[Freeipa-devel] New replica installation and topology - we need stable base

Martin Kosek mkosek at redhat.com
Wed May 27 14:59:03 UTC 2015


Hello all,

As FreeIPA 4.2 deadlines are approaching us slowly, there is a concern that not
all of the new replica install way (replication-package-less) based on Custodia
would be done and finished in time.

There will be certainly a lot of integration hurdles, in making sure that the
installed replica can ask for all needed secrets and that the server can
provide them and ensure proper encryption.

My question is - if we postpone new replica promotion way & Custodia, what is
needed to make FreeIPA 4.2 replica installation and topology management
GA-ready and finished?

This is the status of related functions, as I see it:

Domain Levels
- Done, committed
- Defaults to Level 1, i.e. Topology plugin powered infra enabled

Topology plugin
- We have the base plugin and its installation pushed
- There is a critical bug that needs to be solved - #5035
- API & UI is in the works (Petr Vobornik). We already committed the new server-*
commands used there. Overall, AFAIU the API should be mostly functionally complete
- Plugin is enabled during installation, but we still use the simple auth with
DM password during replica creation process. I think we planned to use GSSAPI,
no? Is anything else needed in the replica creation process, except fixing #5035?

Given this summary, if we forget about the Custodia parts for a moment, it
seems to me that the new Topology is almost functionally complete and we only
miss the management API. Is that correct, or do we miss some bigger piece?

I am for example not sure if the "IPA masters" hostgroup is needed for Topology
work without Custodia, I think Ludwig used some other group for authorization
purposes in Topology.

Thanks.

-- 
Martin Kosek <mkosek at redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.



