Load dogtag RA plugin in installers so profiles can be loaded

In order to call import_included_profiles the dogtag RA plugin needs to have been loaded. Modify the requirements to also allow the installer context along with the ra_plugin value. This lets us add missing profiles during a replica installation. This is needed for ACME when installing a new replica in a cluster of older servers that don't have support for ACME. https://pagure.io/freeipa/issue/8738 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Mohammad Rizwan <myusuf@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2025-02-25 18:55:28 -06:00 · 2021-04-23 18:09:46 -04:00 · 2021-04-23 18:09:46 -04:00 · b01547da79
commit b01547da79
parent 9ec73436bc
2 changed files with 17 additions and 4 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -477,12 +477,17 @@ class CAInstance(DogtagInstance):
                        self.step("exposing CA instance on LDAP",
                                  self.__expose_ca_in_ldap)

-                    self.step("migrating certificate profiles to LDAP",
-                              migrate_profiles_to_ldap)
                    self.step("importing IPA certificate profiles",
                              import_included_profiles)
+                    self.step("migrating certificate profiles to LDAP",
+                              migrate_profiles_to_ldap)
                    self.step("adding default CA ACL", ensure_default_caacl)
                    self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry)
+                else:
+                    # Re-import profiles in the promote case to pick up any
+                    # that will only be triggered by an upgrade.
+                    self.step("importing IPA certificate profiles",
+                              import_included_profiles)

                self.step("configuring certmonger renewal for lightweight CAs",
                          self.add_lightweight_ca_tracking_requests)
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@ -1100,9 +1100,17 @@ def parse_updateCRL_xml(doc):
 #-------------------------------------------------------------------------------

 from ipalib import Registry, errors, SkipPluginModule
-if api.isdone('finalize') and api.env.ra_plugin != 'dogtag':
+
+# We only load the dogtag RA plugin if it is necessary to do so.
+# This is legacy code from when multiple RA backends were supported.
+#
+# If the plugins are loaded by the server then load the RA backend.
+#
+if api.isdone("finalize") and not (
+    api.env.ra_plugin == 'dogtag' or api.env.context == 'installer'
+):
    # In this case, abort loading this plugin module...
-    raise SkipPluginModule(reason='dogtag not selected as RA plugin')
+    raise SkipPluginModule(reason='Not loading dogtag RA plugin')
 import os
 from ipaserver.plugins import rabase
 from ipalib.constants import TYPE_ERROR