vault: select a server with KRA for vault operations

This uses the same mechanism which is used for the CA. https://fedorahosted.org/freeipa/ticket/5302 Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-09-30 09:05:33 +02:00 · 2015-09-30 09:05:33 +02:00 · 4b381b1503
commit 4b381b1503
parent b035a2a114
2 changed files with 21 additions and 4 deletions
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@ -167,9 +167,6 @@ DEFAULT_CONFIG = (
    ('ca_agent_install_port', None),
    ('ca_ee_install_port', None),

-    # KRA plugin
-    ('kra_host', FQDN),  # Set in Env._finalize_core()
-
    # Topology plugin
    ('recommended_max_agmts', 4),  # Recommended maximum number of replication
                                   # agreements
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@ -1906,6 +1906,26 @@ class kra(Backend):

        super(kra, self).__init__(api)

+    @property
+    def kra_host(self):
+        """
+        :return:   host
+                   as str
+
+        Select our KRA host.
+        """
+        ldap2 = self.api.Backend.ldap2
+        if host_has_service(api.env.ca_host, ldap2, "KRA"):
+            return api.env.ca_host
+        if api.env.host != api.env.ca_host:
+            if host_has_service(api.env.host, ldap2, "KRA"):
+                return api.env.host
+        host = select_any_master(ldap2, "KRA")
+        if host:
+            return host
+        else:
+            return api.env.ca_host
+
    def get_client(self):
        """
        Returns an authenticated KRA client to access KRA services.
@ -1925,7 +1945,7 @@ class kra(Backend):
        # https://fedorahosted.org/freeipa/ticket/4557
        connection = PKIConnection(
            'https',
-            api.env.kra_host,
+            self.kra_host,
            str(self.kra_port),
            'kra')