From 4ff6e35c282a344eb736ab8d18b28e9e3eaecbc6 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Wed, 19 Jun 2024 16:41:05 +0200
Subject: [PATCH] ipaserver: Set hsm attributes to None for now

The HSM parameters

    token_name
    token_library_path
    token_password
    token_password_file

are set to None as a workaround to enable deployment with IPA 4.12 until
HSM can be fully supported by the ipaserver role.
---
 roles/ipaserver/library/ipaserver_prepare.py   | 6 ++++++
 roles/ipaserver/library/ipaserver_setup_ca.py  | 6 ++++++
 roles/ipaserver/library/ipaserver_setup_kra.py | 8 +++++++-
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/roles/ipaserver/library/ipaserver_prepare.py b/roles/ipaserver/library/ipaserver_prepare.py
index 1c791756..24eccf23 100644
--- a/roles/ipaserver/library/ipaserver_prepare.py
+++ b/roles/ipaserver/library/ipaserver_prepare.py
@@ -326,6 +326,12 @@ def main():
     # ssl certificate
     # options.dirsrv_cert_files = ansible_module.params.get(
     #     'dirsrv_cert_files')
+    # hsm
+    if hasattr(ca, "hsm_version"):
+        options.token_name = None
+        options.token_library_path = None
+        options.token_password = None
+        options.token_password_file = None
     # client
     # options.no_ntp = ansible_module.params.get('no_ntp')
     # certificate system
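Review bot: The `# hsm` comment above the added block says nothing about why four option attributes are forced to None, although the commit message explains this is a workaround for IPA 4.12 until the role supports HSM; a reader of main() (which starts and ends outside this hunk) will otherwise take it as a deliberate, permanent "HSM off". I would replace the comment with `# hsm: workaround, not HSM support -- newer IPA (4.12, which exposes ca.hsm_version) expects these options, so set them to None until the role supports HSM`. The same six-line block is repeated verbatim in the ipaserver_setup_ca.py and ipaserver_setup_kra.py hunks, so a small helper in the ansible_ipa_server module_utils that takes `options` would keep the three copies from drifting when real HSM support (token_password, token_password_file) is wired in. Only the setup_kra hunk adds `ca` to its import list; the prepare and setup_ca hunks presumably already import it, which is worth confirming since `hasattr(ca, ...)` raises NameError otherwise.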
diff --git a/roles/ipaserver/library/ipaserver_setup_ca.py b/roles/ipaserver/library/ipaserver_setup_ca.py
index 4003e14d..1a453e49 100644
--- a/roles/ipaserver/library/ipaserver_setup_ca.py
+++ b/roles/ipaserver/library/ipaserver_setup_ca.py
@@ -305,6 +305,12 @@ def main():
     options.dirsrv_cert_files = ansible_module.params.get('dirsrv_cert_files')
     options._dirsrv_pkcs12_info = ansible_module.params.get(
         '_dirsrv_pkcs12_info')
+    # hsm
+    if hasattr(ca, "hsm_version"):
+        options.token_name = None
+        options.token_library_path = None
+        options.token_password = None
+        options.token_password_file = None
     # certificate system
     options.external_ca = ansible_module.params.get('external_ca')
     options.external_ca_type = ansible_module.params.get('external_ca_type')
diff --git a/roles/ipaserver/library/ipaserver_setup_kra.py b/roles/ipaserver/library/ipaserver_setup_kra.py
index 9f05ef5a..4ea9aa6e 100644
--- a/roles/ipaserver/library/ipaserver_setup_kra.py
+++ b/roles/ipaserver/library/ipaserver_setup_kra.py
@@ -74,7 +74,7 @@ RETURN = '''
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_server import (
     check_imports, AnsibleModuleLog, setup_logging, options,
-    api_Backend_ldap2, redirect_stdout, api, custodiainstance, kra
+    api_Backend_ldap2, redirect_stdout, api, custodiainstance, kra, ca
 )
 
 
@@ -106,6 +106,12 @@ def main():
     options.pki_config_override = ansible_module.params.get(
         'pki_config_override')
     options.promote = False  # first master, no promotion
+    # hsm
+    if hasattr(ca, "hsm_version"):
+        options.token_name = None
+        options.token_library_path = None
+        options.token_password = None
+        options.token_password_file = None
 
     # init ##########################################################
 
-- 
GitLab