diff --git a/roles/ipareplica/library/ipareplica_custodia_import_dm_password.py b/roles/ipareplica/library/ipareplica_custodia_import_dm_password.py index 95424615cfda4cacc5e726ceeb9a9a2c5df98617..922c888001f7e262fd495c55c6379090054af8b5 100644 --- a/roles/ipareplica/library/ipareplica_custodia_import_dm_password.py +++ b/roles/ipareplica/library/ipareplica_custodia_import_dm_password.py @@ -64,6 +64,12 @@ options: _ca_file: description: required: yes + _kra_enabled: + description: + required: yes + _kra_host_name: + description: + required: yes _dirsrv_pkcs12_info: description: required: yes @@ -103,6 +109,8 @@ def main(): ccache=dict(required=True), _ca_enabled=dict(required=False, type='bool'), _ca_file=dict(required=False), + _kra_enabled=dict(required=False, type='bool'), + _kra_host_name=dict(required=False), _dirsrv_pkcs12_info = dict(required=False), _pkinit_pkcs12_info = dict(required=False), _top_dir = dict(required=True), @@ -135,6 +143,8 @@ def main(): #os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache') #installer._ccache = ansible_module.params.get('installer_ccache') ca_enabled = ansible_module.params.get('_ca_enabled') + kra_enabled = ansible_module.params.get('_kra_enabled') + kra_host_name = ansible_module.params.get('_kra_host_name') dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info') pkinit_pkcs12_info = ansible_module.params.get('_pkinit_pkcs12_info') options._top_dir = ansible_module.params.get('_top_dir') @@ -161,6 +171,8 @@ def main(): config.ca_host_name = config_ca_host_name config.subject_base = options.subject_base config.promote = installer.promote + config.kra_enabled = kra_enabled + config.kra_host_name = kra_host_name remote_api = gen_remote_api(config.master_host_name, paths.ETC_IPA) installer._remote_api = remote_api 
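Review bot: The DOCUMENTATION entries added for `_kra_enabled` and `_kra_host_name` in the first hunk (@@ -64) say `required: yes` with an empty `description:`, while the argument_spec hunk right below (@@ -103) declares both `required=False`; the same mismatch is introduced by the corresponding hunks in ipareplica_setup_ca.py and ipareplica_setup_custodia.py. Document what the module actually enforces, e.g. `_kra_enabled:` / `description: The KRA is enabled` / `required: no` and `_kra_host_name:` / `description: The KRA host name` / `required: no`, mirroring the `config_master_host_name: The master host name` wording used in ipareplica_enable_ipa.py. The pre-existing `_ca_file` entry has the same empty description, so this continues an existing pattern, but the new entries need not repeat it.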
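Review bot: The argument_spec hunk (@@ -103) accepts `_kra_enabled: true` together with an absent `_kra_host_name` (`required=False`, no default), and nothing between there and `config.kra_host_name = kra_host_name` in the last hunk rejects that combination, so `None` is stored as the host name that the KRA peer selection presumably connects to later. Tie the two options together at the module boundary with AnsibleModule's `required_if=[('_kra_enabled', True, ['_kra_host_name'])]`, so a missing peer name fails with a clear module error rather than deeper inside the FreeIPA installer. The same applies to the argument_spec hunks in ipareplica_setup_ca.py, ipareplica_setup_custodia.py and ipareplica_setup_kra.py. main() begins before and ends after these hunks.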
diff --git a/roles/ipareplica/library/ipareplica_enable_ipa.py b/roles/ipareplica/library/ipareplica_enable_ipa.py index 35b288f2d502220b1e67a75ba68165e488a97e0a..d54a746bc77de39a30b8fdbc7fd20c00589b5cf9 100644 --- a/roles/ipareplica/library/ipareplica_enable_ipa.py +++ b/roles/ipareplica/library/ipareplica_enable_ipa.py @@ -49,6 +49,9 @@ options: setup_ca: description: Configure a dogtag CA required: yes + setup_kra: + description: Configure KRA + required: yes config_master_host_name: description: The master host name required: yes @@ -77,6 +80,7 @@ def main(): ccache=dict(required=True), _top_dir = dict(required=True), setup_ca=dict(required=True, type='bool'), + setup_kra=dict(required=True, type='bool'), config_master_host_name=dict(required=True), ), supports_check_mode = True, @@ -100,6 +104,7 @@ def main(): os.environ['KRB5CCNAME'] = ccache options._top_dir = ansible_module.params.get('_top_dir') options.setup_ca = ansible_module.params.get('setup_ca') + options.setup_kra = ansible_module.params.get('setup_kra') config_master_host_name = ansible_module.params.get('config_master_host_name') # init # diff --git a/roles/ipareplica/library/ipareplica_prepare.py b/roles/ipareplica/library/ipareplica_prepare.py index 55994d2b0a3629cc1c0b8a960d4744ba1203233d..a9b1bcd19bb9df0d0474c67104dee2acfb66370e 100644 --- a/roles/ipareplica/library/ipareplica_prepare.py +++ b/roles/ipareplica/library/ipareplica_prepare.py @@ -728,6 +728,7 @@ def main(): config_setup_ca=config.setup_ca, config_master_host_name=config.master_host_name, config_ca_host_name=config.ca_host_name, + config_kra_host_name=config.kra_host_name, config_ips=[ str(ip) for ip in config.ips ], ### ad trust ### rid_base=options.rid_base, diff --git a/roles/ipareplica/library/ipareplica_setup_ca.py b/roles/ipareplica/library/ipareplica_setup_ca.py index fb95bea599d0a916b7debe7ef26ca0d5434839b1..788fdae29334a2200b382c22f97cf533a5f7fc91 100644 --- a/roles/ipareplica/library/ipareplica_setup_ca.py 
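Review bot: `setup_kra` is declared `required=True` in the ipareplica_enable_ipa.py argument_spec hunk (@@ -77), so every task calling this module must pass it from now on, yet this diff adds `setup_kra:` to only one task in roles/ipareplica/tasks/install.yml (the hunk at @@ -733). That task's other visible parameters (`hostname`, `hidden_replica`, `subject_base`) are not among the argument_spec lines shown here, so I cannot confirm from this chunk that it is the enable_ipa task; if it is not, the module will stop with a missing-required-argument error. Either confirm the task mapping or declare the option `setup_kra=dict(required=False, type='bool', default=False)` so existing playbooks keep working. main() begins before and ends after these hunks.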
+++ b/roles/ipareplica/library/ipareplica_setup_ca.py @@ -61,6 +61,12 @@ options: _ca_file: description: required: yes + _kra_enabled: + description: + required: yes + _kra_host_name: + description: + required: yes _dirsrv_pkcs12_info: description: required: yes @@ -118,6 +124,8 @@ def main(): ccache=dict(required=True), _ca_enabled=dict(required=False, type='bool'), _ca_file=dict(required=False), + _kra_enabled=dict(required=False, type='bool'), + _kra_host_name=dict(required=False), _dirsrv_pkcs12_info = dict(required=False), _pkinit_pkcs12_info = dict(required=False), _top_dir = dict(required=True), @@ -152,6 +160,8 @@ def main(): #os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache') #installer._ccache = ansible_module.params.get('installer_ccache') ca_enabled = ansible_module.params.get('_ca_enabled') + kra_enabled = ansible_module.params.get('_kra_enabled') + kra_host_name = ansible_module.params.get('_kra_host_name') installer._dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info') installer._pkinit_pkcs12_info = ansible_module.params.get('_pkinit_pkcs12_info') options._top_dir = ansible_module.params.get('_top_dir') @@ -190,6 +200,8 @@ def main(): config.ca_host_name = config_ca_host_name config.ips = config_ips config.promote = options.promote + config.kra_enabled = kra_enabled + config.kra_host_name = kra_host_name remote_api = gen_remote_api(config.master_host_name, paths.ETC_IPA) options._remote_api = remote_api @@ -213,7 +225,10 @@ def main(): if not hasattr(custodiainstance, "get_custodia_instance"): ca.install(False, config, options) else: - if ca_enabled: + if kra_enabled: + # A KRA peer always provides a CA, too. + mode = custodiainstance.CustodiaModes.KRA_PEER + elif ca_enabled: mode = custodiainstance.CustodiaModes.CA_PEER else: mode = custodiainstance.CustodiaModes.MASTER_PEER 
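Review bot: The KRA_PEER/CA_PEER/MASTER_PEER selection added in the hunk at @@ -213 is duplicated verbatim in the ipareplica_setup_custodia.py hunk at @@ -174, so the precedence rule the comment states ("a KRA peer always provides a CA, too") now lives in two places that can drift. A small helper next to wherever gen_ReplicaConfig and gen_remote_api are defined (that shared file is not in this diff) would keep the rule in one spot and reduce each module to `mode = get_custodia_mode(ca_enabled, kra_enabled)`. Note also that this branch only runs when custodiainstance has get_custodia_instance and it now assumes CustodiaModes.KRA_PEER exists in every such FreeIPA version; I believe the two arrived together, but it is worth confirming against the oldest release the role supports. main() begins before and ends after these hunks.
```python
def get_custodia_mode(ca_enabled, kra_enabled):
    """Return the CustodiaModes value for a replica's peer selection.

    A KRA peer always provides a CA, too, so KRA takes precedence over CA,
    and any master will do when neither is available.
    """
    if kra_enabled:
        return custodiainstance.CustodiaModes.KRA_PEER
    if ca_enabled:
        return custodiainstance.CustodiaModes.CA_PEER
    return custodiainstance.CustodiaModes.MASTER_PEER

# … unchanged: hasattr(custodiainstance, "get_custodia_instance") check and ca.install() branch …
        mode = get_custodia_mode(ca_enabled, kra_enabled)
```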
diff --git a/roles/ipareplica/library/ipareplica_setup_custodia.py b/roles/ipareplica/library/ipareplica_setup_custodia.py index a7fcc407cde9b5d9ed5682afebee40364f858ae9..ad950ad4cfa455ddf3cb215f5339c0910724675d 100644 --- a/roles/ipareplica/library/ipareplica_setup_custodia.py +++ b/roles/ipareplica/library/ipareplica_setup_custodia.py @@ -64,6 +64,12 @@ options: _ca_file: description: required: yes + _kra_enabled: + description: + required: yes + _kra_host_name: + description: + required: yes _top_dir: description: required: yes @@ -98,6 +104,8 @@ def main(): ccache=dict(required=True), _ca_enabled=dict(required=False, type='bool'), _ca_file=dict(required=False), + _kra_enabled=dict(required=False, type='bool'), + _kra_host_name=dict(required=False), _dirsrv_pkcs12_info = dict(required=False), _pkinit_pkcs12_info = dict(required=False), _top_dir = dict(required=True), @@ -127,6 +135,8 @@ def main(): #os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache') #installer._ccache = ansible_module.params.get('installer_ccache') ca_enabled = ansible_module.params.get('_ca_enabled') + kra_enabled = ansible_module.params.get('_kra_enabled') + kra_host_name = ansible_module.params.get('_kra_host_name') dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info') options._pkinit_pkcs12_info = ansible_module.params.get('_pkinit_pkcs12_info') options._top_dir = ansible_module.params.get('_top_dir') @@ -149,6 +159,8 @@ def main(): config = gen_ReplicaConfig() config.dirman_password = dirman_password config.promote = installer.promote + config.kra_enabled = kra_enabled + config.kra_host_name = kra_host_name remote_api = gen_remote_api(master_host_name, paths.ETC_IPA) #installer._remote_api = remote_api 
@@ -174,7 +186,10 @@ def main(): ansible_log.debug("-- CUSTODIA CREATE_INSTANCE --") custodia.create_instance() else: - if ca_enabled: + if kra_enabled: + # A KRA peer always provides a CA, too. + mode = custodiainstance.CustodiaModes.KRA_PEER + elif ca_enabled: mode = custodiainstance.CustodiaModes.CA_PEER else: mode = custodiainstance.CustodiaModes.MASTER_PEER diff --git a/roles/ipareplica/library/ipareplica_setup_kra.py b/roles/ipareplica/library/ipareplica_setup_kra.py index 961f15f76ba36fb1ad71c5fe7ef7b7fd3e2df544..fadb94dc786df3e6a04901f3ec3407de29e820e3 100644 --- a/roles/ipareplica/library/ipareplica_setup_kra.py +++ b/roles/ipareplica/library/ipareplica_setup_kra.py @@ -115,6 +115,7 @@ def main(): installer_ccache=dict(required=True), _ca_enabled=dict(required=False, type='bool'), _kra_enabled=dict(required=False, type='bool'), + _kra_host_name=dict(required=False), _dirsrv_pkcs12_info = dict(required=False), _http_pkcs12_info = dict(required=False), _pkinit_pkcs12_info = dict(required=False), @@ -176,6 +177,7 @@ def main(): installer._ccache = ansible_module.params.get('installer_ccache') ca_enabled = ansible_module.params.get('_ca_enabled') kra_enabled = ansible_module.params.get('_kra_enabled') + kra_host_name = ansible_module.params.get('_kra_host_name') dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info') http_pkcs12_info = ansible_module.params.get('_http_pkcs12_info') @@ -206,6 +208,8 @@ def main(): config = gen_ReplicaConfig() config.subject_base = options.subject_base config.promote = installer.promote + config.kra_enabled = kra_enabled + config.kra_host_name = kra_host_name remote_api = gen_remote_api(master_host_name, paths.ETC_IPA) installer._remote_api = remote_api diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml index 1bb89dcbd7c296245598ba54b89355df22efb7d0..97cbd413c1e7aaa6cca0df4b24d69f67621a206c 100644 --- a/roles/ipareplica/tasks/install.yml +++ b/roles/ipareplica/tasks/install.yml 
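Review bot: ipareplica_setup_kra.py gains `_kra_host_name` in its argument_spec (hunk @@ -115) but, unlike the other modules in this diff, gets no DOCUMENTATION hunk; if its `options:` block lists `_kra_enabled` the way the sibling modules do, the new option is left undocumented. Add an entry matching the spec, e.g. `_kra_host_name:` / `description: The KRA host name` / `required: no`. The enclosing main() starts before and ends after these hunks.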
@@ -508,6 +508,8 @@
 "{{ result_ipareplica_prepare.config_master_host_name }}"
 ccache: "{{ result_ipareplica_prepare.ccache }}"
 _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
+ _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
+ _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"
 _ca_file: "{{ result_ipareplica_prepare._ca_file }}"
 _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
 _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
@@ -527,6 +529,8 @@
 _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
 _ca_file: "{{ result_ipareplica_prepare._ca_file }}"
 _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"
+ _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
+ _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"
 _subject_base: "{{ result_ipareplica_prepare._subject_base }}"
 _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
 _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
@@ -609,6 +613,7 @@
 installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
 _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
 _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
+ _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"
 _dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info }}"
 _http_pkcs12_info: "{{ result_ipareplica_prepare._http_pkcs12_info }}"
 _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
@@ -653,6 +658,8 @@
 ccache: "{{ result_ipareplica_prepare.ccache }}"
 _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
 _ca_file: "{{ result_ipareplica_prepare._ca_file }}"
+ _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
+ _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"
 _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
 _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
 dirman_password: "{{ ipareplica_dirman_password }}"
@@ -733,6 +740,8 @@
 hostname: "{{ result_ipareplica_test.hostname }}"
 hidden_replica: "{{ ipareplica_hidden_replica }}"
 ### server ###
+ ### replica ###
+ setup_kra: "{{ result_ipareplica_test.setup_kra }}"
 ### certificate system ###
 subject_base: "{{ result_ipareplica_prepare.subject_base }}"
 ### additional ###
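Review bot: In the hunk at @@ -733 the new `### replica ###` heading lands directly under the pre-existing `### server ###` one, so the server section now labels nothing and `setup_kra`, the counterpart of the `setup_ca` option that ipareplica_enable_ipa.py documents alongside it, sits under a heading that appears nowhere else in this diff. Either drop the new heading and list `setup_kra: "{{ result_ipareplica_test.setup_kra }}"` under `### server ###`, or remove the now-empty `### server ###` line. Every other KRA value in this diff is read from `result_ipareplica_prepare`, while this one reads `result_ipareplica_test.setup_kra`; `result_ipareplica_test` already supplies `hostname` on the line above, so this is presumably intentional, but confirm that the test module actually returns `setup_kra`.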