Remove DL0 specific code from kra in ipaserver/install

The code to add missing KRA certificates has been removed from install_check as it was only reached if replica_config is not None and promote was False for DL0 replica installations. Also the other places. Promote is now hard set to True if replica_config is not None in install for later use in krainstance. See: https://pagure.io/freeipa/issue/7689 Signed-off-by: Thomas Woerner <twoerner@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-01-28 09:06:44 -06:00 · 2018-09-10 15:07:55 +02:00 · 2018-09-10 15:07:55 +02:00 · 71e19f11b4
commit 71e19f11b4
parent eaae9935f4
1 changed files with 10 additions and 36 deletions
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@ -9,13 +9,11 @@ KRA installer module
 from __future__ import absolute_import

 import os
-import shutil

 from ipalib import api
 from ipalib.install.kinit import kinit_keytab
 from ipaplatform import services
 from ipaplatform.paths import paths
-from ipapython import certdb
 from ipapython import ipautil
 from ipapython.install.core import group
 from ipaserver.install import cainstance
@ -52,22 +50,6 @@ def install_check(api, replica_config, options):
                "KRA is not installed on the master system. Please use "
                "'ipa-kra-install' command to install the first instance.")

-        if options.promote:
-            return
-
-        with certdb.NSSDatabase() as tmpdb:
-            tmpdb.create_db()
-            tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12",
-                                replica_config.dirman_password)
-            kra_cert_nicknames = [
-                "storageCert cert-pki-kra", "transportCert cert-pki-kra",
-                "auditSigningCert cert-pki-kra"
-            ]
-            if not all(tmpdb.has_nickname(nickname)
-                       for nickname in kra_cert_nicknames):
-                raise RuntimeError("Missing KRA certificates, please create a "
-                                   "new replica file.")
-

 def install(api, replica_config, options, custodia):
    if replica_config is None:
@ -85,23 +67,15 @@ def install(api, replica_config, options, custodia):
        if not replica_config.setup_kra:
            return
        krafile = os.path.join(replica_config.dir, 'kracert.p12')
-        if options.promote:
-            with ipautil.private_ccache():
-                ccache = os.environ['KRB5CCNAME']
-                kinit_keytab(
-                    'host/{env.host}@{env.realm}'.format(env=api.env),
-                    paths.KRB5_KEYTAB,
-                    ccache)
-                custodia.get_kra_keys(
-                    krafile,
-                    replica_config.dirman_password)
-        else:
-            cafile = os.path.join(replica_config.dir, 'cacert.p12')
-            if not os.path.isfile(cafile):
-                raise RuntimeError(
-                    "Unable to clone KRA."
-                    "  cacert.p12 file not found in replica file")
-            shutil.copy(cafile, krafile)
+        with ipautil.private_ccache():
+            ccache = os.environ['KRB5CCNAME']
+            kinit_keytab(
+                'host/{env.host}@{env.realm}'.format(env=api.env),
+                paths.KRB5_KEYTAB,
+                ccache)
+            custodia.get_kra_keys(
+                krafile,
+                replica_config.dirman_password)

        realm_name = replica_config.realm_name
        dm_password = replica_config.dirman_password
@ -110,7 +84,7 @@ def install(api, replica_config, options, custodia):

        pkcs12_info = (krafile,)
        master_host = replica_config.kra_host_name
-        promote = options.promote
+        promote = True

    kra = krainstance.KRAInstance(realm_name)
    kra.configure_instance(realm_name, host_name, dm_password, dm_password,