vault: select a server with KRA for vault operations

This uses the same mechanism which is used for the CA.

https://fedorahosted.org/freeipa/ticket/5302

Reviewed-By: Martin Basti <mbasti@redhat.com>

ipalib/constants.py

@@ -167,9 +167,6 @@ DEFAULT_CONFIG = (
     ('ca_agent_install_port', None),
     ('ca_ee_install_port', None),
 
-    # KRA plugin
-    ('kra_host', FQDN),  # Set in Env._finalize_core()
-
     # Topology plugin
     ('recommended_max_agmts', 4),  # Recommended maximum number of replication
                                    # agreements

ipaserver/plugins/dogtag.py

@@ -1906,6 +1906,26 @@ class kra(Backend):
 
         super(kra, self).__init__(api)
 
+    @property
+    def kra_host(self):
+        """
+        :return:   host
+                   as str
+
+        Select our KRA host.
+        """
+        ldap2 = self.api.Backend.ldap2
+        if host_has_service(api.env.ca_host, ldap2, "KRA"):
+            return api.env.ca_host
+        if api.env.host != api.env.ca_host:
+            if host_has_service(api.env.host, ldap2, "KRA"):
+                return api.env.host
+        host = select_any_master(ldap2, "KRA")
+        if host:
+            return host
+        else:
+            return api.env.ca_host
+
     def get_client(self):
         """
         Returns an authenticated KRA client to access KRA services.
@@ -1925,7 +1945,7 @@ class kra(Backend):
         # https://fedorahosted.org/freeipa/ticket/4557
         connection = PKIConnection(
             'https',
-            api.env.kra_host,
+            self.kra_host,
             str(self.kra_port),
             'kra')