From 07d91e02d18caef51a34a3c86ffb5b1b2af7c88a Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 20 Jun 2024 15:08:02 +0200
Subject: [PATCH] ipareplica: Refactor CA file handling

replicainstall.install_ca_cert has been removed, paths.IPA_CERTUPDATE is called instead if the client was configured before deploying with iparepica role. FreeIPA commit 8f25b2a74a587548976f3d29f0b69d566d70125d Refactor CA file handling in replica installer Clean up and remove obsolete code from ipa-replica-install. For several versions replica installer first ensures that a host is an IPA client, then promotes the client to a replica. The client installer code sets up CA stores like IPA_CA_CRT already.
---
 .../ipareplica/library/ipareplica_prepare.py | 27 +++++++++++++++----
 roles/ipareplica/library/ipareplica_test.py | 5 ++--
 .../module_utils/ansible_ipa_replica.py | 7 ++++-
 roles/ipareplica/tasks/install.yml | 2 ++
 4 files changed, 33 insertions(+), 8 deletions(-)

diff --git a/roles/ipareplica/library/ipareplica_prepare.py b/roles/ipareplica/library/ipareplica_prepare.py
index 63f1dcbd..d4464a93 100644
--- a/roles/ipareplica/library/ipareplica_prepare.py
+++ b/roles/ipareplica/library/ipareplica_prepare.py
@@ -250,6 +250,10 @@ options:
     type: bool
     default: no
     required: no
+  client_configured:
+    description: Was client configured already
+    type: bool
+    required: yes
 author:
   - Thomas Woerner (@t-woerner)
 '''
@@ -275,7 +279,8 @@ from ansible.module_utils.ansible_ipa_replica import (
     check_domain_level_is_supported, errors, ScriptError, setup_logging, logger, check_dns_resolution, service, find_providing_server, ca, kra, dns, no_matching_interface_for_ip_address_warning, adtrust,
-    constants, api, redirect_stdout, replica_conn_check, tasks
+    constants, api, redirect_stdout, replica_conn_check, tasks,
+    install_ca_cert
 )
 from ansible.module_utils import six
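Review bot: The DOCUMENTATION block adds an option called `client_configured`, but the argument_spec entry added in the `@@ -353,6 +358,7` hunk and the task in install.yml both use `ipa_client_installed`, so the documented name is not a real parameter and the real one is undocumented. Rename the documented key to match, `  ipa_client_installed:`, and since the module reads it to decide whether to refresh the CA store, a description such as `description: Whether the host is already an enrolled IPA client; when true ipa-certupdate is run to refresh the CA certs` says what it controls. Keep `required: yes` in the docs, which matches `required=True` in the argument_spec.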
@@ -353,6 +358,7 @@ def main():
             skip_conncheck=dict(required=False, type='bool'),
             sid_generation_always=dict(required=False, type='bool', default=False),
+            ipa_client_installed=dict(required=True, type='bool'),
         ),
         supports_check_mode=False,
     )
@@ -436,6 +442,7 @@ def main():
     # options._random_serial_numbers is generated by ca.install_check and
     # later used by ca.install in the _setup_ca module.
     options._random_serial_numbers = False
+    ipa_client_installed = ansible_module.params.get('ipa_client_installed')
     # init #
@@ -601,10 +608,20 @@ def main():
     ansible_log.debug("-- CA_CRT --")
     cafile = paths.IPA_CA_CRT
-    if not os.path.isfile(cafile):
-        ansible_module.fail_json(
-            msg="CA cert file is not available! Please reinstall"
-            "the client and try again.")
+    if install_ca_cert is not None:
+        if not os.path.isfile(cafile):
+            ansible_module.fail_json(
+                msg="CA cert file is not available! Please reinstall"
+                "the client and try again.")
+    else:
+        if ipa_client_installed:
+            # host was already an IPA client, refresh client cert stores to
+            # ensure we have up to date CA certs.
+            try:
+                ipautil.run([paths.IPA_CERTUPDATE])
+            except ipautil.CalledProcessError:
+                ansible_module.fail_json(
+                    msg="ipa-certupdate failed to refresh certs.")
     ansible_log.debug("-- REMOTE_API --")
diff --git a/roles/ipareplica/library/ipareplica_test.py b/roles/ipareplica/library/ipareplica_test.py
index 95bd7e32..fabb52aa 100644
--- a/roles/ipareplica/library/ipareplica_test.py
+++ b/roles/ipareplica/library/ipareplica_test.py
@@ -191,7 +191,7 @@ from ansible.module_utils.ansible_ipa_replica import (
     paths, sysrestore, ansible_module_get_parsed_ip_addresses, service, redirect_stdout, create_ipa_conf, ipautil, x509, validate_domain_name, common_check,
-    IPA_PYTHON_VERSION, getargspec, adtrustinstance
+    IPA_PYTHON_VERSION, getargspec, adtrustinstance, install_ca_cert
 )
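Review bot: The new `msg=` line in the `@@ -601,10 +608,20` hunk re-introduces the implicit string concatenation without a separating space, so the failure reads "reinstallthe client"; change it to `msg="CA cert file is not available! Please reinstall "`. In the new `else` branch, when `install_ca_cert` is None and `ipa_client_installed` is false, nothing verifies that `cafile` exists before the code below goes on to use `paths.IPA_CA_CRT`; if that combination is reachable, an explicit `ansible_module.fail_json(msg="Host is not an IPA client, cannot promote to replica.")` there would fail earlier and with a clearer reason than whatever later uses the missing file. The branch also calls `ipautil.run` and `ipautil.CalledProcessError`, but `ipautil` is not among the names visible in the import hunk of this module, so confirm it is imported elsewhere in the file. `main()` continues outside the hunk.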
@@ -542,7 +542,8 @@ def main():
         # additional
         client_enrolled=client_enrolled,
         change_master_for_certmonger=change_master_for_certmonger,
-        sid_generation_always=sid_generation_always
+        sid_generation_always=sid_generation_always,
+        install_ca_certs=install_ca_cert is not None
     )
diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py
index f798833a..c244e288 100644
--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -144,7 +144,7 @@ try:
     from ipaserver.install.replication import (
         ReplicationManager, replica_conn_check)
     from ipaserver.install.server.replicainstall import (
-        make_pkcs12_info, install_replica_ds, install_krb, install_ca_cert,
+        make_pkcs12_info, install_replica_ds, install_krb,
         install_http, install_dns_records, create_ipa_conf, check_dirsrv,
         check_dns_resolution, configure_certmonger, remove_replica_info_dir,
@@ -157,6 +157,11 @@ try:
         # ensure_enrolled,
         promotion_check_ipa_domain
     )
+    try:
+        from ipaserver.install.server.replicainstall import \
+            install_ca_cert
+    except ImportError:
+        install_ca_cert = None
     import SSSDConfig
     from subprocess import CalledProcessError
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index fe63879c..076842a3 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -209,6 +209,7 @@
     server: "{{ result_ipareplica_test.server }}"
     skip_conncheck: "{{ ipareplica_skip_conncheck }}"
     sid_generation_always: "{{ result_ipareplica_test.sid_generation_always }}"
+    ipa_client_installed: "{{ result_ipareplica_test.client_enrolled }}"
   register: result_ipareplica_prepare
 - name: Install - Add to ipaservers
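Review bot: The new `try`/`except ImportError` in the `@@ -157,6 +157,11` hunk of ansible_ipa_replica.py carries no comment, so a reader cannot tell why `install_ca_cert` is allowed to be None or what that value means to the modules that import it (ipareplica_prepare and ipareplica_test both branch on `install_ca_cert is not None`). Add a comment above the `try:` such as `# install_ca_cert was removed from replicainstall upstream (FreeIPA commit 8f25b2a74a587548976f3d29f0b69d566d70125d); None tells the ipareplica modules to rely on the client's CA store and ipa-certupdate instead.` The enclosing `try:` block starts outside the hunk.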
@@ -276,6 +277,7 @@
     config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
     config_ips: "{{ result_ipareplica_prepare.config_ips }}"
   register: result_ipareplica_install_ca_certs
+  when: result_ipareplica_test.install_ca_certs
 - name: Install - Setup DS
   ipareplica_setup_ds:
--
GitLab
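Review bot: The added `when: result_ipareplica_test.install_ca_certs` sits on a task that also has `register: result_ipareplica_install_ca_certs`, so when the condition is false the registered variable holds a skipped result rather than the module's return values. I cannot see the later tasks in this chunk; if any of them read a field from `result_ipareplica_install_ca_certs`, they need the same condition or a `result_ipareplica_install_ca_certs is not skipped` guard, otherwise the play fails on an undefined attribute in exactly the new-FreeIPA case this patch targets.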