From 7db5d59de15ef479d984dd9f50fc986b472a28c7 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Tue, 5 Jul 2022 15:08:49 +0200
Subject: [PATCH] ipaserver,ipareplica: Add random_serial_numbers to options

With the support for Random Serial Numbers v3 in FreeIPA 4.10, the
attribute random_serial_numbers has been added to the installer options.

options._random_serial_numbers is generated by ca.install_check and
later used by ca.install in the _setup_ca module.

ca.install_check uses options.random_serial_numbers and generates
options._random_serial_numbers, which is later used by ca.install in
the _setup_ca module.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2103928
       https://bugzilla.redhat.com/show_bug.cgi?id=2103924
---
 roles/ipareplica/library/ipareplica_prepare.py  | 7 +++++++
 roles/ipareplica/library/ipareplica_setup_ca.py | 6 ++++++
 roles/ipareplica/tasks/install.yml              | 1 +
 roles/ipaserver/library/ipaserver_prepare.py    | 9 ++++++++-
 roles/ipaserver/library/ipaserver_setup_ca.py   | 6 ++++++
 roles/ipaserver/tasks/install.yml               | 2 ++
 6 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/roles/ipareplica/library/ipareplica_prepare.py b/roles/ipareplica/library/ipareplica_prepare.py
index a78629d2..a875d6d5 100644
--- a/roles/ipareplica/library/ipareplica_prepare.py
+++ b/roles/ipareplica/library/ipareplica_prepare.py
@@ -351,6 +351,12 @@ def main():
     options.server = ansible_module.params.get('server')
     options.skip_conncheck = ansible_module.params.get('skip_conncheck')
 
+    # random serial numbers are master_only, therefore setting to False
+    options.random_serial_numbers = False
+    # options._random_serial_numbers is generated by ca.install_check and
+    # later used by ca.install in the _setup_ca module.
+    options._random_serial_numbers = False
+
     # init #
 
     fstore = sysrestore.FileStore(paths.SYSRESTORE)
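Review bot: The comment on the first added line only explains `options.random_serial_numbers = False`; the `options._random_serial_numbers = False` that follows is documented as being generated by ca.install_check, so a reader cannot tell whether False is a placeholder or the effective value for the replica CA. The server-side module initialises the same attribute to None, so the two prepare modules use different sentinels for "not yet computed"; consider aligning them or stating the intent, e.g. `# placeholder; ca.install_check derives the effective value for the replica`. If ca.install_check does not assign it on the replica path, the replica CA would be set up with random serial numbers disabled irrespective of the master's CA configuration, which is worth confirming. main() starts and ends outside the hunk.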
@@ -838,6 +844,7 @@ def main():
         _http_ca_cert=http_ca_cert,
         _pkinit_pkcs12_info=pkinit_pkcs12_info,
         _pkinit_ca_cert=pkinit_ca_cert,
+        _random_serial_numbers=options._random_serial_numbers,
         no_dnssec_validation=options.no_dnssec_validation,
         config_setup_ca=config.setup_ca,
         config_master_host_name=config.master_host_name,
diff --git a/roles/ipareplica/library/ipareplica_setup_ca.py b/roles/ipareplica/library/ipareplica_setup_ca.py
index 18aedd3d..951bcbe2 100644
--- a/roles/ipareplica/library/ipareplica_setup_ca.py
+++ b/roles/ipareplica/library/ipareplica_setup_ca.py
@@ -85,6 +85,9 @@ options:
   _subject_base:
     description: The installer _subject_base setting
     required: no
+  _random_serial_numbers:
+    description: The installer _random_serial_numbers setting
+    required: yes
   dirman_password:
     description: Directory Manager (master) password
     required: no
@@ -144,6 +147,7 @@ def main():
             _top_dir=dict(required=True),
             _ca_subject=dict(required=True),
             _subject_base=dict(required=True),
+            _random_serial_numbers=dict(required=True),
             dirman_password=dict(required=True, no_log=True),
             config_setup_ca=dict(required=True, type='bool'),
             config_master_host_name=dict(required=True),
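Review bot: `_random_serial_numbers=dict(required=True)` declares no `type`, whereas the value it carries is a boolean (ipaserver_prepare.py declares `random_serial_numbers=dict(required=False, type='bool', default=False)`) and it arrives through a Jinja expression in install.yml, so a string such as "False" could be accepted as-is and would be truthy wherever `options._random_serial_numbers` is tested. Declaring the type lets Ansible coerce and validate it: `_random_serial_numbers=dict(required=True, type='bool'),`. The same applies to the identical line added in roles/ipaserver/library/ipaserver_setup_ca.py. main() starts and ends outside the hunk.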
@@ -190,6 +194,8 @@ def main():
     options._subject_base = ansible_module.params.get('_subject_base')
     if options._subject_base is not None:
         options._subject_base = DN(options._subject_base)
+    options._random_serial_numbers = ansible_module.params.get(
+        '_random_serial_numbers')
     dirman_password = ansible_module.params.get('dirman_password')
     config_setup_ca = ansible_module.params.get('config_setup_ca')
     config_master_host_name = ansible_module.params.get(
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index 695242d1..0a9d7e9d 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -557,6 +557,7 @@
       _subject_base: "{{ result_ipareplica_prepare._subject_base }}"
       _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}"
       _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
+      _random_serial_numbers: "{{ result_ipareplica_prepare._random_serial_numbers }}"
       dirman_password: "{{ ipareplica_dirman_password }}"
       config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
       config_master_host_name:
diff --git a/roles/ipaserver/library/ipaserver_prepare.py b/roles/ipaserver/library/ipaserver_prepare.py
index b9f1da2b..f7590be8 100644
--- a/roles/ipaserver/library/ipaserver_prepare.py
+++ b/roles/ipaserver/library/ipaserver_prepare.py
@@ -213,6 +213,8 @@ def main():
 
             # additional
             setup_ca=dict(required=False, type='bool', default=False),
+            random_serial_numbers=dict(required=False, type='bool',
+                                       default=False),
             _hostname_overridden=dict(required=False, type='bool',
                                       default=False),
         ),
@@ -225,9 +227,11 @@ def main():
 
     # initialize return values for flake ############################
 
-    # These are set by ca.install_check
+    # These are set by ca.install_check and need to be passed to ca.install
+    # in the _setup_ca module and also some others.
     options._subject_base = None
     options._ca_subject = None
+    options._random_serial_numbers = None
 
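Review bot: The rewritten comment ends with "and also some others", which leaves a reader without a way to find those consumers; the three attributes initialised here are returned by main() and consumed by the setup_ca module, and if other modules read them they should be named. A comment along the lines of `# Set by ca.install_check; returned to the playbook and passed on to the _setup_ca module (and any other module that reads them)` would be sufficient. main() starts and ends outside the hunk.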
     # set values ####################################################
 
@@ -277,6 +281,8 @@ def main():
     options.netbios_name = ansible_module.params.get('netbios_name')
     # additional
     options.setup_ca = ansible_module.params.get('setup_ca')
+    options.random_serial_numbers = ansible_module.params.get(
+        'random_serial_numbers')
     options._host_name_overridden = ansible_module.params.get(
         '_hostname_overridden')
     options.kasp_db_file = None
@@ -405,6 +411,7 @@ def main():
         _subject_base=options._subject_base,
         ca_subject=options.ca_subject,
         _ca_subject=options._ca_subject,
+        _random_serial_numbers=options._random_serial_numbers,
         # dns
         reverse_zones=options.reverse_zones,
         forward_policy=options.forward_policy,
diff --git a/roles/ipaserver/library/ipaserver_setup_ca.py b/roles/ipaserver/library/ipaserver_setup_ca.py
index fb185ac2..5863f4bc 100644
--- a/roles/ipaserver/library/ipaserver_setup_ca.py
+++ b/roles/ipaserver/library/ipaserver_setup_ca.py
@@ -132,6 +132,9 @@ options:
   ca_signing_algorithm:
     description: Signing algorithm of the IPA CA certificate
     required: yes
+  _random_serial_numbers:
+    description: The installer _random_serial_numbers setting
+    required: yes
   reverse_zones:
     description: The reverse DNS zones to use
     required: yes
@@ -204,6 +207,7 @@ def main():
             ca_subject=dict(required=False),
             _ca_subject=dict(required=False),
             ca_signing_algorithm=dict(required=False),
+            _random_serial_numbers=dict(required=True),
             # dns
             reverse_zones=dict(required=False, type='list', default=[]),
             no_reverse=dict(required=False, type='bool', default=False),
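Review bot: `_random_serial_numbers` is the only derived value in this group declared `required=True`; the neighbouring `ca_subject`, `_ca_subject` and `ca_signing_algorithm` are `required=False`, and the value comes from ipaserver_prepare.py where it is initialised to None and only populated by ca.install_check. If the setup_ca task can be reached with that None (for instance when the playbook does not guard it on setup_ca), Ansible reports a missing required argument instead of a clearer error from the CA setup itself. Mirroring the siblings with `_random_serial_numbers=dict(required=False),` and handling None explicitly where the value is read would make the failure mode deliberate. main() starts and ends outside the hunk.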
@@ -259,6 +263,8 @@ def main():
     options._ca_subject = ansible_module.params.get('_ca_subject')
     options.ca_signing_algorithm = ansible_module.params.get(
         'ca_signing_algorithm')
+    options._random_serial_numbers = ansible_module.params.get(
+        '_random_serial_numbers')
     # dns
     options.reverse_zones = ansible_module.params.get('reverse_zones')
     options.no_reverse = ansible_module.params.get('no_reverse')
diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml
index 8099a158..8bd808d4 100644
--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -191,6 +191,7 @@
       secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"
       ### additional ###
       setup_ca: "{{ result_ipaserver_test.setup_ca }}"
+      random_serial_numbers: no
       _hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}"
     register: result_ipaserver_prepare
 
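Review bot: `random_serial_numbers: no` is hard-wired, while every neighbouring setting in this task is fed from an `ipaserver_*` role variable, so a playbook has no way to enable random serial numbers even though the prepare module now accepts the option. If keeping the feature disabled is deliberate until the role supports it, a comment such as `# random serial numbers are not yet exposed as a role variable; kept disabled` would prevent the value from being mistaken for an oversight; otherwise a variable following the existing naming pattern (for example `ipaserver_random_serial_numbers`, with `default(false)`) would expose it.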
@@ -298,6 +299,7 @@
       _ca_subject: "{{ result_ipaserver_prepare._ca_subject }}"
       ca_signing_algorithm: "{{ ipaserver_ca_signing_algorithm |
                                 default(omit) }}"
+      _random_serial_numbers: "{{ result_ipaserver_prepare._random_serial_numbers }}"
       reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
       no_reverse: "{{ ipaserver_no_reverse }}"
       auto_forwarders: "{{ ipaserver_auto_forwarders }}"
-- 
GitLab