From 7d43c861bbd9cffb2b9020c606a0287d1c3a788e Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Fri, 7 Jun 2019 17:45:16 +0200
Subject: [PATCH] ipaserver: Add support for pki_config_override

The addition is not only adding the config setting, but also fixing the
deployment without the setting, as functions and methods have been changed
for pki_config_override.

There is a new setting for the ipaserver role:

ipaserver_pki_config_override
---
 roles/ipaserver/README.md                      |  3 +++
 roles/ipaserver/library/ipaserver_setup_ca.py  |  3 +++
 roles/ipaserver/library/ipaserver_setup_kra.py |  3 +++
 roles/ipaserver/library/ipaserver_test.py      | 18 ++++++++++++++++--
 .../module_utils/ansible_ipa_server.py         |  4 ++++
 roles/ipaserver/tasks/install.yml              |  5 +++++
 6 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/roles/ipaserver/README.md b/roles/ipaserver/README.md
index c96e4636..79588ea5 100644
--- a/roles/ipaserver/README.md
+++ b/roles/ipaserver/README.md
@@ -129,6 +129,9 @@ Variables
 **ipaserver_no_host_dns** - Do not use DNS for hostname lookup during installation.
  (bool, optional)
               
+**ipaserver_pki_config_override** - Path to ini file with config overrides.
+ (string, optional)
+
 **ipaserver_no_dnssec_validation** - Disable DNSSEC validation on this server.
  (bool, optional)
  
diff --git a/roles/ipaserver/library/ipaserver_setup_ca.py b/roles/ipaserver/library/ipaserver_setup_ca.py
index 1ac0bea0..50ca0e3e 100644
--- a/roles/ipaserver/library/ipaserver_setup_ca.py
+++ b/roles/ipaserver/library/ipaserver_setup_ca.py
@@ -91,6 +91,7 @@ def main():
             realm=dict(required=True),
             hostname=dict(required=False),
             no_host_dns=dict(required=False, type='bool', default=False),
+            pki_config_override=dict(required=False),
             ### server ###
             setup_adtrust=dict(required=False, type='bool', default=False),
             setup_kra=dict(required=False, type='bool', default=False),
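Review bot: `pki_config_override` is declared without a `type` although the value is a path to a file on the managed host; declaring it as `pki_config_override=dict(required=False, type='path')` lets Ansible normalise it (`~` and environment variables expanded) identically for every caller, and the same applies to the identical declarations added in ipaserver_setup_kra.py and ipaserver_test.py. This matters because nothing in this module checks the path itself; the only validation added by the commit lives in ipaserver_test.py, so a playbook that invokes this module directly hands the raw string to the installer. main() starts and ends outside the hunk.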
@@ -136,6 +137,8 @@ def main():
     options.realm_name = ansible_module.params.get('realm')
     options.host_name = ansible_module.params.get('hostname')
     options.no_host_dns = ansible_module.params.get('no_host_dns')
+    options.pki_config_override = ansible_module.params.get(
+        'pki_config_override')
     ### server ###
     options.setup_adtrust = ansible_module.params.get('setup_adtrust')
     options.setup_kra = ansible_module.params.get('setup_kra')
diff --git a/roles/ipaserver/library/ipaserver_setup_kra.py b/roles/ipaserver/library/ipaserver_setup_kra.py
index c1776a16..fbfd1e1e 100644
--- a/roles/ipaserver/library/ipaserver_setup_kra.py
+++ b/roles/ipaserver/library/ipaserver_setup_kra.py
@@ -58,6 +58,7 @@ def main():
             setup_ca=dict(required=True, type='bool'),
             setup_kra=dict(required=True, type='bool'),
             realm=dict(required=True),
+            pki_config_override=dict(required=False),
         ),
     )
 
@@ -71,6 +72,8 @@ def main():
     options.setup_ca = ansible_module.params.get('setup_ca')
     options.setup_kra = ansible_module.params.get('setup_kra')
     options.realm_name = ansible_module.params.get('realm')
+    options.pki_config_override = ansible_module.params.get(
+        'pki_config_override')
     options.promote = False  # first master, no promotion
 
     # init ##########################################################
diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py
index 63856511..4b752407 100644
--- a/roles/ipaserver/library/ipaserver_test.py
+++ b/roles/ipaserver/library/ipaserver_test.py
@@ -66,6 +66,7 @@ def main():
             hostname=dict(required=False),
             ca_cert_files=dict(required=False, type='list', default=[]),
             no_host_dns=dict(required=False, type='bool', default=False),
+            pki_config_override=dict(required=False),
             ### server ###
             setup_adtrust=dict(required=False, type='bool', default=False),
             setup_kra=dict(required=False, type='bool', default=False),
@@ -134,13 +135,13 @@ def main():
     options.dm_password = ansible_module.params.get('dm_password')
     options.admin_password = ansible_module.params.get('password')
     options.master_password = ansible_module.params.get('master_password')
-    options.ip_addresses = ansible_module_get_parsed_ip_addresses(
-        ansible_module)
     options.domain_name = ansible_module.params.get('domain')
     options.realm_name = ansible_module.params.get('realm')
     options.host_name = ansible_module.params.get('hostname')
     options.ca_cert_files = ansible_module.params.get('ca_cert_files')
     options.no_host_dns = ansible_module.params.get('no_host_dns')
+    options.pki_config_override = ansible_module.params.get(
+        'pki_config_override')
     ### server ###
     options.setup_adtrust = ansible_module.params.get('setup_adtrust')
     options.setup_dns = ansible_module.params.get('setup_dns')
@@ -213,6 +214,19 @@ def main():
         #  options.setup_kra = False
         #  ansible_module.warn(msg="kra is not supported, disabling")
 
+    if options.pki_config_override is not None:
+        if PKIIniLoader is None:
+            ansible_module.warn("The use of pki_config_override is not "
+                                "supported for this IPA version")
+        else:
+            # From DogtagInstallInterface @pki_config_override.validator
+            try:
+                PKIIniLoader.verify_pki_config_override(
+                    options.pki_config_override)
+            except ValueError as e:
+                ansible_module.fail_json(
+                    msg="pki_config_override: %s" % str(e))
+
     # validation #############################################################
 
     if options.dm_password is None:
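Review bot: When `PKIIniLoader` is unavailable the new block only warns and the run continues, so an override file the operator explicitly asked for is silently not applied to the CA/KRA deployment; since such files carry deployment-relevant PKI settings, this is safer as a hard failure, e.g. replacing the `warn` call with `ansible_module.fail_json(msg="The use of pki_config_override is not supported for this IPA version")`. The `except ValueError` branch also assumes `verify_pki_config_override` wraps every problem (missing or unreadable file, ini parse errors) in `ValueError`; if an `OSError` or `configparser.Error` can escape on some supported IPA version, the module would end with a traceback instead of the intended message, which is worth confirming against the version range the role supports. main() begins and ends outside the hunk.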
diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py
index dfa26031..255a2336 100644
--- a/roles/ipaserver/module_utils/ansible_ipa_server.py
+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py
@@ -101,6 +101,10 @@ if NUM_VERSION >= 40500:
     from ipaserver.install.server.install import (
         check_dirsrv, validate_admin_password, validate_dm_password,
         write_cache)
+    try:
+        from ipaserver.install.dogtaginstance import PKIIniLoader
+    except ImportError:
+        PKIIniLoader = None
     try:
         from ipaserver.install.installutils import default_subject_base
     except ImportError:
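Review bot: The `PKIIniLoader = None` fallback is bound only inside the `if NUM_VERSION >= 40500:` branch, whose start and any `else` lie outside the hunk; if the other branch does not also bind the name, the `if PKIIniLoader is None` test in ipaserver_test.py raises `NameError` on those versions instead of producing the intended warning. Binding `PKIIniLoader = None` once before the version guard and overwriting it in the `try` keeps the `is None` check valid on every version. A one-line comment on the `try`, `# PKIIniLoader is only present in IPA releases that support pki_config_override`, would also record why the import is optional.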
diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml
index 7678166f..ccb823df 100644
--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -39,6 +39,7 @@
     hostname: "{{ ipaserver_hostname | default(ansible_fqdn) }}"
     ca_cert_files: "{{ ipaserver_ca_cert_files | default(omit) }}"
     no_host_dns: "{{ ipaserver_no_host_dns }}"
+    pki_config_override: "{{ ipaserver_pki_config_override | default(omit) }}"
     ### server ###
     setup_adtrust: "{{ ipaserver_setup_adtrust }}"
     setup_kra: "{{ ipaserver_setup_kra }}"
@@ -228,6 +229,8 @@
       realm: "{{ result_ipaserver_test.realm }}"
       hostname: "{{ result_ipaserver_test.hostname }}"
       no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
+      pki_config_override: "{{ ipaserver_pki_config_override |
+                               default(omit) }}"
       setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
       setup_kra: "{{ result_ipaserver_test.setup_kra }}"
       setup_dns: "{{ ipaserver_setup_dns }}"
@@ -294,6 +297,8 @@
       dm_password: "{{ ipadm_password }}"
       setup_kra: "{{ result_ipaserver_test.setup_kra }}"
       realm: "{{ result_ipaserver_test.realm }}"
+      pki_config_override: "{{ ipaserver_pki_config_override |
+                               default(omit) }}"
     when: result_ipaserver_test.setup_kra | bool
 
   - name: Install - Setup DNS
-- 
GitLab