IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Enable LWCA monitor explicitly

Browse Source 
Currently LWCA is only supported in IPA since the key
replication depends on Custodia, so LWCA is not actually
supported in regular PKI installation. However, currently
the AuthorityMonitor is enabled by default and it executes
a persistent search to monitor LWCA replication so it is
wasting resources in non-IPA environment.

To reduce unnecessary resource consumption the LWCA monitor
will be disabled by default in PKI, so IPA will need to
enable it explicitly for new and existing installations.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Endi S. Dewata 2023-09-28 09:45:15 -05:00 committed by Florence Blanc-Renaud
parent a8a923033b
commit 5270d58a04
2 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
ipaserver/install/cainstance.py
View File

@ -435,6 +435,8 @@ class CAInstance(DogtagInstance):
configure_lightweight_ca_acls) configure_lightweight_ca_acls)
self.step("Ensure lightweight CAs container exists", self.step("Ensure lightweight CAs container exists",
ensure_lightweight_cas_container) ensure_lightweight_cas_container)
self.step("Enable lightweight CA monitor",
enable_lightweight_ca_monitor)
self.step( self.step(
"Ensuring backward compatibility", "Ensuring backward compatibility",
self.__dogtag10_migration) self.__dogtag10_migration)
@ -1783,6 +1785,28 @@ def ensure_lightweight_cas_container():
) )
def enable_lightweight_ca_monitor():
# Check LWCA monitor
value = directivesetter.get_directive(
paths.CA_CS_CFG_PATH,
'ca.authorityMonitor.enable',
separator='=')
if value == 'true':
return False # already enabled; restart not needed
# Enable LWCA monitor
directivesetter.set_directive(
paths.CA_CS_CFG_PATH,
'ca.authorityMonitor.enable',
'true',
quotes=False,
separator='=')
return True # restart needed
def minimum_acme_support(data=None): def minimum_acme_support(data=None):
""" """
ACME with global enable/disable is required. ACME with global enable/disable is required.

11
ipaserver/install/server/upgrade.py
View File

@ -482,6 +482,16 @@ def ca_ensure_lightweight_cas_container(ca):
return cainstance.ensure_lightweight_cas_container() return cainstance.ensure_lightweight_cas_container()
def ca_enable_lightweight_ca_monitor(ca):
logger.info('[Enabling LWCA monitor]')
if not ca.is_configured():
logger.info('CA is not configured')
return False
return cainstance.enable_lightweight_ca_monitor()
def ca_add_default_ocsp_uri(ca): def ca_add_default_ocsp_uri(ca):
logger.info('[Adding default OCSP URI configuration]') logger.info('[Adding default OCSP URI configuration]')
if not ca.is_configured(): if not ca.is_configured():
@ -1904,6 +1914,7 @@ def upgrade_configuration():
ca_configure_profiles_acl(ca), ca_configure_profiles_acl(ca),
ca_configure_lightweight_ca_acls(ca), ca_configure_lightweight_ca_acls(ca),
ca_ensure_lightweight_cas_container(ca), ca_ensure_lightweight_cas_container(ca),
ca_enable_lightweight_ca_monitor(ca),
ca_add_default_ocsp_uri(ca), ca_add_default_ocsp_uri(ca),
ca_disable_publish_cert(ca), ca_disable_publish_cert(ca),
]) ])