ipareplica: Refactor CA file handling in replica deployment

The call `install_ca_cert()` is not used in FreeIPA and is to be removed in the near future (freeipa/freeipa#6620). ipareplica can be modified to only use the function once it is available, otherwise, `ipa-certupdate` will be used during replica prepare.
freeipa · May 16, 2023 · b7e997b · b7e997b
1 parent 8ec5b1f
commit b7e997b
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 7 deletions.
diff --git a/roles/ipareplica/library/ipareplica_install_ca_certs.py b/roles/ipareplica/library/ipareplica_install_ca_certs.py
@@ -297,6 +297,12 @@ def main():
  config.ca_host_name = config_ca_host_name
  config.ips = config_ips
 
+ if install_ca_cert is None:
+ ansible_module.exit_json(
+ changed=False,
+ config_master_host_name=config.master_host_name,
+ config_ca_host_name=config.ca_host_name)
+
  remote_api = gen_remote_api(config.master_host_name, paths.ETC_IPA)
  installer._remote_api = remote_api
 

diff --git a/roles/ipareplica/library/ipareplica_prepare.py b/roles/ipareplica/library/ipareplica_prepare.py
@@ -275,7 +275,8 @@
  check_domain_level_is_supported, errors, ScriptError, setup_logging,
  logger, check_dns_resolution, service, find_providing_server, ca, kra,
  dns, no_matching_interface_for_ip_address_warning, adtrust,
- constants, api, redirect_stdout, replica_conn_check, tasks
+ constants, api, redirect_stdout, replica_conn_check, tasks,
+ is_ipa_client_configured, install_ca_cert,
 )
 from ansible.module_utils import six
 
@@ -601,10 +602,20 @@ def main():
  ansible_log.debug("-- CA_CRT --")
 
  cafile = paths.IPA_CA_CRT
- if not os.path.isfile(cafile):
- ansible_module.fail_json(
- msg="CA cert file is not available! Please reinstall"
- "the client and try again.")
+ if install_ca_cert is not None:
+ if not os.path.isfile(cafile):
+ ansible_module.fail_json(
+ msg="CA cert file is not available! Please reinstall"
+ "the client and try again.")
+ else:
+ if is_ipa_client_configured(on_master=True):
+ # host was already an IPA client, refresh client cert stores to
+ # ensure we have up to date CA certs.
+ try:
+ ipautil.run([paths.IPA_CERTUPDATE])
+ except ipautil.CalledProcessError:
+ ansible_module.fail_json(
+ msg="ipa-certupdate failed to refresh certs.")
 
  ansible_log.debug("-- REMOTE_API --")
 

diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -49,7 +49,7 @@
  "dnsname", "kernel_keyring", "krbinstance", "getargspec",
  "adtrustinstance", "paths", "api", "dsinstance", "ipaldap", "Env",
  "ipautil", "installutils", "IPA_PYTHON_VERSION", "NUM_VERSION",
- "ReplicaConfig", "create_api"]
+ "ReplicaConfig", "create_api", "is_ipa_client_configured", ]
 
 import sys
 import logging
@@ -134,14 +134,24 @@ def getargspec(func):
  find_providing_servers, find_providing_server)
  from ipaserver.install.installutils import (
  ReplicaConfig, load_pkcs12)
+ try:
+ from ipalib.facts import is_ipa_client_configured
+ except ImportError:
+ is_ipa_client_configured = None
  try:
  from ipalib.facts import is_ipa_configured
  except ImportError:
  from ipaserver.install.installutils import is_ipa_configured
  from ipaserver.install.replication import (
  ReplicationManager, replica_conn_check)
+ try:
+ from ipaserver.install.server.replicainstall import (
+ install_ca_cert
+ )
+ except ImportError:
+ install_ca_cert = None
  from ipaserver.install.server.replicainstall import (
- make_pkcs12_info, install_replica_ds, install_krb, install_ca_cert,
+ make_pkcs12_info, install_replica_ds, install_krb,
  install_http, install_dns_records, create_ipa_conf, check_dirsrv,
  check_dns_resolution, configure_certmonger,
  remove_replica_info_dir,