ipareplica: Set all needed settings for kra

Some KRA settings have not been correct since the change to use a
single Custodia instance in the installer (freeipa 994f71ac8).

These modules have been adapted:

  ipareplica_custodia_import_dm_password
  ipareplica_enable_ipa
  ipareplica_setup_ca
  ipareplica_setup_custodia
  ipareplica_setup_kra
Thomas Woerner
2019-06-25 10:53:07 +02:00
parent 2092220634
commit 5d881a9bf3
7 changed files with 63 additions and 2 deletions


@@ -64,6 +64,12 @@ options:
_ca_file:
description:
required: yes
_kra_enabled:
description:
required: yes
_kra_host_name:
description:
required: yes
_dirsrv_pkcs12_info:
description:
required: yes
@@ -103,6 +109,8 @@ def main():
ccache=dict(required=True),
_ca_enabled=dict(required=False, type='bool'),
_ca_file=dict(required=False),
_kra_enabled=dict(required=False, type='bool'),
_kra_host_name=dict(required=False),
_dirsrv_pkcs12_info = dict(required=False),
_pkinit_pkcs12_info = dict(required=False),
_top_dir = dict(required=True),
@@ -135,6 +143,8 @@ def main():
#os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache')
#installer._ccache = ansible_module.params.get('installer_ccache')
ca_enabled = ansible_module.params.get('_ca_enabled')
kra_enabled = ansible_module.params.get('_kra_enabled')
kra_host_name = ansible_module.params.get('_kra_host_name')
dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info')
pkinit_pkcs12_info = ansible_module.params.get('_pkinit_pkcs12_info')
options._top_dir = ansible_module.params.get('_top_dir')
@@ -161,6 +171,8 @@ def main():
config.ca_host_name = config_ca_host_name
config.subject_base = options.subject_base
config.promote = installer.promote
config.kra_enabled = kra_enabled
config.kra_host_name = kra_host_name
remote_api = gen_remote_api(config.master_host_name, paths.ETC_IPA)
installer._remote_api = remote_api
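Review bot: The new `_kra_enabled` and `_kra_host_name` entries in the options documentation (first hunk of this section) have an empty `description:` and say `required: yes`, while the argument spec in the second hunk declares both with `required=False`. The documentation should match the spec, for example `description: The installer _kra_enabled setting` with `required: no`, and likewise for `_kra_host_name`. The same mismatch is in the options hunks `@@ -61,6 +61,12 @@` and the second `@@ -64,6 +64,12 @@` further down. The rest of `main()` lies outside the visible hunks.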


@@ -49,6 +49,9 @@ options:
setup_ca:
description: Configure a dogtag CA
required: yes
setup_kra:
description: Configure KRA
required: yes
config_master_host_name:
description: The master host name
required: yes
@@ -77,6 +80,7 @@ def main():
ccache=dict(required=True),
_top_dir = dict(required=True),
setup_ca=dict(required=True, type='bool'),
setup_kra=dict(required=True, type='bool'),
config_master_host_name=dict(required=True),
),
supports_check_mode = True,
@@ -100,6 +104,7 @@ def main():
os.environ['KRB5CCNAME'] = ccache
options._top_dir = ansible_module.params.get('_top_dir')
options.setup_ca = ansible_module.params.get('setup_ca')
options.setup_kra = ansible_module.params.get('setup_kra')
config_master_host_name = ansible_module.params.get('config_master_host_name')
# init #


@@ -728,6 +728,7 @@ def main():
config_setup_ca=config.setup_ca,
config_master_host_name=config.master_host_name,
config_ca_host_name=config.ca_host_name,
config_kra_host_name=config.kra_host_name,
config_ips=[ str(ip) for ip in config.ips ],
### ad trust ###
rid_base=options.rid_base,


@@ -61,6 +61,12 @@ options:
_ca_file:
description:
required: yes
_kra_enabled:
description:
required: yes
_kra_host_name:
description:
required: yes
_dirsrv_pkcs12_info:
description:
required: yes
@@ -118,6 +124,8 @@ def main():
ccache=dict(required=True),
_ca_enabled=dict(required=False, type='bool'),
_ca_file=dict(required=False),
_kra_enabled=dict(required=False, type='bool'),
_kra_host_name=dict(required=False),
_dirsrv_pkcs12_info = dict(required=False),
_pkinit_pkcs12_info = dict(required=False),
_top_dir = dict(required=True),
@@ -152,6 +160,8 @@ def main():
#os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache')
#installer._ccache = ansible_module.params.get('installer_ccache')
ca_enabled = ansible_module.params.get('_ca_enabled')
kra_enabled = ansible_module.params.get('_kra_enabled')
kra_host_name = ansible_module.params.get('_kra_host_name')
installer._dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info')
installer._pkinit_pkcs12_info = ansible_module.params.get('_pkinit_pkcs12_info')
options._top_dir = ansible_module.params.get('_top_dir')
@@ -190,6 +200,8 @@ def main():
config.ca_host_name = config_ca_host_name
config.ips = config_ips
config.promote = options.promote
config.kra_enabled = kra_enabled
config.kra_host_name = kra_host_name
remote_api = gen_remote_api(config.master_host_name, paths.ETC_IPA)
options._remote_api = remote_api
@@ -213,7 +225,10 @@ def main():
if not hasattr(custodiainstance, "get_custodia_instance"):
ca.install(False, config, options)
else:
if ca_enabled:
if kra_enabled:
# A KRA peer always provides a CA, too.
mode = custodiainstance.CustodiaModes.KRA_PEER
elif ca_enabled:
mode = custodiainstance.CustodiaModes.CA_PEER
else:
mode = custodiainstance.CustodiaModes.MASTER_PEER
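Review bot: The new `if kra_enabled:` branch selects `CustodiaModes.KRA_PEER` without checking that a KRA host was actually supplied: `_kra_enabled` and `_kra_host_name` are both `required=False` and are copied into `config` unchecked in the hunk above. The Custodia mode presumably decides which peer the key material is fetched from, so an inconsistent pair should stop the run rather than proceed; a guard such as `if kra_enabled and not kra_host_name: ansible_module.fail_json(msg="_kra_host_name is required when _kra_enabled is set")` before the `config.kra_host_name` assignment would do that. How `config.kra_host_name` is consumed is outside these hunks, so the exact failure without the guard is an assumption. The same applies to the identical branch in the next file section (`@@ -174,7 +186,10 @@`).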


@@ -64,6 +64,12 @@ options:
_ca_file:
description:
required: yes
_kra_enabled:
description:
required: yes
_kra_host_name:
description:
required: yes
_top_dir:
description:
required: yes
@@ -98,6 +104,8 @@ def main():
ccache=dict(required=True),
_ca_enabled=dict(required=False, type='bool'),
_ca_file=dict(required=False),
_kra_enabled=dict(required=False, type='bool'),
_kra_host_name=dict(required=False),
_dirsrv_pkcs12_info = dict(required=False),
_pkinit_pkcs12_info = dict(required=False),
_top_dir = dict(required=True),
@@ -127,6 +135,8 @@ def main():
#os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache')
#installer._ccache = ansible_module.params.get('installer_ccache')
ca_enabled = ansible_module.params.get('_ca_enabled')
kra_enabled = ansible_module.params.get('_kra_enabled')
kra_host_name = ansible_module.params.get('_kra_host_name')
dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info')
options._pkinit_pkcs12_info = ansible_module.params.get('_pkinit_pkcs12_info')
options._top_dir = ansible_module.params.get('_top_dir')
@@ -149,6 +159,8 @@ def main():
config = gen_ReplicaConfig()
config.dirman_password = dirman_password
config.promote = installer.promote
config.kra_enabled = kra_enabled
config.kra_host_name = kra_host_name
remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
#installer._remote_api = remote_api
@@ -174,7 +186,10 @@ def main():
ansible_log.debug("-- CUSTODIA CREATE_INSTANCE --")
custodia.create_instance()
else:
if ca_enabled:
if kra_enabled:
# A KRA peer always provides a CA, too.
mode = custodiainstance.CustodiaModes.KRA_PEER
elif ca_enabled:
mode = custodiainstance.CustodiaModes.CA_PEER
else:
mode = custodiainstance.CustodiaModes.MASTER_PEER


@@ -115,6 +115,7 @@ def main():
installer_ccache=dict(required=True),
_ca_enabled=dict(required=False, type='bool'),
_kra_enabled=dict(required=False, type='bool'),
_kra_host_name=dict(required=False),
_dirsrv_pkcs12_info = dict(required=False),
_http_pkcs12_info = dict(required=False),
_pkinit_pkcs12_info = dict(required=False),
@@ -176,6 +177,7 @@ def main():
installer._ccache = ansible_module.params.get('installer_ccache')
ca_enabled = ansible_module.params.get('_ca_enabled')
kra_enabled = ansible_module.params.get('_kra_enabled')
kra_host_name = ansible_module.params.get('_kra_host_name')
dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info')
http_pkcs12_info = ansible_module.params.get('_http_pkcs12_info')
@@ -206,6 +208,8 @@ def main():
config = gen_ReplicaConfig()
config.subject_base = options.subject_base
config.promote = installer.promote
config.kra_enabled = kra_enabled
config.kra_host_name = kra_host_name
remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
installer._remote_api = remote_api
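Review bot: `_kra_host_name` is added to the argument spec in the first hunk of this section, but no hunk here adds it to the module's options documentation, unlike the other modules touched by this commit. Unless the entry already exists outside the visible hunks, add one: `_kra_host_name:` with `description: The installer _kra_host_name setting` and `required: no`.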


@@ -508,6 +508,8 @@
"{{ result_ipareplica_prepare.config_master_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
_kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
_kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
_pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
@@ -527,6 +529,8 @@
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
_ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"
_kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
_kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"
_subject_base: "{{ result_ipareplica_prepare._subject_base }}"
_pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
@@ -609,6 +613,7 @@
installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
_kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
_kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"
_dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info }}"
_http_pkcs12_info: "{{ result_ipareplica_prepare._http_pkcs12_info }}"
_pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
@@ -653,6 +658,8 @@
ccache: "{{ result_ipareplica_prepare.ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
_kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
_kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"
_pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
dirman_password: "{{ ipareplica_dirman_password }}"
@@ -733,6 +740,8 @@
hostname: "{{ result_ipareplica_test.hostname }}"
hidden_replica: "{{ ipareplica_hidden_replica }}"
### server ###
### replica ###
setup_kra: "{{ result_ipareplica_test.setup_kra }}"
### certificate system ###
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###
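Review bot: `_kra_host_name` is filled from `result_ipareplica_prepare.config_kra_host_name` with a plain template in four tasks of this file, so when prepare returns no KRA host the modules receive whatever templating makes of the empty value (an empty string or the text `None`, depending on the Ansible version) instead of an absent parameter. Since the modules declare `_kra_host_name` as optional, `_kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name | default(omit, true) }}"` would leave the parameter unset in that case. Whether prepare can return an empty value is not visible in this section.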