install: always export KRA agent PEM file

Export the file even when KRA is not installed locally so that vault commands work on all IPA replicas. https://fedorahosted.org/freeipa/ticket/5302 Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-09-16 09:05:20 +02:00
parent 110e85cc74
commit b035a2a114
4 changed files with 9 additions and 9 deletions
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -61,8 +61,7 @@ def _main():
            # Load it into dogtag
            cainstance.update_people_entry(dercert)

-        kra = krainstance.KRAInstance(api.env.realm)
-        if kra.is_installed():
+        if api.Command.kra_is_enabled()['result']:
            krainstance.export_kra_agent_pem()
    finally:
        shutil.rmtree(tmpdir)
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -64,8 +64,8 @@ from ipaserver.install import certs
 from ipaserver.install import dsinstance
 from ipaserver.install import installutils
 from ipaserver.install import service
-from ipaserver.install.dogtaginstance import DogtagInstance
-from ipaserver.install.dogtaginstance import PKI_USER, DEFAULT_DSPORT
+from ipaserver.install.dogtaginstance import (
+    DEFAULT_DSPORT, PKI_USER, export_kra_agent_pem, DogtagInstance)
 from ipaserver.plugins import ldap2

 # Python 3 rename. The package is available in "six.moves.http_client", but
@@ -892,6 +892,8 @@ class CAInstance(DogtagInstance):
        finally:
            os.remove(agent_name)

+        export_kra_agent_pem()
+
    def import_ra_cert(self, rafile):
        """
        Cloned RAs will use the same RA agent cert as the master so we
@@ -910,6 +912,8 @@ class CAInstance(DogtagInstance):

        self.configure_agent_renewal()

+        export_kra_agent_pem()
+
    def __create_ca_agent(self):
        """
        Create CA agent, assign a certificate, and add the user to
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -262,8 +262,6 @@ class KRAInstance(DogtagInstance):

        shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)

-        export_kra_agent_pem()
-
        self.log.debug("completed creating KRA instance")

    def __create_kra_agent(self):
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1258,9 +1258,8 @@ def export_kra_agent_pem():
        root_logger.info("KRA agent PEM file already exported")
        return

-    kra = krainstance.KRAInstance(api.env.realm)
-    if not kra.is_installed():
-        root_logger.info("KRA is not installed")
+    if not api.Command.kra_is_enabled()['result']:
+        root_logger.info("KRA is not enabled")
        return

    krainstance.export_kra_agent_pem()