diff --git a/.test_runner_config.yaml b/.test_runner_config.yaml
index e473d499d..b7896c307 100644
--- a/.test_runner_config.yaml
+++ b/.test_runner_config.yaml
@@ -47,8 +47,7 @@ steps:
 - dnf install -y ${container_working_dir}/dist/rpms/*.rpm --best --allowerasing
 install_server:
 - ipa-server-install -U --domain ${server_domain} --realm ${server_realm} -p ${server_password}
- -a ${server_password} --setup-dns --auto-forwarders
- - ipa-kra-install -p ${server_password}
+ -a ${server_password} --setup-dns --setup-kra --auto-forwarders
 lint:
 - PYTHON=/usr/bin/python2 make V=0 lint
 - PYTHON=/usr/bin/python3 make V=0 pylint
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index 362ce03d7..d63912c70 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -146,6 +146,12 @@ Name of the Kerberos KDC SSL certificate to install
 \fB\-\-skip\-schema\-check\fR
 Skip check for updated CA DS schema on the remote master
+.SS "SECRET MANAGEMENT OPTIONS"
+.TP
+\fB\-\-setup\-kra\fR
+Install and configure a KRA on this replica. If a KRA is not configured then
+vault operations will be forwarded to a master with a KRA installed.
+
 .SS "DNS OPTIONS"
 .TP
 \fB\-\-setup\-dns\fR
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 81663b08e..c48bdae74 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -134,6 +134,11 @@ The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs ar
 \fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
 Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
+.SS "SECRET MANAGEMENT OPTIONS"
+.TP
+\fB\-\-setup\-kra\fR
+Install and configure a KRA on this server.
+
 .SS "DNS OPTIONS"
 IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology.
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 65dfa21c9..5a079ee95 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -533,7 +533,6 @@ class ServerMasterInstall(ServerMasterInstallInterface):
 host_password = None
 keytab = None
 setup_ca = True
- setup_kra = False
 domain_name = knob(
 bases=ServerMasterInstallInterface.domain_name,
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 1e6aad922..1e67a1660 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -367,9 +367,9 @@ def install_check(installer):
 if not setup_ca and options.subject_base:
 raise ScriptError(
 "--subject-base cannot be used with CA-less installation")
-
- # first instance of KRA must be installed by ipa-kra-install
- options.setup_kra = False
+ if not setup_ca and options.setup_kra:
+ raise ScriptError(
+ "--setup-kra cannot be used with CA-less installation")
 print("======================================="
 "=======================================")
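Review bot: The new CA-less guard in the install.py hunk at -367 is now the only place that encodes the dependency of a KRA on the CA, and the removed comment (`# first instance of KRA must be installed by ipa-kra-install`) was the only explanation of the old restriction, so nothing tells a reader why the two options are tied together. A why-comment above the new check would close that gap, e.g. `# A KRA cannot exist without the IPA CA; reject the combination here rather than failing midway through install()`. Whether a two-step external-CA install, where the CA is not usable on the first pass, also needs to reject or defer `--setup-kra` is not visible in this hunk and worth confirming. install_check continues outside the hunk.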
@@ -384,6 +384,8 @@ def install_check(installer):
 print(" * Create and configure an instance of Directory Server")
 print(" * Create and configure a Kerberos Key Distribution Center (KDC)")
 print(" * Configure Apache (httpd)")
+ if options.setup_kra:
+ print(" * Configure KRA (dogtag) for secret management")
 if options.setup_dns:
 print(" * Configure DNS (bind)")
 if options.setup_adtrust:
@@ -598,6 +600,7 @@ def install_check(installer):
 if setup_ca:
 ca.install_check(False, None, options)
+
 if options.setup_kra:
 kra.install_check(api, None, options)
 if options.setup_dns:
@@ -802,7 +805,6 @@ def install(installer):
 if setup_ca:
 ca.install_step_1(False, None, options)
- kra.install(api, None, options)
 # The DS instance is created before the keytab, add the SSL cert we
 # generated
@@ -842,6 +844,9 @@ def install(installer):
 service.print_msg("Restarting the KDC")
 krb.restart()
+ if options.setup_kra:
+ kra.install(api, None, options)
+
 if options.setup_dns:
 dns.install(False, False, options)
 else:
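Review bot: The relocated `kra.install(api, None, options)` call after `krb.restart()` in the hunk at -842 is guarded only by `options.setup_kra`; that a CA is present rests entirely on install_check rejecting `--setup-kra` for CA-less installs much earlier, and nothing at the call site records that assumption. A comment such as `# A KRA requires the CA set up earlier in install(); install_check rejects --setup-kra on CA-less installs` would tie the two places together. The reason the call moved from the CA step (hunk at -802) to after the KDC restart is not stated in the diff, and a one-line comment on the ordering would spare the next reader a bisect. install() continues outside the hunk.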