Put the FreeIPA cluster behind a load balancer

[jsf9k]

🗣 Description

This pull request puts the FreeIPA cluster behind a load balancer.

Please read the message associated with commit edb2f2525106cd766de372f195fa228bfc58db80.

See also:

• cisagov/ansible-role-freeipa-server#49
• cisagov/freeipa-server-tf-module/pull/65
• cisagov/freeipa-server-packer/pull/79

💭 Motivation and context

With these changes, if a FreeIPA server becomes unresponsive DNS will automatically be updated to remove the unresponsive server from the rotation. It is hoped that these changes will help correct the errors described in cisagov/cool-system-internal#89.

🧪 Testing

All automated tests pass. I currently have these changes deployed to our COOL staging environment, and they appear to be functioning as expected.

✅ Pre-approval checklist

• [x] This PR has an informative and human-readable title.
• [x] Changes are limited to a single goal - eschew scope creep!
• [ ] All future TODOs are captured in issues, which are referenced in code comments.
• [x] All relevant type-of-change labels have been added.
• [x] I have read the CONTRIBUTING document.
• [x] These code changes follow cisagov code standards.
• [x] All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
• [x] All new and existing tests pass.

[jsf9k]

Unfortunately these changes didn't pan out. Anything that uses GSSAPI cannot be behind a load balancer, since the principal must contain the actual hostname and not that of the load balancer.