Filter out the pki healthcheck sources if IPA CA is not installed

The pki checks spew the error "Invalid PKI instance: pki-tomcat" so we need to suppress them in the IPA CA-less installation case. So if the IPA CA is not configured then don't register the pki sources. A side-effect is that to user the sources will not be listed at all in this case. This should not affect pki-healthcheck and it will continue to return errors in the unconfigured case. freeipa#201 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten · May 19, 2021 · a48cc19 · a48cc19
1 parent 29f32f1
commit a48cc19
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/src/ipahealthcheck/core/core.py b/src/ipahealthcheck/core/core.py
@@ -265,6 +265,13 @@ def run_healthcheck(self):
         if rval is not None:
             return rval
 
+        # If we have IPA configured without a CA then we want to skip
+        # the pkihealthcheck plugins otherwise they will generated a
+        # lot of false positives. The IPA plugins are loaded first so
+        # which should set ca_configured in its registry to True or
+        # False. We will skip the pkihealthcheck plugins only if
+        # ca_configured is False which means that it was set by IPA.
+        ca_configured = None
         for name, registry in find_registries(self.entry_points).items():
             try:
                 registry.initialize(framework, config, options)
@@ -276,6 +283,11 @@ def run_healthcheck(self):
                 except Exception as e:
                     logger.error("Unable to initialize %s: %s", name, e)
                     continue
+            if hasattr(registry, 'ca_configured'):
+                ca_configured = registry.ca_configured
+            if 'pkihealthcheck' in name and ca_configured is False:
+                logger.debug('IPA CA is not configured, skipping %s', name)
+                continue
             for plugin in find_plugins(name, registry):
                 plugins.append(plugin)
 

diff --git a/src/ipahealthcheck/ipa/plugin.py b/src/ipahealthcheck/ipa/plugin.py
@@ -34,6 +34,7 @@ def __init__(self):
         super().__init__()
         self.trust_agent = False
         self.trust_controller = False
+        self.ca_configured = False
 
     def initialize(self, framework, config, options=None):
         super().initialize(framework, config)
@@ -85,5 +86,8 @@ def initialize(self, framework, config, options=None):
         if role.get('status') == 'enabled':
             self.trust_controller = True
 
+        ca = cainstance.CAInstance(api.env.realm, host_name=api.env.host)
+        self.ca_configured = ca.is_configured()
+
 
 registry = IPARegistry()