replica install: merge KRA agent cert export into KRA install

Merge all KRA agent cert export code paths into a single code path in KRA
install.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

ipaserver/install/cainstance.py

@@ -66,10 +66,7 @@ from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
 from ipaserver.install import replication
 from ipaserver.install import sysupgrade
-# pylint: disable=unused-import
-from ipaserver.install.dogtaginstance import (export_kra_agent_pem,
-                                              DogtagInstance)
-# pylint: enable=unused-import
+from ipaserver.install.dogtaginstance import DogtagInstance
 from ipaserver.plugins import ldap2
 
 # We need to reset the template because the CA uses the regular boot

ipaserver/install/ipa_kra_install.py

@@ -203,6 +203,8 @@ class KRAInstaller(KRAInstall):
                     self.options)
                 config.kra_host_name = config.master_host_name
 
+            config.setup_kra = True
+
             if config.subject_base is None:
                 attrs = api.Backend.ldap2.get_ipa_config()
                 config.subject_base = attrs.get('ipacertificatesubjectbase')[0]

ipaserver/install/kra.py

@@ -19,6 +19,9 @@ from ipaserver.install import service
 
 
 def install_check(api, replica_config, options):
+    if replica_config is not None and not replica_config.setup_kra:
+        return
+
     kra = krainstance.KRAInstance(api.env.realm)
     if kra.is_installed():
         raise RuntimeError("KRA is already installed.")
@@ -68,6 +71,7 @@ def install(api, replica_config, options):
 
         pkcs12_info = None
         master_host = None
+        ra_only = False
         promote = False
     else:
         krafile = os.path.join(replica_config.dir, 'kracert.p12')
@@ -94,6 +98,7 @@ def install(api, replica_config, options):
 
         pkcs12_info = (krafile,)
         master_host = replica_config.kra_host_name
+        ra_only = not replica_config.setup_kra
         promote = options.promote
 
     kra = krainstance.KRAInstance(realm_name)
@@ -101,16 +106,18 @@ def install(api, replica_config, options):
                            subject_base=subject_base,
                            pkcs12_info=pkcs12_info,
                            master_host=master_host,
+                           ra_only=ra_only,
                            promote=promote)
 
     service.print_msg("Restarting the directory server")
     ds = dsinstance.DsInstance()
     ds.restart()
 
-    kra.enable_client_auth_to_db(paths.KRA_CS_CFG_PATH)
+    if not ra_only:
+        kra.enable_client_auth_to_db(paths.KRA_CS_CFG_PATH)
 
-    # Restart apache for new proxy config file
-    services.knownservices.httpd.restart(capture_output=True)
+        # Restart apache for new proxy config file
+        services.knownservices.httpd.restart(capture_output=True)
 
 
 def uninstall(standalone):

ipaserver/install/krainstance.py

@@ -79,7 +79,7 @@ class KRAInstance(DogtagInstance):
 
     def configure_instance(self, realm_name, host_name, dm_password,
                            admin_password, pkcs12_info=None, master_host=None,
-                           subject_base=None, promote=False):
+                           subject_base=None, ra_only=False, promote=False):
         """Create a KRA instance.
 
            To create a clone, pass in pkcs12_info.
@@ -99,35 +99,38 @@ class KRAInstance(DogtagInstance):
         self.realm = realm_name
         self.suffix = ipautil.realm_to_suffix(realm_name)
 
-        # Confirm that a KRA does not already exist
-        if self.is_installed():
-            raise RuntimeError(
-                "KRA already installed.")
-        # Confirm that a Dogtag 10 CA instance already exists
-        ca = cainstance.CAInstance(self.realm, certs.NSS_DIR)
-        if not ca.is_installed():
-            raise RuntimeError(
-                "KRA configuration failed.  "
-                "A Dogtag CA must be installed first")
+        if not ra_only:
+            # Confirm that a KRA does not already exist
+            if self.is_installed():
+                raise RuntimeError(
+                    "KRA already installed.")
+            # Confirm that a Dogtag 10 CA instance already exists
+            ca = cainstance.CAInstance(self.realm, certs.NSS_DIR)
+            if not ca.is_installed():
+                raise RuntimeError(
+                    "KRA configuration failed.  "
+                    "A Dogtag CA must be installed first")
 
-        if promote:
-            self.step("creating installation admin user", self.setup_admin)
-        self.step("configuring KRA instance", self.__spawn_instance)
-        if not self.clone:
-            self.step("create KRA agent",
-                      self.__create_kra_agent)
-        if promote:
-            self.step("destroying installation admin user", self.teardown_admin)
-        self.step("restarting KRA", self.restart_instance)
-        self.step("configure certmonger for renewals",
-                  self.configure_certmonger_renewal)
-        self.step("configure certificate renewals", self.configure_renewal)
-        self.step("configure HTTP to proxy connections",
-                  self.http_proxy)
-        self.step("add vault container", self.__add_vault_container)
-        self.step("apply LDAP updates", self.__apply_updates)
+            if promote:
+                self.step("creating installation admin user", self.setup_admin)
+            self.step("configuring KRA instance", self.__spawn_instance)
+            if not self.clone:
+                self.step("create KRA agent",
+                          self.__create_kra_agent)
+        self.step("exporting KRA agent cert", export_kra_agent_pem)
+        if not ra_only:
+            if promote:
+                self.step("destroying installation admin user", self.teardown_admin)
+            self.step("restarting KRA", self.restart_instance)
+            self.step("configure certmonger for renewals",
+                      self.configure_certmonger_renewal)
+            self.step("configure certificate renewals", self.configure_renewal)
+            self.step("configure HTTP to proxy connections",
+                      self.http_proxy)
+            self.step("add vault container", self.__add_vault_container)
+            self.step("apply LDAP updates", self.__apply_updates)
 
