From 5d881a9bf3b7e5a244a58e358fa52c31ebb07979 Mon Sep 17 00:00:00 2001 From: Thomas Woerner <twoerner@redhat.com> Date: Tue, 25 Jun 2019 10:53:07 +0200 Subject: [PATCH] ipareplica: Set all needed settings for kra Some settings for kra have not been correct for kra with the change to use single Custodia instance in the installer (freeipa 994f71ac8). These modules have been adapted: ipareplica_custodia_import_dm_password ipareplica_enable_ipa ipareplica_setup_ca ipareplica_setup_custodia ipareplica_setup_kra --- .../ipareplica_custodia_import_dm_password.py | 12 ++++++++++++ .../ipareplica/library/ipareplica_enable_ipa.py | 5 +++++ roles/ipareplica/library/ipareplica_prepare.py | 1 + roles/ipareplica/library/ipareplica_setup_ca.py | 17 ++++++++++++++++- .../library/ipareplica_setup_custodia.py | 17 ++++++++++++++++- .../ipareplica/library/ipareplica_setup_kra.py | 4 ++++ roles/ipareplica/tasks/install.yml | 9 +++++++++ 7 files changed, 63 insertions(+), 2 deletions(-) diff --git a/roles/ipareplica/library/ipareplica_custodia_import_dm_password.py b/roles/ipareplica/library/ipareplica_custodia_import_dm_password.py index 95424615..922c8880 100644 --- a/roles/ipareplica/library/ipareplica_custodia_import_dm_password.py +++ b/roles/ipareplica/library/ipareplica_custodia_import_dm_password.py @@ -64,6 +64,12 @@ options: _ca_file: description: required: yes + _kra_enabled: + description: + required: yes + _kra_host_name: + description: + required: yes _dirsrv_pkcs12_info: description: required: yes @@ -103,6 +109,8 @@ def main(): ccache=dict(required=True), _ca_enabled=dict(required=False, type='bool'), _ca_file=dict(required=False), + _kra_enabled=dict(required=False, type='bool'), + _kra_host_name=dict(required=False), _dirsrv_pkcs12_info = dict(required=False), _pkinit_pkcs12_info = dict(required=False), _top_dir = dict(required=True), 
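Review bot: The new `_kra_enabled` and `_kra_host_name` entries in DOCUMENTATION declare `required: yes` with an empty description, while the argument_spec added in the second hunk registers both as `required=False`, so the module's documented contract contradicts what it enforces. The pre-existing `_ca_enabled`/`_ca_file` pair shows the same mismatch, which suggests `required=False` is the intended behaviour; the documentation should then read `required: no` and carry a one-line description for each, e.g. `description: Whether a KRA is configured in the topology` and `description: Host name of the KRA master`, to be confirmed against what ipareplica_prepare returns. The same new lines appear in ipareplica_setup_ca.py and ipareplica_setup_custodia.py and need the same correction. The `main()` argument_spec continues outside the hunk.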
@@ -135,6 +143,8 @@ def main(): #os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache') #installer._ccache = ansible_module.params.get('installer_ccache') ca_enabled = ansible_module.params.get('_ca_enabled') + kra_enabled = ansible_module.params.get('_kra_enabled') + kra_host_name = ansible_module.params.get('_kra_host_name') dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info') pkinit_pkcs12_info = ansible_module.params.get('_pkinit_pkcs12_info') options._top_dir = ansible_module.params.get('_top_dir') @@ -161,6 +171,8 @@ def main(): config.ca_host_name = config_ca_host_name config.subject_base = options.subject_base config.promote = installer.promote + config.kra_enabled = kra_enabled + config.kra_host_name = kra_host_name remote_api = gen_remote_api(config.master_host_name, paths.ETC_IPA) installer._remote_api = remote_api diff --git a/roles/ipareplica/library/ipareplica_enable_ipa.py b/roles/ipareplica/library/ipareplica_enable_ipa.py index 35b288f2..d54a746b 100644 --- a/roles/ipareplica/library/ipareplica_enable_ipa.py +++ b/roles/ipareplica/library/ipareplica_enable_ipa.py @@ -49,6 +49,9 @@ options: setup_ca: description: Configure a dogtag CA required: yes + setup_kra: + description: Configure KRA + required: yes config_master_host_name: description: The master host name required: yes @@ -77,6 +80,7 @@ def main(): ccache=dict(required=True), _top_dir = dict(required=True), setup_ca=dict(required=True, type='bool'), + setup_kra=dict(required=True, type='bool'), config_master_host_name=dict(required=True), ), supports_check_mode = True, @@ -100,6 +104,7 @@ def main(): os.environ['KRB5CCNAME'] = ccache options._top_dir = ansible_module.params.get('_top_dir') options.setup_ca = ansible_module.params.get('setup_ca') + options.setup_kra = ansible_module.params.get('setup_kra') config_master_host_name = ansible_module.params.get('config_master_host_name') # init # 
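Review bot: `config.kra_host_name = kra_host_name` can assign `None`, because `_kra_host_name` is registered with `required=False` and no default in the argument_spec above, and nothing checks that a host name was supplied whenever `_kra_enabled` is true. Custodia peer selection in KRA mode presumably relies on this value to pick the server it fetches keys from, so a missing name should fail early in the module rather than surface later as an attribute error or a wrong peer; after the parameters are read add `if kra_enabled and not kra_host_name:` / `ansible_module.fail_json(msg="_kra_host_name is required when _kra_enabled is set")`. The same guard is missing in the matching hunks of ipareplica_setup_ca.py, ipareplica_setup_custodia.py and ipareplica_setup_kra.py. `main()` continues outside the hunk on both sides.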
diff --git a/roles/ipareplica/library/ipareplica_prepare.py b/roles/ipareplica/library/ipareplica_prepare.py index 55994d2b..a9b1bcd1 100644 --- a/roles/ipareplica/library/ipareplica_prepare.py +++ b/roles/ipareplica/library/ipareplica_prepare.py @@ -728,6 +728,7 @@ def main(): config_setup_ca=config.setup_ca, config_master_host_name=config.master_host_name, config_ca_host_name=config.ca_host_name, + config_kra_host_name=config.kra_host_name, config_ips=[ str(ip) for ip in config.ips ], ### ad trust ### rid_base=options.rid_base, diff --git a/roles/ipareplica/library/ipareplica_setup_ca.py b/roles/ipareplica/library/ipareplica_setup_ca.py index fb95bea5..788fdae2 100644 --- a/roles/ipareplica/library/ipareplica_setup_ca.py +++ b/roles/ipareplica/library/ipareplica_setup_ca.py @@ -61,6 +61,12 @@ options: _ca_file: description: required: yes + _kra_enabled: + description: + required: yes + _kra_host_name: + description: + required: yes _dirsrv_pkcs12_info: description: required: yes @@ -118,6 +124,8 @@ def main(): ccache=dict(required=True), _ca_enabled=dict(required=False, type='bool'), _ca_file=dict(required=False), + _kra_enabled=dict(required=False, type='bool'), + _kra_host_name=dict(required=False), _dirsrv_pkcs12_info = dict(required=False), _pkinit_pkcs12_info = dict(required=False), _top_dir = dict(required=True), @@ -152,6 +160,8 @@ def main(): #os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache') #installer._ccache = ansible_module.params.get('installer_ccache') ca_enabled = ansible_module.params.get('_ca_enabled') + kra_enabled = ansible_module.params.get('_kra_enabled') + kra_host_name = ansible_module.params.get('_kra_host_name') installer._dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info') installer._pkinit_pkcs12_info = ansible_module.params.get('_pkinit_pkcs12_info') options._top_dir = ansible_module.params.get('_top_dir') 
@@ -190,6 +200,8 @@ def main(): config.ca_host_name = config_ca_host_name config.ips = config_ips config.promote = options.promote + config.kra_enabled = kra_enabled + config.kra_host_name = kra_host_name remote_api = gen_remote_api(config.master_host_name, paths.ETC_IPA) options._remote_api = remote_api @@ -213,7 +225,10 @@ def main(): if not hasattr(custodiainstance, "get_custodia_instance"): ca.install(False, config, options) else: - if ca_enabled: + if kra_enabled: + # A KRA peer always provides a CA, too. + mode = custodiainstance.CustodiaModes.KRA_PEER + elif ca_enabled: mode = custodiainstance.CustodiaModes.CA_PEER else: mode = custodiainstance.CustodiaModes.MASTER_PEER diff --git a/roles/ipareplica/library/ipareplica_setup_custodia.py b/roles/ipareplica/library/ipareplica_setup_custodia.py index a7fcc407..ad950ad4 100644 --- a/roles/ipareplica/library/ipareplica_setup_custodia.py +++ b/roles/ipareplica/library/ipareplica_setup_custodia.py @@ -64,6 +64,12 @@ options: _ca_file: description: required: yes + _kra_enabled: + description: + required: yes + _kra_host_name: + description: + required: yes _top_dir: description: required: yes @@ -98,6 +104,8 @@ def main(): ccache=dict(required=True), _ca_enabled=dict(required=False, type='bool'), _ca_file=dict(required=False), + _kra_enabled=dict(required=False, type='bool'), + _kra_host_name=dict(required=False), _dirsrv_pkcs12_info = dict(required=False), _pkinit_pkcs12_info = dict(required=False), _top_dir = dict(required=True), 
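Review bot: The Custodia mode is now chosen from `kra_enabled`, which this module reads from `_kra_enabled` — by its name and by the way ipareplica_setup_kra already consumes it, a property of the topology rather than of this replica — whereas ipareplica_enable_ipa in this same commit is handed the replica's own `setup_kra` option. If `_kra_enabled` means "some master has a KRA", a replica that is not installing a KRA itself would still be put into `CustodiaModes.KRA_PEER` and pointed at `config.kra_host_name`; upstream ipa-replica-install appears to key this decision on the replica's `setup_kra` option, so please confirm which flag is intended and, if it is the option, pass and test `setup_kra` here as well. The comment `# A KRA peer always provides a CA, too.` explains the branch order well and should stay. The same selection appears in the ipareplica_setup_custodia.py hunk at -174 and needs the same review; the enclosing `else:` block begins before and ends after the hunk.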
@@ -127,6 +135,8 @@ def main(): #os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache') #installer._ccache = ansible_module.params.get('installer_ccache') ca_enabled = ansible_module.params.get('_ca_enabled') + kra_enabled = ansible_module.params.get('_kra_enabled') + kra_host_name = ansible_module.params.get('_kra_host_name') dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info') options._pkinit_pkcs12_info = ansible_module.params.get('_pkinit_pkcs12_info') options._top_dir = ansible_module.params.get('_top_dir') @@ -149,6 +159,8 @@ def main(): config = gen_ReplicaConfig() config.dirman_password = dirman_password config.promote = installer.promote + config.kra_enabled = kra_enabled + config.kra_host_name = kra_host_name remote_api = gen_remote_api(master_host_name, paths.ETC_IPA) #installer._remote_api = remote_api @@ -174,7 +186,10 @@ def main(): ansible_log.debug("-- CUSTODIA CREATE_INSTANCE --") custodia.create_instance() else: - if ca_enabled: + if kra_enabled: + # A KRA peer always provides a CA, too. + mode = custodiainstance.CustodiaModes.KRA_PEER + elif ca_enabled: mode = custodiainstance.CustodiaModes.CA_PEER else: mode = custodiainstance.CustodiaModes.MASTER_PEER diff --git a/roles/ipareplica/library/ipareplica_setup_kra.py b/roles/ipareplica/library/ipareplica_setup_kra.py index 961f15f7..fadb94dc 100644 --- a/roles/ipareplica/library/ipareplica_setup_kra.py +++ b/roles/ipareplica/library/ipareplica_setup_kra.py @@ -115,6 +115,7 @@ def main(): installer_ccache=dict(required=True), _ca_enabled=dict(required=False, type='bool'), _kra_enabled=dict(required=False, type='bool'), + _kra_host_name=dict(required=False), _dirsrv_pkcs12_info = dict(required=False), _http_pkcs12_info = dict(required=False), _pkinit_pkcs12_info = dict(required=False), 
@@ -176,6 +177,7 @@ def main(): installer._ccache = ansible_module.params.get('installer_ccache') ca_enabled = ansible_module.params.get('_ca_enabled') kra_enabled = ansible_module.params.get('_kra_enabled') + kra_host_name = ansible_module.params.get('_kra_host_name') dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info') http_pkcs12_info = ansible_module.params.get('_http_pkcs12_info') @@ -206,6 +208,8 @@ def main(): config = gen_ReplicaConfig() config.subject_base = options.subject_base config.promote = installer.promote + config.kra_enabled = kra_enabled + config.kra_host_name = kra_host_name remote_api = gen_remote_api(master_host_name, paths.ETC_IPA) installer._remote_api = remote_api diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml index 1bb89dcb..97cbd413 100644 --- a/roles/ipareplica/tasks/install.yml +++ b/roles/ipareplica/tasks/install.yml @@ -508,6 +508,8 @@ "{{ result_ipareplica_prepare.config_master_host_name }}" ccache: "{{ result_ipareplica_prepare.ccache }}" _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}" + _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}" + _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}" _ca_file: "{{ result_ipareplica_prepare._ca_file }}" _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" @@ -527,6 +529,8 @@ _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}" _ca_file: "{{ result_ipareplica_prepare._ca_file }}" _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" + _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}" + _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}" _subject_base: "{{ result_ipareplica_prepare._subject_base }}" _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" 
@@ -609,6 +613,7 @@ installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}" _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}" _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}" + _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}" _dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info }}" _http_pkcs12_info: "{{ result_ipareplica_prepare._http_pkcs12_info }}" _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}" @@ -653,6 +658,8 @@ ccache: "{{ result_ipareplica_prepare.ccache }}" _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}" _ca_file: "{{ result_ipareplica_prepare._ca_file }}" + _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}" + _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}" _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" dirman_password: "{{ ipareplica_dirman_password }}" @@ -733,6 +740,8 @@ hostname: "{{ result_ipareplica_test.hostname }}" hidden_replica: "{{ ipareplica_hidden_replica }}" ### server ### + ### replica ### + setup_kra: "{{ result_ipareplica_test.setup_kra }}" ### certificate system ### subject_base: "{{ result_ipareplica_prepare.subject_base }}" ### additional ### -- GitLab
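Review bot: The new `### replica ###` heading is inserted directly under `### server ###`, leaving that heading with no entries and making a reader guess which group `setup_kra` belongs to; either drop the now-empty heading or place `setup_kra` under an existing section such as `### certificate system ###`, where the other KRA-related parameters in this file already sit. The value itself comes from `result_ipareplica_test.setup_kra`, which matches the `required=True, type='bool'` spec added to ipareplica_enable_ipa.py in this commit, so no functional change is needed. The task's parameter list continues outside the hunk.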