Refactor CA file handling in replica installer #6620
Clean up and remove obsolete code from ipa-replica-install. For several versions replica installer first ensures that a host is an IPA client, then promotes the client to a replica. The client installer code sets up CA stores like IPA_CA_CRT already. Related: https://pagure.io/freeipa/issue/9272
The change works for me. Is it important to backport this to ipa-4-9/10?
I don't mind if you don't backport the change for now. It's a prerequisite for ticket 9272, but HMSIDM doesn't need the feature backported at the moment. I developed some hacks to work around the problem.
@t-woerner are we ok merging this?
@t-woerner double-checking, cool to merge to master branch?
@rjeffman I just want to confirm that this won't break ansible-freeipa before merging.
@@ -132,24 +132,6 @@ def install_krb(config, setup_pkinit=False, pkcs12_info=None, fstore=None): | |||
return krb | |||
|
|||
|
|||
def install_ca_cert(ldap, base_dn, realm, cafile, destfile=paths.IPA_CA_CRT): |
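Review bot: At `def install_ca_cert(ldap, base_dn, realm, cafile, destfile=paths.IPA_CA_CRT)`, the name has no leading underscore and sits at module level, so code outside this file can import it, and the hunk header (`-132,24 +132,6`) drops 18 lines here without leaving a deprecation stub. Search the tree and known downstream consumers for `install_ca_cert` before merging, and name the removed function in the commit message so callers that depend on it can guard the import and fall back to another way of populating `paths.IPA_CA_CRT`.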
By removing this function ansible-freeipa replica install will not work anymore.
It is my understanding that ansible-freeipa deployment role should be updated, right?
Yes, the removal of this function is needed for ansible-freeipa to be able to detect when ipa-certupdate needs to be used instead.
Remove parameter _ca_file from ipareplica modules as the parameter is not used. Related to: freeipa/freeipa#6620
The call `install_ca_cert()` is not needed anymore and is to be removed from FreeIPA (freeipa/freeipa#6620). This patch modifies ipareplica to remove its usage from ipareplica deployment role.
Yes, this is fine to be merged.
The call `install_ca_cert()` is not used in FreeIPA and is to be removed in the near future (freeipa/freeipa#6620). ipareplica can be modified to only use the function once it is available, otherwise, `ipa-certupdate` will be used during replica prepare.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This change is fine to be merged, isn't it? I'm providing ACK.
master:
@tiran I'm not 100% sure that this completely resolves the upstream ticket. If I'm wrong feel free to close it.