From 0c5905fddb5b7a95076c7c4452b06c0e25bd6165 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 14 Sep 2017 13:23:07 +0200
Subject: [PATCH] library/ipadiscovery.py: Add ca_cert_file argument for
 discovery

---
 library/ipadiscovery.py           | 27 ++++++++++++++++++++++++---
 roles/ipaclient/tasks/install.yml |  1 +
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/library/ipadiscovery.py b/library/ipadiscovery.py
index a42bc856..757ce221 100644
--- a/library/ipadiscovery.py
+++ b/library/ipadiscovery.py
@@ -48,6 +48,9 @@ options:
   hostname:
     description: The authorized kerberos principal used to join the IPA realm.
     required: false
+  ca_cert_file:
+    description: A CA certificate to use.
+    required: false
   check:
     description: Check if IPA client is installed and matching.
     required: false
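Review bot: The description of the new `ca_cert_file` option ("A CA certificate to use.") does not tell the caller that the value is a file path rather than certificate contents, nor that the module falls back to an already-installed CA when it is omitted, which is exactly what `get_cert_path` in the next hunk does. Suggest `description: Path to a CA certificate file passed to IPA discovery; when omitted, the installed IPA CA is used if present.` This is the module's option documentation, so it is the only place a role author sees the contract.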
@@ -147,6 +150,22 @@ from ipaclient.install import ipadiscovery
 from ipalib.install.sysrestore import SYSRESTORE_STATEFILE
 from ipaplatform.paths import paths
 
+def get_cert_path(cert_path):
+    """
+    If a CA certificate is passed in on the command line, use that.
+
+    Else if a CA file exists in paths.IPA_CA_CRT then use that.
+
+    Otherwise return None.
+    """
+    if cert_path is not None:
+        return cert_path
+
+    if os.path.exists(paths.IPA_CA_CRT):
+        return paths.IPA_CA_CRT
+
+    return None
+
 def is_client_configured():
     """
     Check if ipa client is configured.
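Review bot: `get_cert_path` calls `os.path.exists` but this patch adds no `import os`, and the hunk header shows only the ipaclient/ipalib/ipaplatform imports; if the module does not already import `os` higher up, the fallback branch raises `NameError` the first time `ca_cert_file` is omitted. The docstring also says the certificate is "passed in on the command line", but the value comes from the Ansible module parameter; suggest `If a CA certificate path is given via the ca_cert_file module parameter, use that.` Note that an explicit `cert_path` is returned unchecked while the fallback is existence-tested, so a mistyped path only fails later inside discovery rather than at the module boundary. `is_client_configured` continues past the end of this hunk.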
@@ -188,6 +207,7 @@ def main():
             domain=dict(required=False),
             realm=dict(required=False),
             hostname=dict(required=False),
+            ca_cert_file=dict(required=False),
             check=dict(required=False, type='bool', default=False),
         ),
         # required_one_of = ( [ '', '' ] ),
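Review bot: The new `ca_cert_file` entry in the argument spec is declared without a `type`, so a value such as `~/ca.crt` or one containing shell-style variables reaches `get_cert_path` unexpanded; declaring it as `ca_cert_file=dict(required=False, type='path'),` lets AnsibleModule expand the path the same way it does for other path parameters. The enclosing `main()` starts and ends outside this hunk.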
@@ -199,6 +219,7 @@ def main():
     opt_servers = module.params.get('servers')
     opt_realm = module.params.get('realm')
     opt_hostname = module.params.get('hostname')
+    opt_ca_cert_file = module.params.get('ca_cert_file')
     opt_check = module.params.get('check')
 
     hostname = None
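Review bot: `opt_ca_cert_file` is read here but never validated, so an explicit path that does not exist is handed to discovery as-is and the failure surfaces later with a less specific message; an early check right after this line, `if opt_ca_cert_file is not None and not os.path.isfile(opt_ca_cert_file):` followed by `module.fail_json(msg="ca_cert_file %s does not exist" % opt_ca_cert_file)`, reports the problem at the module boundary where the caller can act on it. This assumes `os` is imported by the module, which the patch does not show. `main()` starts and ends outside this hunk.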
@@ -238,7 +259,7 @@ def main():
         servers=opt_servers,
         realm=opt_realm,
         hostname=hostname,
-        ca_cert_path=None)
+        ca_cert_path=get_cert_path(opt_ca_cert_file))
 
     if opt_servers and ret != 0:
         # There is no point to continue with installation as server list was
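Review bot: `get_cert_path(opt_ca_cert_file)` is evaluated separately at each of the three discovery calls (this hunk and the hunks at `@@ -276` and `@@ -299`), so the filesystem check on `paths.IPA_CA_CRT` is repeated and the three calls could in principle see different results if the file appears or disappears between them. Computing it once after the parameters are read, `ca_cert_path = get_cert_path(opt_ca_cert_file)`, and passing `ca_cert_path=ca_cert_path` in each call is simpler and makes all three discovery runs use the same decision. `main()` continues outside this hunk.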
@@ -276,7 +297,7 @@ def main():
             domain=cli_domain,
             servers=opt_servers,
             hostname=hostname,
-            ca_cert_path=None)
+            ca_cert_path=get_cert_path(opt_ca_cert_file))
 
     if not cli_domain:
         if ds.domain:
@@ -299,7 +320,7 @@ def main():
             domain=cli_domain,
             servers=cli_server,
             hostname=hostname,
-            ca_cert_path=None)
+            ca_cert_path=get_cert_path(opt_ca_cert_file))
 
     else:
         # Only set dnsok to True if we were not passed in one or more servers
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index 79476d24..b635c00c 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -12,6 +12,7 @@
     servers: "{{ groups.ipaservers | default(omit) }}"
     realm: "{{ ipaclient_realm | default(omit) }}"
     hostname: "{{ ansible_fqdn }}"
+    #ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
     check: yes
   register: ipadiscovery
 
-- 
GitLab