ipareplica: Refactor CA file handling

replicainstall.install_ca_cert has been removed, paths.IPA_CERTUPDATE is called instead if the client was configured before deploying with iparepica role. FreeIPA commit 8f25b2a74a587548976f3d29f0b69d566d70125d Refactor CA file handling in replica installer Clean up and remove obsolete code from ipa-replica-install. For several versions replica installer first ensures that a host is an IPA client, then promotes the client to a replica. The client installer code sets up CA stores like IPA_CA_CRT already.
2026-03-26 21:33:05 +00:00 · 2024-06-20 15:08:02 +02:00
parent 127d758100
commit 07d91e02d1
4 changed files with 33 additions and 8 deletions
--- a/roles/ipareplica/library/ipareplica_prepare.py
+++ b/roles/ipareplica/library/ipareplica_prepare.py
@@ -250,6 +250,10 @@ options:
    type: bool
    default: no
    required: no
+  client_configured:
+    description: Was client configured already
+    type: bool
+    required: yes
 author:
    - Thomas Woerner (@t-woerner)
 '''
@@ -275,7 +279,8 @@ from ansible.module_utils.ansible_ipa_replica import (
    check_domain_level_is_supported, errors, ScriptError, setup_logging,
    logger, check_dns_resolution, service, find_providing_server, ca, kra,
    dns, no_matching_interface_for_ip_address_warning, adtrust,
-    constants, api, redirect_stdout, replica_conn_check, tasks
+    constants, api, redirect_stdout, replica_conn_check, tasks,
+    install_ca_cert
 )
 from ansible.module_utils import six

@@ -353,6 +358,7 @@ def main():
            skip_conncheck=dict(required=False, type='bool'),
            sid_generation_always=dict(required=False, type='bool',
                                       default=False),
+            ipa_client_installed=dict(required=True, type='bool'),
        ),
        supports_check_mode=False,
    )
@@ -436,6 +442,7 @@ def main():
    # options._random_serial_numbers is generated by ca.install_check and
    # later used by ca.install in the _setup_ca module.
    options._random_serial_numbers = False
+    ipa_client_installed = ansible_module.params.get('ipa_client_installed')

    # init #

@@ -601,10 +608,20 @@ def main():
    ansible_log.debug("-- CA_CRT --")

    cafile = paths.IPA_CA_CRT
-    if not os.path.isfile(cafile):
-        ansible_module.fail_json(
-            msg="CA cert file is not available! Please reinstall"
-            "the client and try again.")
+    if install_ca_cert is not None:
+        if not os.path.isfile(cafile):
+            ansible_module.fail_json(
+                msg="CA cert file is not available! Please reinstall"
+                "the client and try again.")
+    else:
+        if ipa_client_installed:
+            # host was already an IPA client, refresh client cert stores to
+            # ensure we have up to date CA certs.
+            try:
+                ipautil.run([paths.IPA_CERTUPDATE])
+            except ipautil.CalledProcessError:
+                ansible_module.fail_json(
+                    msg="ipa-certupdate failed to refresh certs.")

    ansible_log.debug("-- REMOTE_API --")

--- a/roles/ipareplica/library/ipareplica_test.py
+++ b/roles/ipareplica/library/ipareplica_test.py
@@ -191,7 +191,7 @@ from ansible.module_utils.ansible_ipa_replica import (
    paths, sysrestore, ansible_module_get_parsed_ip_addresses, service,
    redirect_stdout, create_ipa_conf, ipautil,
    x509, validate_domain_name, common_check,
-    IPA_PYTHON_VERSION, getargspec, adtrustinstance
+    IPA_PYTHON_VERSION, getargspec, adtrustinstance, install_ca_cert
 )


@@ -542,7 +542,8 @@ def main():
        # additional
        client_enrolled=client_enrolled,
        change_master_for_certmonger=change_master_for_certmonger,
-        sid_generation_always=sid_generation_always
+        sid_generation_always=sid_generation_always,
+        install_ca_certs=install_ca_cert is not None
    )


--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -144,7 +144,7 @@ try:
        from ipaserver.install.replication import (
            ReplicationManager, replica_conn_check)
        from ipaserver.install.server.replicainstall import (
-            make_pkcs12_info, install_replica_ds, install_krb, install_ca_cert,
+            make_pkcs12_info, install_replica_ds, install_krb,
            install_http, install_dns_records, create_ipa_conf, check_dirsrv,
            check_dns_resolution, configure_certmonger,
            remove_replica_info_dir,
@@ -157,6 +157,11 @@ try:
            # ensure_enrolled,
            promotion_check_ipa_domain
        )
+        try:
+            from ipaserver.install.server.replicainstall import \
+                install_ca_cert
+        except ImportError:
+            install_ca_cert = None
        import SSSDConfig
        from subprocess import CalledProcessError

--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -209,6 +209,7 @@
      server: "{{ result_ipareplica_test.server }}"
      skip_conncheck: "{{ ipareplica_skip_conncheck }}"
      sid_generation_always: "{{ result_ipareplica_test.sid_generation_always }}"
+      ipa_client_installed: "{{ result_ipareplica_test.client_enrolled }}"
    register: result_ipareplica_prepare

  - name: Install - Add to ipaservers
@@ -276,6 +277,7 @@
      config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
      config_ips: "{{ result_ipareplica_prepare.config_ips }}"
    register: result_ipareplica_install_ca_certs
+    when: result_ipareplica_test.install_ca_certs

  - name: Install - Setup DS
    ipareplica_setup_ds: