Refactor CA file handling in replica installer #6620
Conversation
tiran
force-pushed
the
issue9272-replica-cafile
branch
from
025d31d
to
9e34c69
Compare
tiran
added
ipa-4-9
Clean up and remove obsolete code from ipa-replica-install. For several versions replica installer first ensures that a host is an IPA client, then promotes the client to a replica. The client installer code sets up CA stores like IPA_CA_CRT already. Related: https://pagure.io/freeipa/issue/9272
tiran
force-pushed
the
issue9272-replica-cafile
branch
from
9e34c69
to
f34f14d
Compare
|
|
|
The change works for me. Is it important to backport this to ipa-4-9/10? |
|
I don't mind if you don't backport the change for now. It's a prerequisite for ticket 9272, but HMSIDM doesn't need the feature backported at the moment. I developed some hacks to work around the problem. |
tiran
added
ipa-next
|
@t-woerner are we ok merging this? |
|
@t-woerner double-checking, cool to merge to master branch? |
|
@rjeffman I just want to confirm that this won't break ansible-freeipa before merging. |
| @@ -132,24 +132,6 @@ def install_krb(config, setup_pkinit=False, pkcs12_info=None, fstore=None): | |||
| return krb | |||
|
|
|||
|
|
|||
| def install_ca_cert(ldap, base_dn, realm, cafile, destfile=paths.IPA_CA_CRT): | |||
There was a problem hiding this comment.
By removing this function ansible-freeipa replica install will not work anymore.
It is my understanding that ansible-freeipa deployment role should be updated, right?
There was a problem hiding this comment.
Yes, the removal of this function is needed for ansible-freeipa to be able to detect when ipa-certupdate needs to be used instead.
Remove parameter _ca_file from ipareplica modules as the parameter is not used. Related to: freeipa/freeipa#6620
The call `install_ca_cert()` is not needed anymore and is to be removed from FreeIPA (freeipa/freeipa#6620). This patch modifies ipareplica to remove its usage from ipareplica deployment role.
Yes, this is fine to be merged. |
The call `install_ca_cert()` is not needed anymore and is to be removed from FreeIPA (freeipa/freeipa#6620). This patch modifies ipareplica to remove its usage from ipareplica deployment role.
The call `install_ca_cert()` is not used in FreeIPA and is to be removed in the near future (freeipa/freeipa#6620). ipareplica can be modified to only use the function once it is available, otherwise, `ipa-certupdate` will be used during replica prepare.
Remove parameter _ca_file from ipareplica modules as the parameter is not used. Related to: freeipa/freeipa#6620
Remove parameter _ca_file from ipareplica modules as the parameter is not used. Related to: freeipa/freeipa#6620
The call `install_ca_cert()` is not used in FreeIPA and is to be removed in the near future (freeipa/freeipa#6620). ipareplica can be modified to only use the function once it is available, otherwise, `ipa-certupdate` will be used during replica prepare.
The call `install_ca_cert()` is not used in FreeIPA and is to be removed in the near future (freeipa/freeipa#6620). ipareplica can be modified to only use the function once it is available, otherwise, `ipa-certupdate` will be used during replica prepare.
Remove parameter _ca_file from ipareplica modules as the parameter is not used. Related to: freeipa/freeipa#6620
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
This change is fine to be merged, isn't it? I'm providing ACK. |
|
master:
|
|
@tiran I'm not 100% sure that this completely resolves the upstream ticket. If I'm wrong feel free to close it. |
The call `install_ca_cert()` is not used in FreeIPA and is to be removed in the near future (freeipa/freeipa#6620). ipareplica can be modified to only use the function once it is available, otherwise, `ipa-certupdate` will be used during replica prepare.
Clean up and remove obsolete code from ipa-replica-install. For several versions replica installer first ensures that a host is an IPA client, then promotes the client to a replica. The client installer code sets up CA stores like IPA_CA_CRT already.
Related: https://pagure.io/freeipa/issue/9272