From b1ede44aed3c58a9c1abcb35a78e0fc15bfc37f6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 11 May 2021 13:26:00 -0400
Subject: [PATCH] Filter out the pki healthcheck sources if IPA CA is not
installed
The pki checks spew the error "Invalid PKI instance: pki-tomcat" so
we need to suppress them in the IPA CA-less installation case.
So if the IPA CA is not configured then don't register the
pki sources.
A side-effect is that to the user the sources will not be listed at
all in this case.
This should not affect pki-healthcheck and it will continue to
return errors in the unconfigured case.
https://github.com/freeipa/freeipa-healthcheck/issues/201
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/ipahealthcheck/core/core.py | 12 ++++++++++++
src/ipahealthcheck/ipa/plugin.py | 4 ++++
2 files changed, 16 insertions(+)
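diff --git a/src/ipahealthcheck/core/core.py b/src/ipahealthcheck/core/core.py
index eaa2d9c..d6b2357 100644
--- a/src/ipahealthcheck/core/core.py
+++ b/src/ipahealthcheck/core/core.py
@@ -281,6 +281,13 @@ class RunChecks:
 if rval is not None:
 return rval
 
+ # If we have IPA configured without a CA then we want to skip
+ # the pkihealthcheck plugins otherwise they will generated a
+ # lot of false positives. The IPA plugins are loaded first so
+ # which should set ca_configured in its registry to True or
+ # False. We will skip the pkihealthcheck plugins only if
+ # ca_configured is False which means that it was set by IPA.
+ ca_configured = None
 for name, registry in find_registries(self.entry_points).items():
 try:
 registry.initialize(framework, config, options)
@@ -292,6 +299,11 @@ class RunChecks:
 except Exception as e:
 logger.error("Unable to initialize %s: %s" % (name, e))
 continue
+ if hasattr(registry, 'ca_configured'):
+ ca_configured = registry.ca_configured
+ if 'pkihealthcheck' in name and ca_configured is False:
+ logger.debug('IPA CA is not configured, skipping %s', name)
+ continue
 for plugin in find_plugins(name, registry):
 plugins.append(plugin)
 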
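Review bot: The skip in the second hunk takes `ca_configured` from whichever registry last exposed that attribute, and it only works if that registry was visited before the pki ones; nothing in the loop enforces the ordering the comment relies on ("The IPA plugins are loaded first"). Because a wrong `False` removes every pkihealthcheck source from the run, the skip should be logged at a level operators normally see, e.g. `logger.info('IPA CA is not configured, skipping %s', name)`, so that a report with no CA checks can be explained. Note that `registry.initialize()` has already run for the pki registry by the time this `continue` is reached, so only plugin registration is suppressed. The new comment also has a typo (`will generated`) and a dangling "so which should set". The enclosing method starts and ends outside both hunks.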
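diff --git a/src/ipahealthcheck/ipa/plugin.py b/src/ipahealthcheck/ipa/plugin.py
index 67d93e5..54d1ed3 100644
--- a/src/ipahealthcheck/ipa/plugin.py
+++ b/src/ipahealthcheck/ipa/plugin.py
@@ -35,6 +35,7 @@ class IPARegistry(Registry):
 super(IPARegistry, self).__init__()
 self.trust_agent = False
 self.trust_controller = False
+ self.ca_configured = False
 
 def initialize(self, framework, config, options=None):
 super(IPARegistry, self).initialize(framework, config)
@@ -82,5 +83,8 @@ class IPARegistry(Registry):
 if role.get('status') == 'enabled':
 self.trust_controller = True
 
+ ca = cainstance.CAInstance(api.env.realm, host_name=api.env.host)
+ self.ca_configured = ca.is_configured()
+
 
 registry = IPARegistry()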
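Review bot: `self.ca_configured = False` in `__init__` makes "not yet determined" indistinguishable from "no CA", while core.py skips the pki sources on exactly `ca_configured is False` and its comment assumes that False "was set by IPA". If `initialize()` can return before the new `ca.is_configured()` lines run, the pki checks would be dropped without the CA state ever being queried; the body between the two hunks is not shown and indentation is lost on this page, so I cannot tell whether it can. Initialising with `self.ca_configured = None` keeps the skip tied to an actual answer from `is_configured()`. The hunk adds no import, so `cainstance` is presumably already imported in plugin.py, which is worth confirming.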
--
2.31.1