-        self.step("enabling KRA instance", self.__enable_instance)
+            self.step("enabling KRA instance", self.__enable_instance)
 
         self.start_creation(runtime=126)
 

ipaserver/install/server/replicainstall.py

@@ -36,7 +36,7 @@ from ipalib.util import (
 import ipaclient.ipachangeconf
 import ipaclient.ntpconf
 from ipaserver.install import (
-    bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance,
+    bindinstance, ca, certs, dns, dsinstance, httpinstance,
     installutils, kra, krbinstance, memcacheinstance,
     ntpinstance, otpdinstance, custodiainstance, service)
 from ipaserver.install.installutils import (
@@ -713,13 +713,15 @@ def install_check(installer):
             root_logger.debug('No IPA DNS servers, '
                               'skipping forward/reverse resolution check')
 
+        kra_enabled = remote_api.Command.kra_is_enabled()['result']
+
         if ca_enabled:
             options.realm_name = config.realm_name
             options.host_name = config.host_name
             options.subject = config.subject_base
             ca.install_check(False, config, options)
 
-        if config.setup_kra:
+        if kra_enabled:
             try:
                 kra.install_check(remote_api, config, options)
             except RuntimeError as e:
@@ -763,6 +765,7 @@ def install_check(installer):
             ca_cert_file=cafile)
 
     installer._ca_enabled = ca_enabled
+    installer._kra_enabled = kra_enabled
     installer._remote_api = remote_api
     installer._fstore = fstore
     installer._sstore = sstore
@@ -773,6 +776,7 @@ def install_check(installer):
 def install(installer):
     options = installer
     ca_enabled = installer._ca_enabled
+    kra_enabled = installer._kra_enabled
     fstore = installer._fstore
     sstore = installer._sstore
     config = installer._config
@@ -835,9 +839,6 @@ def install(installer):
     otpd.create_instance('OTPD', config.host_name,
                          ipautil.realm_to_suffix(config.realm_name))
 
-    if ca_enabled:
-        cainstance.export_kra_agent_pem()
-
     custodia = custodiainstance.CustodiaInstance(config.host_name,
                                                  config.realm_name)
     custodia.create_instance()
@@ -850,11 +851,8 @@ def install(installer):
     service.print_msg("Applying LDAP updates")
     ds.apply_updates()
 
-    if options.setup_kra:
+    if kra_enabled:
         kra.install(api, config, options)
-    else:
-        service.print_msg("Restarting the directory server")
-        ds.restart()
 
     service.print_msg("Restarting the KDC")
     krb.restart()
@@ -1276,12 +1274,17 @@ def promote_check(installer):
                                   "custom certificates.")
                 raise ScriptError(rval=3)
 
-        config.kra_host_name = service.find_providing_server(
+        kra_host = service.find_providing_server(
                 'KRA', conn, config.kra_host_name)
-        if options.setup_kra and config.kra_host_name is None:
-            root_logger.error("There is no KRA server in the domain, can't "
-                              "setup a KRA clone")
-            raise ScriptError(rval=3)
+        if kra_host is not None:
+            config.kra_host_name = kra_host
+            kra_enabled = True
+        else:
+            if options.setup_kra:
+                root_logger.error("There is no KRA server in the domain, "
+                                  "can't setup a KRA clone")
+                raise ScriptError(rval=3)
+            kra_enabled = False
 
         if ca_enabled:
             options.realm_name = config.realm_name
@@ -1289,7 +1292,7 @@ def promote_check(installer):
             options.subject = config.subject_base
             ca.install_check(False, config, options)
 
-        if config.setup_kra:
+        if kra_enabled:
             try:
                 kra.install_check(remote_api, config, options)
             except RuntimeError as e:
@@ -1344,6 +1347,7 @@ def promote_check(installer):
         raise RuntimeError("CA cert file is not available.")
 
     installer._ca_enabled = ca_enabled
+    installer._kra_enabled = kra_enabled
     installer._fstore = fstore
     installer._sstore = sstore
     installer._config = config
@@ -1361,6 +1365,7 @@ def promote_check(installer):
 def promote(installer):
     options = installer
     ca_enabled = installer._ca_enabled
+    kra_enabled = installer._kra_enabled
     fstore = installer._fstore
     sstore = installer._sstore
     config = installer._config
@@ -1471,9 +1476,6 @@ def promote(installer):
                                                  config.realm_name)
     custodia.create_replica(config.master_host_name)
 
-    if installer._ca_enabled:
-        cainstance.export_kra_agent_pem()
-
     install_krb(
         config,
         setup_pkinit=not options.no_pkinit,
@@ -1500,7 +1502,7 @@ def promote(installer):
         options.dm_password = config.dirman_password
         ca.install(False, config, options)
 
-    if options.setup_kra:
+    if kra_enabled:
         kra.install(api, config, options)
 
     custodia.import_dm_password(config.master_host_name)