If there are KRAs, ensure the renewal server is one #290

Merged
merged 1 commit into from
Apr 7, 2023

rcritten
Collaborator

If there are KRAs in the topology and there isn't one on the renewal server then the KRA certificates will not be renewed because they expect another server to do it for them.

Fixes: #125

@rcritten rcritten force-pushed the issue_125 branch 2 times, most recently from ba79783 to 6724bf0 Compare March 30, 2023 19:23
Contributor

@flo-renaud flo-renaud left a comment

Hi @rcritten
Thanks for the PR. The new check works as expected, but I was wondering why it's performing a search to find the KRAs. The call to config_show already gathers all the needed information:

# ipa config-show
[...]
  IPA CA renewal master: server.ipa.test
  IPA KRA servers: replica.ipa.test
[...]

Any reason to not rely on this info?

@flo-renaud flo-renaud self-assigned this Apr 6, 2023
If there are KRAs in the topology and there isn't one on
the renewal server then the KRA certificates will not be
renewed because they expect another server to do it for them.

Fixes: freeipa#125

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
@rcritten
Collaborator Author

rcritten commented Apr 6, 2023

> Any reason to not rely on this info?

No, I totally missed this. Dropped the search as it is much simpler code.

@flo-renaud
Contributor

Thanks for the update, LGTM. I tested the same scenario as the pytest:

  • host is not renewal master
  • host is renewal master, no KRA at all
  • host is renewal master, there is a KRA but not on this host
  • host is renewal master and has KRA

@rcritten rcritten merged commit 4185976 into freeipa:master Apr 7, 2023
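
The four scenarios tested above, written as a check over the `ipa config-show` output quoted in the review. This is an added example, not the code merged in this PR; the function names, the result strings, the comma-separated KRA list and the hostnames are assumptions.

```python
# Added example, not freeipa-healthcheck code. Field labels come from the
# `ipa config-show` excerpt in the review; hostnames are constructed samples.
NO_KRA = "  IPA CA renewal master: server.ipa.test\n"
KRA_ELSEWHERE = NO_KRA + "  IPA KRA servers: replica.ipa.test\n"
KRA_ON_MASTER = NO_KRA + "  IPA KRA servers: replica.ipa.test, server.ipa.test\n"


def parse_config_show(text):
    """Return (renewal_master, kra_servers) parsed from config-show text."""
    renewal_master, kra_servers = None, []
    for line in text.splitlines():
        label, sep, value = line.strip().partition(":")
        if not sep:
            continue  # headers, "[...]" elisions, blank lines
        if label == "IPA CA renewal master":
            renewal_master = value.strip().lower()
        elif label == "IPA KRA servers":
            # Assumption: multiple KRA servers are printed comma-separated.
            kra_servers = [v.strip().lower() for v in value.split(",") if v.strip()]
    return renewal_master, kra_servers


def check_kra_on_renewal_master(text, this_host):
    """Classify this host as 'skipped', 'ok' or 'error' (hypothetical labels)."""
    renewal_master, kra_servers = parse_config_show(text)
    if renewal_master != this_host.lower():
        return "skipped"  # host is not the renewal master
    if not kra_servers:
        return "ok"       # renewal master, no KRA at all
    if renewal_master in kra_servers:
        return "ok"       # renewal master and has a KRA
    return "error"        # KRA exists, but not on the renewal master


if __name__ == "__main__":
    cases = [
        ("not renewal master", KRA_ELSEWHERE, "replica.ipa.test"),
        ("no KRA at all", NO_KRA, "server.ipa.test"),
        ("KRA not on this host", KRA_ELSEWHERE, "server.ipa.test"),
        ("has KRA", KRA_ON_MASTER, "server.ipa.test"),
    ]
    for name, text, host in cases:
        print(f"{name}: {check_kra_on_renewal_master(text, host)}")
```
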
Successfully merging this pull request may close these issues.

Detect if KRA is installed and not the CA renewal master