diff --git a/README-vault.md b/README-vault.md
index 3f5f989e9364bd30705835f4559d36f32357723e..545c343a595549ee6d264e7f771dc4bd2356a7c1 100644
--- a/README-vault.md
+++ b/README-vault.md
@@ -217,6 +217,7 @@ Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Currently only `client` is supported by this module, and use of `server` will raise a failure. | no
 `name` \| `cn` | The list of vault name strings. | yes
 `description` | The vault description string. | no
 `password` \| `vault_password` \| `ipavaultpassword` \| `old_password`| Vault password. | no
diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py
index 7af6c353e7c2bb29b8ce96a2d0619820e9a53e4e..abd5eddffd25ff0b4838bc957217bf02377e0242 100644
--- a/plugins/modules/ipavault.py
+++ b/plugins/modules/ipavault.py
@@ -443,6 +443,11 @@ def check_parameters( # pylint: disable=unused-argument
         password, password_file, public_key, public_key_file, private_key,
         private_key_file, vault_data, datafile_in, datafile_out, new_password,
         new_password_file):
+    if module.params_get("ipaapi_context") == "server":
+        module.fail_json(
+            msg="Context 'server' for ipavault not yet supported."
+        )
+
     invalid = []
     if state == "present":
         invalid = ['datafile_out']
@@ -718,7 +723,7 @@ def main():
     changed = False
     exit_args = {}
 
-    with ansible_module.ipa_connect(context='ansible-freeipa') as ccache_name:
+    with ansible_module.ipa_connect(context="client") as ccache_name:
         if ccache_name is not None:
             os.environ["KRB5CCNAME"] = ccache_name
 
diff --git a/tests/vault/env_cleanup.yml b/tests/vault/env_cleanup.yml
index 9b0d6f7e57fb5f1d691fecf1864db05815f6aff7..e545e791b190122833d8a4b4c1b1abe6a38b553b 100644
--- a/tests/vault/env_cleanup.yml
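Review bot: The new guard in check_parameters rejects only the literal value "server"; any other `ipaapi_context` value, including none, falls through, and the second ipavault.py hunk then calls `ipa_connect(context="client")` unconditionally, so the option is only ever used to refuse a request and never to select the context. That is presumably fine if the shared argument spec restricts the option to the two documented values, but nothing in this file shows that, and a reader of main() cannot tell why the user-supplied value is ignored there. I would add `# ipavault supports only the client context; "server" is rejected in check_parameters()` above the `ipa_connect` line, and a matching one-line comment above the new guard. check_parameters' signature starts before the first hunk and its body continues past it; main() likewise continues outside the second hunk, so whether the guard runs before or after the connection is established is not visible here.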
+++ b/tests/vault/env_cleanup.yml
@@ -26,6 +26,7 @@
 - name: Ensure test users do not exist.
   ipauser:
     ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
     name:
     - user01
     - user02
@@ -35,6 +36,7 @@
 - name: Ensure test groups do not exist.
   ipagroup:
     ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
     name: vaultgroup
     state: absent
 
diff --git a/tests/vault/env_setup.yml b/tests/vault/env_setup.yml
index 059caf5f7a95d6327a14be2777b7ca25f2ec12bb..4e2d40e84e8cea5cb3cb5e95bf724fd283ecfd7b 100644
--- a/tests/vault/env_setup.yml
+++ b/tests/vault/env_setup.yml
@@ -35,11 +35,13 @@
 - name: Ensure vaultgroup exists.
   ipagroup:
     ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
     name: vaultgroup
 
 - name: Ensure testing users exist.
   ipauser:
     ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
     users:
     - name: user01
       first: First
diff --git a/tests/vault/test_vault_client_context.yml b/tests/vault/test_vault_client_context.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2ebb410e9633aed52ac1dc22374daca7065b63dc
--- /dev/null
+++ b/tests/vault/test_vault_client_context.yml
@@ -0,0 +1,25 @@
+---
+- name: Test vault
+  hosts: ipaserver
+  become: no
+  # Need to gather facts for ansible_env.
+  gather_facts: yes
+
+  tasks:
+  - name: Setup testing environment.
+    import_tasks: env_setup.yml
+
+  # vault requires 'ipaapi_context: client', and uses this
+  # context by defoult, so we test only for the case where
+  # 'ipaapi_context: server' is explicitly set.
+  - name: Execute with server context.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: server
+      name: ThisShouldNotWork
+      vault_type: standard
+    register: result
+    failed_when: not (result.failed and result.msg is regex("Context 'server' for ipavault not yet supported."))
+
+  - name: Cleanup testing environment.
+    import_tasks: env_cleanup.yml
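Review bot: The new test_vault_client_context.yml only pins the rejection path; nothing exercises an explicit `ipaapi_context: client`, even though the comment above the task says the client context is what the module relies on, so a regression that broke the explicit value would go unnoticed. I would add a second ipavault task with `ipaapi_context: client` and a distinct vault name, expected to succeed, and remove it in the cleanup. The `failed_when` check matches a literal message with `regex(...)`, where the unescaped `.` is a wildcard; a plain substring test is clearer, e.g. `failed_when: not (result.failed and "Context 'server' for ipavault not yet supported." in result.msg)`. The comment on the same task also has a typo, `defoult` for `default`.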