Refactor CA file handling in replica installer. #1093
Hi Rafael, what should be done is to keep the old code for the IPA versions where install_ca_cert is available and used and only switch to ipa-certupdate when install_ca_cert does not exist anymore. The goal is to keep consistent behaviour to the command line installers as much as possible.
It will be needed to add a new variable to ipareplica_test to activate the old or new code path depending on the existence of Something like this would be good:
varunmylaraiah
left a comment
Downstream tests are passed with this PR
t-woerner
left a comment
ipa-certupdate should only be used for the new IPA versions without install_ca_cert to do exactly the same as the old and new IPA command line installers.
1057558 to 2869544
@t-woerner I updated the PR with the requested changes.
2869544 to b7e997b
The "_ca_file" removal patch has been moved to PR #1096, so we can decide what to do with it later.
b7e997b to eafaa90
This PR should only be merged after the FreeIPA PR freeipa/freeipa#6620 has been merged.
PR freeipa/freeipa#6620 has been merged. @t-woerner can we resume review/fix to merge this one?
| msg="CA cert file is not available! Please reinstall" | ||
| "the client and try again.") | ||
| else: | ||
| if is_ipa_client_configured(on_master=True): |
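Review bot: in the `msg=` argument the two adjacent string literals are joined with no space between them, so the error shown to the user reads "Please reinstallthe client and try again."; add a trailing space after "reinstall" or a leading space before "the client".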
is_ipa_client_configured could be None according to ansible_ipa_replica.py. When is is_ipa_client_configured defined in ipalib.facts?
There should be a check to make sure that it is not None before it is used this way.
The call `install_ca_cert()` is not used in FreeIPA and is to be removed in the near future (freeipa/freeipa#6620). ipareplica can be modified to only use the function once it is available, otherwise, `ipa-certupdate` will be used during replica prepare.
eafaa90 to 124f801
FreeIPA will refactor replica installer, and will remove function `ipaserver.install.server.replicainstall.install_ca_cert()` which is used by `ipareplica` role. As this change will be introduced in the next FreeIPA release, ansible-freeipa will not be able to deploy a replica if it is not updated.

The changes in FreeIPA can be found at freeipa/freeipa#6620

This PR brings these changes to `ipareplica` role.
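An added example (not code from this PR, ansible-freeipa or FreeIPA) of the version detection discussed in this thread: use `install_ca_cert()` when the installed FreeIPA still ships it, otherwise fall back to `ipa-certupdate`, and refuse to call `is_ipa_client_configured` when it could not be imported. The helper names and return strings are hypothetical; the module path and function name are the ones given in the PR description.

```python
import importlib

# Module path and function name as given in the PR description.
REPLICA_MODULE = "ipaserver.install.server.replicainstall"
LEGACY_FUNC = "install_ca_cert"


def find_legacy_install_ca_cert(module_name=REPLICA_MODULE):
    """Return install_ca_cert if the installed FreeIPA still has it, else None.

    Covers both cases: the module cannot be imported at all, or it imports
    but the function has been removed.
    """
    try:
        module = importlib.import_module(module_name)
    except ImportError:
        return None
    func = getattr(module, LEGACY_FUNC, None)
    return func if callable(func) else None


def choose_ca_cert_step(legacy_func, is_ipa_client_configured):
    """Pick the code path for the replica prepare step (hypothetical helper).

    Returns "install_ca_cert" when the old function exists, so behaviour
    matches the old command line installer. Otherwise returns
    "ipa-certupdate", but only after checking that the client check is a
    real callable: an import fallback may have set it to None.
    """
    if legacy_func is not None:
        return "install_ca_cert"
    if not callable(is_ipa_client_configured):
        raise RuntimeError(
            "is_ipa_client_configured is not available in this FreeIPA "
            "version; cannot use the ipa-certupdate code path")
    return "ipa-certupdate"


if __name__ == "__main__":
    # On a host without FreeIPA installed this prints None.
    print(find_legacy_install_ca_cert())
```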