLE_SSH_RETRIES: 10
-    image: ghcr.io/cloudera-labs/cldr-runner:aws-latest
+    image: ghcr.io/cloudera-labs/cldr-runner-aws:latest
     pull:
       arguments:
         - "--tls-verify=false"

private-cloud/base/aws-iaas/pre_setup.yml

@@ -130,6 +130,12 @@
         ipaadmin_principal: "{{ freeipa.ipaadmin_user | default(lookup('ansible.builtin.env', 'IPA_USER', default=omit)) }}"
         enable_dns: yes  
 
+    - name: Update SSSD to enable Kerberos file ticket caching
+      ansible.builtin.import_role:
+        name: krb_file_ticket_cache
+      vars:
+        sssd_domain: "{{ domain }}"
+        
 - name: Establish supporting services resources
   hosts: deployment
   gather_facts: no

private-cloud/base/aws-iaas/roles/krb_file_ticket_cache/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+# sssd_domain:

private-cloud/base/aws-iaas/roles/krb_file_ticket_cache/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart sssd
+  ansible.builtin.service:
+    name: sssd
+    state: restarted 

private-cloud/base/aws-iaas/roles/krb_file_ticket_cache/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: Update the SSSD for caching of Kerberos ticket as files
+  community.general.ini_file:
+    path: /etc/sssd/sssd.conf
+    section: "domain/{{ sssd_domain }}"
+    option: "{{ sssd.key }}"
+    value: "{{ sssd.value | string }}"
+  loop: "{{ entries | dict2items }}"
+  loop_control:
+    loop_var: sssd
+    label: "{{ sssd.key }}"
+  vars:
+    entries:
+      krb5_ccname_template: 'FILE:/tmp/krb5cc_%U_XXXXXX'
+  notify: restart sssd
+
+- name: Comment default_ccache_name in krb5.conf.d
+  ansible.builtin.replace:
+    dest: /etc/krb5.conf.d/kcm_default_ccache
+    regexp: '({{ krb_item }})'
+    replace: '# \1'
+  loop_control:
+    loop_var: krb_item
+  loop:
+    - '^\[libdefaults\]'
+    - '^\s+default_ccache_name = KCM'
+  notify: restart sssd

private-cloud/base/aws-iaas/tf_hosts/main.tf

@@ -43,7 +43,7 @@ resource "aws_instance" "pvc_base" {
   subnet_id                   = var.subnet_ids[count.index % length(var.subnet_ids)]
   associate_public_ip_address = var.public_ip
 
-  security_groups = var.security_groups
+  vpc_security_group_ids      = var.security_groups
 
   root_block_device {
     delete_on_termination = var.root_volume.delete_on_termination