ipareplica: Refactor CA file handling

replicainstall.install_ca_cert has been removed, paths.IPA_CERTUPDATE is called instead if the client was configured before deploying with iparepica role. FreeIPA commit 8f25b2a74a587548976f3d29f0b69d566d70125d Refactor CA file handling in replica installer Clean up and remove obsolete code from ipa-replica-install. For several versions replica installer first ensures that a host is an IPA client, then promotes the client to a replica. The client installer code sets up CA stores like IPA_CA_CRT already.

ipareplica: Refactor CA file handling
07d91e02 · Thomas Woerner · 127d7581 · 07d91e02 · 07d91e02 · 07d91e02
Commit 07d91e02 authored Jun 20, 2024 by Thomas Woerner
--- a/roles/ipareplica/library/ipareplica_prepare.py
+++ b/roles/ipareplica/library/ipareplica_prepare.py
@@ -250,6 +250,10 @@ options:
    type: bool
    default: no
    required: no
+  client_configured:
+    description: Was client configured already
+    type: bool
+    required: yes
 author:
    - Thomas Woerner (@t-woerner)
 '''
@@ -275,7 +279,8 @@ from ansible.module_utils.ansible_ipa_replica import (
    check_domain_level_is_supported, errors, ScriptError, setup_logging,
    logger, check_dns_resolution, service, find_providing_server, ca, kra,
    dns, no_matching_interface_for_ip_address_warning, adtrust,
-    constants, api, redirect_stdout, replica_conn_check, tasks
+    constants, api, redirect_stdout, replica_conn_check, tasks,
+    install_ca_cert
 )
 from ansible.module_utils import six
@@ -353,6 +358,7 @@ def main():
            skip_conncheck=dict(required=False, type='bool'),
            sid_generation_always=dict(required=False, type='bool',
                                       default=False),
+            ipa_client_installed=dict(required=True, type='bool'),
        ),
        supports_check_mode=False,
    )
@@ -436,6 +442,7 @@ def main():
    # options._random_serial_numbers is generated by ca.install_check and
    # later used by ca.install in the _setup_ca module.
    options._random_serial_numbers = False
+    ipa_client_installed = ansible_module.params.get('ipa_client_installed')
    # init #
@@ -601,10 +608,20 @@ def main():
    ansible_log.debug("-- CA_CRT --")
    cafile = paths.IPA_CA_CRT
+    if install_ca_cert is not None:
        if not os.path.isfile(cafile):
            ansible_module.fail_json(
                msg="CA cert file is not available! Please reinstall"
                "the client and try again.")
+    else:
+        if ipa_client_installed:
+            # host was already an IPA client, refresh client cert stores to
+            # ensure we have up to date CA certs.
+            try:
+                ipautil.run([paths.IPA_CERTUPDATE])
+            except ipautil.CalledProcessError:
+                ansible_module.fail_json(
+                    msg="ipa-certupdate failed to refresh certs.")
    ansible_log.debug("-- REMOTE_API --")

--- a/roles/ipareplica/library/ipareplica_test.py
+++ b/roles/ipareplica/library/ipareplica_test.py
@@ -191,7 +191,7 @@ from ansible.module_utils.ansible_ipa_replica import (
    paths, sysrestore, ansible_module_get_parsed_ip_addresses, service,
    redirect_stdout, create_ipa_conf, ipautil,
    x509, validate_domain_name, common_check,
-    IPA_PYTHON_VERSION, getargspec, adtrustinstance
+    IPA_PYTHON_VERSION, getargspec, adtrustinstance, install_ca_cert
 )
@@ -542,7 +542,8 @@ def main():
        # additional
        client_enrolled=client_enrolled,
        change_master_for_certmonger=change_master_for_certmonger,
-        sid_generation_always=sid_generation_always
+        sid_generation_always=sid_generation_always,
+        install_ca_certs=install_ca_cert is not None
    )

--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -144,7 +144,7 @@ try:
        from ipaserver.install.replication import (
            ReplicationManager, replica_conn_check)
        from ipaserver.install.server.replicainstall import (
-            make_pkcs12_info, install_replica_ds, install_krb, install_ca_cert,
+            make_pkcs12_info, install_replica_ds, install_krb,
            install_http, install_dns_records, create_ipa_conf, check_dirsrv,
            check_dns_resolution, configure_certmonger,
            remove_replica_info_dir,
@@ -157,6 +157,11 @@ try:
            # ensure_enrolled,
            promotion_check_ipa_domain
        )
+        try:
+            from ipaserver.install.server.replicainstall import \
+                install_ca_cert
+        except ImportError:
+            install_ca_cert = None
        import SSSDConfig
        from subprocess import CalledProcessError

--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -209,6 +209,7 @@
      server: "{{ result_ipareplica_test.server }}"
      skip_conncheck: "{{ ipareplica_skip_conncheck }}"
      sid_generation_always: "{{ result_ipareplica_test.sid_generation_always }}"
+      ipa_client_installed: "{{ result_ipareplica_test.client_enrolled }}"
    register: result_ipareplica_prepare
  - name: Install - Add to ipaservers
@@ -276,6 +277,7 @@
      config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
      config_ips: "{{ result_ipareplica_prepare.config_ips }}"
    register: result_ipareplica_install_ca_certs
+    when: result_ipareplica_test.install_ca_certs
  - name: Install - Setup DS
    ipareplica_setup_ds: