60389f5 Handle multiple AJP adapters during upgrade

1 file Authored by cipherboy 2 years ago, Committed by frenaud 2 years ago,
    Handle multiple AJP adapters during upgrade
    
    In this patch, we ensure we upgrade all AJP adapters with the same
    secret value if any are missing. This ensures that both IPv4 and IPv6
    adapters have the same secret value, so whichever httpd connects to
    will be in sync. This is consistent with what Dogtag does when
    provisioning them.
    
    Notably missing from this patch is handling of multiple unrelated AJP
    adapters. In an IPA scenario (and default PKI scenario) this shouldn't
    be necessary. However, with external load balancing, this might happen.
    
    This patch benefits IPA in the scenario when:
    
     1. pkispawn runs on an older PKI version (pre-AJP secret, so ~8.2?)
     2. pki gets upgraded to 10.10.1 before IPA can provision a secret,
        resulting in split IPv4/IPv6 adapters -- this would only happen
        on a direct migration from 8.2 -> 8.4
     3. ipa upgrade script then runs to provision an AJP secret value for
        use with both Dogtag and IPA.
    
    Without this patch, only the first (IPv4) adapter would have a secret
    value provisioned in the above scenario.
    
    Signed-off-by: Alexander Scheel <ascheel@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>