KRA: add --setup-kra to ipa-server-install

This patch allows installing the KRA on the first IPA server in one step using
ipa-server-install

This option improves container installation, where ipa-server can be
installed with KRA using one call without the need to call docker exec.

Please note that the original `kra.install()` calls in
ipaserver/install/server/install.py were empty operations, as they did
nothing, so it is safe to move them out of the CA block.

https://pagure.io/freeipa/issue/6731

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Martin Basti 2017-03-02 17:08:59 +01:00 committed by David Kupka
parent ad3451067a
commit 4006cbbc02
5 changed files with 21 additions and 7 deletions


@ -47,8 +47,7 @@ steps:
- dnf install -y ${container_working_dir}/dist/rpms/*.rpm --best --allowerasing
install_server:
- ipa-server-install -U --domain ${server_domain} --realm ${server_realm} -p ${server_password}
-a ${server_password} --setup-dns --auto-forwarders
- ipa-kra-install -p ${server_password}
-a ${server_password} --setup-dns --setup-kra --auto-forwarders
lint:
- PYTHON=/usr/bin/python2 make V=0 lint
- PYTHON=/usr/bin/python3 make V=0 pylint
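Review bot: dropping the standalone `ipa-kra-install -p ${server_password}` step from `install_server` means the CI job no longer exercises adding a KRA to an already installed server, only the new `--setup-kra` path in `ipa-server-install`. Both code paths remain supported, so consider keeping a second job (or a later step) that still runs `ipa-kra-install` against a server installed without the option.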


@ -146,6 +146,12 @@ Name of the Kerberos KDC SSL certificate to install
\fB\-\-skip\-schema\-check\fR
Skip check for updated CA DS schema on the remote master
.SS "SECRET MANAGEMENT OPTIONS"
.TP
\fB\-\-setup\-kra\fR
Install and configure a KRA on this replica. If a KRA is not configured then
vault operations will be forwarded to a master with a KRA installed.
.SS "DNS OPTIONS"
.TP
\fB\-\-setup\-dns\fR
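Review bot: the new description explains what happens without a KRA (vault operations are forwarded to a master that has one) but not what the option needs in order to work. `ipa-server-install` rejects `--setup-kra` on a CA-less installation in this same commit; if the same restriction applies to replicas, state it here, e.g. "A CA must be installed on this replica", so users do not discover it from an error at install time.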


@ -134,6 +134,11 @@ The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs ar
\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
.SS "SECRET MANAGEMENT OPTIONS"
.TP
\fB\-\-setup\-kra\fR
Install and configure a KRA on this server.
.SS "DNS OPTIONS"
IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology.
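Review bot: "Install and configure a KRA on this server." omits the restriction that `install_check` enforces in this commit (`--setup-kra cannot be used with CA-less installation`). Document it in the option text, and consider reusing the replica page's sentence about vault operations being forwarded when no KRA is configured so the two man pages describe the option consistently.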


@ -533,7 +533,6 @@ class ServerMasterInstall(ServerMasterInstallInterface):
host_password = None
keytab = None
setup_ca = True
setup_kra = False
domain_name = knob(
bases=ServerMasterInstallInterface.domain_name,
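Review bot: removing the hard-coded `setup_kra = False` exposes whatever `setup_kra` knob `ServerMasterInstallInterface` declares, and nothing in this hunk shows that declaration. Verify that the knob's CLI name and help text match the `--setup-kra` entry added to the man page, and that it is not marked as replica-only, since that is now the only thing defining the option for `ipa-server-install`.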


@ -367,9 +367,9 @@ def install_check(installer):
if not setup_ca and options.subject_base:
raise ScriptError(
"--subject-base cannot be used with CA-less installation")
# first instance of KRA must be installed by ipa-kra-install
options.setup_kra = False
if not setup_ca and options.setup_kra:
raise ScriptError(
"--setup-kra cannot be used with CA-less installation")
print("======================================="
"=======================================")
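Review bot: the guard sits correctly beside the `--subject-base` CA-less check and uses the same `setup_ca` variable, but the deleted comment "first instance of KRA must be installed by ipa-kra-install" is not replaced by anything explaining the remaining restriction. Add a one-line comment above the new `raise ScriptError(...)` stating that a KRA requires the CA on this server, so the reason survives in the code and not only in the error string.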
@ -384,6 +384,8 @@ def install_check(installer):
print(" * Create and configure an instance of Directory Server")
print(" * Create and configure a Kerberos Key Distribution Center (KDC)")
print(" * Configure Apache (httpd)")
if options.setup_kra:
print(" * Configure KRA (dogtag) for secret management")
if options.setup_dns:
print(" * Configure DNS (bind)")
if options.setup_adtrust:
@ -598,6 +600,7 @@ def install_check(installer):
if setup_ca:
ca.install_check(False, None, options)
if options.setup_kra:
kra.install_check(api, None, options)
if options.setup_dns:
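Review bot: `ca.install_check(False, None, options)` takes a replica flag as its first argument while `kra.install_check(api, None, options)` takes the `api` object, so the two calls follow different conventions; confirm that `None` in the second position is what `kra.install_check` expects for a first master. The ordering is fine: with the new CA-less guard, `options.setup_kra` implies `setup_ca`, so `ca.install_check` has always run before the KRA check.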
@ -802,7 +805,6 @@ def install(installer):
if setup_ca:
ca.install_step_1(False, None, options)
kra.install(api, None, options)
# The DS instance is created before the keytab, add the SSL cert we
# generated
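Review bot: taking `kra.install(api, None, options)` out of the `setup_ca` block relies on `install_check` having rejected `--setup-kra` for CA-less installs, which holds. The case to double-check is `--external-ca`: `ca.install_step_1` is where the first of the two runs stops, so confirm that the relocated `kra.install` call later in `install()` is only reached on the second run, after the CA is fully configured, since the KRA depends on it.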
@ -842,6 +844,9 @@ def install(installer):
service.print_msg("Restarting the KDC")
krb.restart()
if options.setup_kra:
kra.install(api, None, options)
if options.setup_dns:
dns.install(False, False, options)
else:
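Review bot: installing the KRA after the KDC restart and before DNS matches the order printed in `install_check`, which is good. Worth verifying is the failure path: a `kra.install` error at this point leaves a server with DS, KDC, CA and httpd already configured, so make sure the installer's cleanup handles a partially configured KRA, or that the error message tells the user they can rerun the step with `ipa-kra-install`.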