ipareplica: Use ipa-certupdate to update certs on replica install

rjeffman · rjeffman · commit 1057558ac15f · 2023-05-09T11:03:30.000-03:00
Use ipa-certupdate to update certificates when promoting a client to a
replica.
diff --git a/roles/ipareplica/library/ipareplica_prepare.py b/roles/ipareplica/library/ipareplica_prepare.py
@@ -275,7 +275,8 @@
     check_domain_level_is_supported, errors, ScriptError, setup_logging,
     logger, check_dns_resolution, service, find_providing_server, ca, kra,
     dns, no_matching_interface_for_ip_address_warning, adtrust,
-    constants, api, redirect_stdout, replica_conn_check, tasks
+    constants, api, redirect_stdout, replica_conn_check, tasks,
+    is_ipa_client_configured, install_ca_cert,
 )
 from ansible.module_utils import six
 
@@ -601,10 +602,20 @@ def main():
     ansible_log.debug("-- CA_CRT --")
 
     cafile = paths.IPA_CA_CRT
-    if not os.path.isfile(cafile):
-        ansible_module.fail_json(
-            msg="CA cert file is not available! Please reinstall"
-            "the client and try again.")
+    if install_ca_cert is not None:
+        if not os.path.isfile(cafile):
+            ansible_module.fail_json(
+                msg="CA cert file is not available! Please reinstall"
+                "the client and try again.")
+    else:
+        if is_ipa_client_configured(on_master=True):
+            # host was already an IPA client, refresh client cert stores to
+            # ensure we have up to date CA certs.
+            try:
+                ipautil.run([paths.IPA_CERTUPDATE])
+            except ipautil.CalledProcessError:
+                ansible_module.fail_json(
+                    msg="ipa-certupdate failed to refresh certs.")
 
     ansible_log.debug("-- REMOTE_API --")
 
diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -49,10 +49,11 @@
            "dnsname", "kernel_keyring", "krbinstance", "getargspec",
            "adtrustinstance", "paths", "api", "dsinstance", "ipaldap", "Env",
            "ipautil", "installutils", "IPA_PYTHON_VERSION", "NUM_VERSION",
-           "ReplicaConfig", "create_api"]
+           "ReplicaConfig", "create_api", "is_ipa_client_configured"]
 
 import sys
 import logging
+import os.path
 
 # Import getargspec from inspect or provide own getargspec for
 # Python 2 compatibility with Python 3.11+.
@@ -138,6 +139,19 @@ def getargspec(func):
             from ipalib.facts import is_ipa_configured
         except ImportError:
             from ipaserver.install.installutils import is_ipa_configured
+        try:
+            from ipalib.facts import is_ipa_client_configured
+        except ImportError:
+            def is_ipa_client_configured(_on_master=False):
+                return (
+                    os.path.isfile(paths.IPA_DEFAULT_CONF) and
+                    os.path.isfile(
+                        os.path.join(
+                            paths.IPA_CLIENT_SYSRESTORE,
+                            sysrestore.SYSRESTORE_STATEFILE
+                        )
+                    )
+                )
         from ipaserver.install.replication import (
             ReplicationManager, replica_conn_check)
         try:
