From: David Galloway <dgallowa@redhat.com>
Date: Thu, 14 Jul 2022 18:53:06 +0000 (-0400)
Subject: common: Remove, clean up, and reinstall Satellite CA cert
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=884acf23c2909fdb9d97690c9e3bbd689125eb99;p=ceph-cm-ansible.git

common: Remove, clean up, and reinstall Satellite CA cert

This reverts commit ed59d0bb3f6470ecf62fc6af19663d0f674dd84e.

This was originally added because if one upgrades the Satellite server, the katello-ca-consumer-latest RPM actually gets an incremented version number and conflicts with an already installed katello-ca RPM.  `rpm --reinstall` was not sufficient to "upgrade" the package.

We won't ever be upgrading the Satellite server again and the proper way to "reinstall" the Satellite's CA Cert is to remove it, subscription-manager clean, then reinstall as per https://access.redhat.com/solutions/3336921.

Signed-off-by: David Galloway <dgallowa@redhat.com>
---

diff --git a/roles/common/tasks/rhel-entitlements.yml b/roles/common/tasks/rhel-entitlements.yml
index 1989a481..eeda6674 100644
--- a/roles/common/tasks/rhel-entitlements.yml
+++ b/roles/common/tasks/rhel-entitlements.yml
@@ -18,16 +18,27 @@
   set_fact:
     have_entitlements: "{{ subscription_manager_org != '' and subscription_manager_activationkey != ''}}"
 
-- name: Download CA Cert from Satellite Server
-  get_url:
-    url: "{{ satellite_cert_rpm }}"
-    dest: /tmp/katello-ca-consumer-latest.noarch.rpm
+- name: Find existing CA Cert RPMs
+  command: rpm -qa katello-ca-consumer*
+  register: existing_satellite_cert
+  when: use_satellite == true
+
+- name: Uninstall previous CA Certs from Satellite Servers
+  command: rpm -e "{{ existing_satellite_cert.stdout }}"
+  when:
+    - use_satellite == true
+    - existing_satellite_cert.stdout|length>0
+
+- name: Subscription-manager clean
+  command: subscription-manager clean
   when: use_satellite == true
 
 - name: Install CA Cert from Satellite Server
-  command: rpm --reinstall -Uvh /tmp/katello-ca-consumer-latest.noarch.rpm
-  register: sat_rpm_install
-  failed_when: sat_rpm_install.rc != 0 and "is already installed" not in sat_rpm_install.stderr
+  yum:
+    name: "{{ satellite_cert_rpm }}"
+    state: present
+    validate_certs: no
+    disable_gpg_check: yes
   when: use_satellite == true
 
 # set the releasever cause without it rhel-7-server-rpms repo fails on rhel7.9 machines