|
 |
531784 |
From 62c14dbff5a947b50194df197de9f7052597ffb4 Mon Sep 17 00:00:00 2001
|
|
|
531784 |
From: Rob Crittenden <rcritten@redhat.com>
|
|
|
531784 |
Date: Thu, 17 Feb 2022 08:56:38 -0500
|
|
|
531784 |
Subject: [PATCH] Don't depend on IPA status when suppressing pki checks
|
|
|
531784 |
|
|
|
531784 |
The pki healthchecks are noisy if a CA is not configured. We
|
|
|
531784 |
want to suppresse these in IPA so don't make the checks visible
|
|
|
531784 |
if a CA is not configured.
|
|
|
531784 |
|
|
|
531784 |
So this means we need to be able to run in these conditions:
|
|
|
531784 |
|
|
|
531784 |
1. IPA is configured with a CA: the pki checks are run
|
|
|
531784 |
2. IPA is configured without a CA: the pki checks are not run
|
|
|
531784 |
3. IPA is not configured: the pki checks are run
|
|
|
531784 |
|
|
|
531784 |
Which basically equates to three states: True, False, None
|
|
|
531784 |
|
|
|
531784 |
This was done originally with the ca_configured variable set to
|
|
|
531784 |
None. Using some inside knowledge the registries are loaded which
|
|
|
531784 |
will set ca_configured to True or False in the IPA registry.
|
|
|
531784 |
Using that we can determine if the pki checks should be available.
|
|
|
531784 |
Unfortunately I changed the initialization to False so it always
|
|
|
531784 |
assumes that IPA is installed. ca_configured will be False for the
|
|
|
531784 |
case of IPA not installed instead of None so we can't handle that
|
|
|
531784 |
last state.
|
|
|
531784 |
|
|
|
531784 |
So initialize ca_configured to None so we can satisfy all three
|
|
|
531784 |
states.
|
|
|
531784 |
|
|
|
531784 |
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
531784 |
---
|
|
|
531784 |
src/ipahealthcheck/core/core.py | 22 ++++++++++++++++------
|
|
|
531784 |
1 file changed, 16 insertions(+), 6 deletions(-)
|
|
|
531784 |
|
|
|
531784 |
diff --git a/src/ipahealthcheck/core/core.py b/src/ipahealthcheck/core/core.py
|
|
|
531784 |
index a6b4fe8..19f7818 100644
|
|
|
531784 |
--- a/src/ipahealthcheck/core/core.py
|
|
|
531784 |
+++ b/src/ipahealthcheck/core/core.py
|
|
|
531784 |
@@ -281,13 +281,23 @@ class RunChecks:
|
|
|
531784 |
if rval is not None:
|
|
|
531784 |
return rval
|
|
|
531784 |
|
|
|
531784 |
+ # The pki checks are noisy if a CA is not configured so we
|
|
|
531784 |
+ # want to suppress that for IPA.
|
|
|
531784 |
+ #
|
|
|
531784 |
+ # There are 3 possible states:
|
|
|
531784 |
+ # 1. IPA is configured with a CA
|
|
|
531784 |
+ # 2. IPA is configured without a CA
|
|
|
531784 |
+ # 3. IPA is not configured
|
|
|
531784 |
+ #
|
|
|
531784 |
# If we have IPA configured without a CA then we want to skip
|
|
|
531784 |
- # the pkihealthcheck plugins otherwise they will generated a
|
|
|
531784 |
- # lot of false positives. The IPA plugins are loaded first so
|
|
|
531784 |
- # which should set ca_configured in its registry to True or
|
|
|
531784 |
- # False. We will skip the pkihealthcheck plugins only if
|
|
|
531784 |
- # ca_configured is False which means that it was set by IPA.
|
|
|
531784 |
- ca_configured = False
|
|
|
531784 |
+ # the pkihealthcheck plugins
|
|
|
531784 |
+ #
|
|
|
531784 |
+ # The IPA registry will set ca_configured in its registry to True
|
|
|
531784 |
+ # or False. We will skip the pkihealthcheck plugins only if
|
|
|
531784 |
+ # ca_configured is False which means that it was set by IPA. So
|
|
|
531784 |
+ # we initialize ca_configured to None so that the pki checks
|
|
|
531784 |
+ # will always be executed with pki-healthcheck.
|
|
|
531784 |
+ ca_configured = None
|
|
|
531784 |
for name, registry in find_registries(self.entry_points).items():
|
|
|
531784 |
try:
|
|
|
531784 |
registry.initialize(framework, config, options)
|
|
|
531784 |
--
|
|
|
531784 |
2.31.1
|
|
|
531784 |
|