From 124f8011474615ed4495a3f6e42dfad9b452fbe7 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman
Date: Wed, 10 May 2023 17:55:25 -0300
Subject: [PATCH] ipareplica: Refactor CA file handling in replica deployment

The call `install_ca_cert()` is not used in FreeIPA and is to be removed in the near future (freeipa/freeipa#6620). ipareplica can be modified to only use the function once it is available, otherwise, `ipa-certupdate` will be used during replica prepare.
---
 .../library/ipareplica_install_ca_certs.py     |  6 +++++
 .../ipareplica/library/ipareplica_prepare.py   | 24 +++++++++++++++----
 .../module_utils/ansible_ipa_replica.py        | 14 +++++++++--
 3 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/roles/ipareplica/library/ipareplica_install_ca_certs.py b/roles/ipareplica/library/ipareplica_install_ca_certs.py
index b6d42d6a43..0204746746 100644
--- a/roles/ipareplica/library/ipareplica_install_ca_certs.py
+++ b/roles/ipareplica/library/ipareplica_install_ca_certs.py
@@ -297,6 +297,12 @@ def main():
     config.ca_host_name = config_ca_host_name
     config.ips = config_ips
 
+    if install_ca_cert is None:
+        ansible_module.exit_json(
+            changed=False,
+            config_master_host_name=config.master_host_name,
+            config_ca_host_name=config.ca_host_name)
+
     remote_api = gen_remote_api(config.master_host_name, paths.ETC_IPA)
     installer._remote_api = remote_api
 
diff --git a/roles/ipareplica/library/ipareplica_prepare.py b/roles/ipareplica/library/ipareplica_prepare.py
index 9ab59b2247..4df0d0882a 100644
--- a/roles/ipareplica/library/ipareplica_prepare.py
+++ b/roles/ipareplica/library/ipareplica_prepare.py
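Review bot: The early `ansible_module.exit_json(...)` added before `remote_api = gen_remote_api(...)` leaves no trace, in code or log, of why the whole CA-certificate install step is being skipped, and nothing in the hunk says which FreeIPA versions take this path. A reader of this module alone cannot tell that the certificates are refreshed elsewhere (by ipa-certupdate during replica prepare, per the commit message). Add a comment above the check such as `# install_ca_cert() is gone from newer FreeIPA (freeipa/freeipa#6620); CA certs are then refreshed by ipa-certupdate in ipareplica_prepare, so there is nothing to do here.` main() continues outside the hunk.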
@@ -275,7 +275,8 @@ check_domain_level_is_supported, errors, ScriptError, setup_logging, logger, check_dns_resolution, service, find_providing_server, ca, kra, dns, no_matching_interface_for_ip_address_warning, adtrust, - constants, api, redirect_stdout, replica_conn_check, tasks + constants, api, redirect_stdout, replica_conn_check, tasks, + is_ipa_client_configured, install_ca_cert, ) from ansible.module_utils import six @@ -601,10 +602,23 @@ def main(): ansible_log.debug("-- CA_CRT --") cafile = paths.IPA_CA_CRT - if not os.path.isfile(cafile): - ansible_module.fail_json( - msg="CA cert file is not available! Please reinstall" - "the client and try again.") + if install_ca_cert is not None: + if not os.path.isfile(cafile): + ansible_module.fail_json( + msg="CA cert file is not available! Please reinstall" + "the client and try again.") + else: + if ( + is_ipa_client_configured is not None + and is_ipa_client_configured(on_master=True) + ): + # host was already an IPA client, refresh client cert stores to + # ensure we have up to date CA certs. + try: + ipautil.run([paths.IPA_CERTUPDATE]) + except ipautil.CalledProcessError: + ansible_module.fail_json( + msg="ipa-certupdate failed to refresh certs.") ansible_log.debug("-- REMOTE_API --") diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py index fb16801030..054aed0eb4 100644 --- a/roles/ipareplica/module_utils/ansible_ipa_replica.py +++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py @@ -49,7 +49,7 @@ "dnsname", "kernel_keyring", "krbinstance", "getargspec", "adtrustinstance", "paths", "api", "dsinstance", "ipaldap", "Env", "ipautil", "installutils", "IPA_PYTHON_VERSION", "NUM_VERSION", - "ReplicaConfig", "create_api"] + "ReplicaConfig", "create_api", "is_ipa_client_configured", ] import sys import logging 
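Review bot: In the new `else:` branch of the CA_CRT section the `os.path.isfile(cafile)` check is no longer performed, so when `install_ca_cert` is None and the host is not a configured client (or `is_ipa_client_configured` failed to import) the module carries on with a possibly missing `paths.IPA_CA_CRT` instead of failing with the clear message, and the later steps that presumably rely on that CA file will fail less clearly. The existence check should run unconditionally after the optional ipa-certupdate refresh: drop the `else:` and dedent the `if not os.path.isfile(cafile):` block so it follows both paths. The message carried over into the new code is also missing a space between its two fragments: `msg="CA cert file is not available! Please reinstall "` / `"the client and try again."`. main() continues on both sides of this hunk.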
@@ -134,14 +134,24 @@ def getargspec(func):
         find_providing_servers, find_providing_server)
     from ipaserver.install.installutils import (
         ReplicaConfig, load_pkcs12)
+    try:
+        from ipalib.facts import is_ipa_client_configured
+    except ImportError:
+        is_ipa_client_configured = None
     try:
         from ipalib.facts import is_ipa_configured
     except ImportError:
         from ipaserver.install.installutils import is_ipa_configured
     from ipaserver.install.replication import (
         ReplicationManager, replica_conn_check)
+    try:
+        from ipaserver.install.server.replicainstall import (
+            install_ca_cert
+        )
+    except ImportError:
+        install_ca_cert = None
     from ipaserver.install.server.replicainstall import (
-        make_pkcs12_info, install_replica_ds, install_krb, install_ca_cert,
+        make_pkcs12_info, install_replica_ds, install_krb,
         install_http, install_dns_records, create_ipa_conf, check_dirsrv,
         check_dns_resolution, configure_certmonger, remove_replica_info_dir,
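Review bot: The two new `except ImportError:` fallbacks set `is_ipa_client_configured` and `install_ca_cert` to None without saying which FreeIPA versions lack the names or that None is a sentinel the callers test with `is not None`, while the neighbouring `is_ipa_configured` fallback uses a different strategy (importing the older implementation), so the difference reads as accidental. Add a comment to each, e.g. `# ipalib.facts.is_ipa_client_configured exists only in newer FreeIPA; None tells callers it is unavailable.` and `# install_ca_cert() is being removed from FreeIPA (freeipa/freeipa#6620); None makes callers fall back to ipa-certupdate.` The surrounding import block starts and ends outside the hunk.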