ipa-server-install: add --setup-kra option #548
Conversation
| @@ -836,14 +836,12 @@ def install_check(installer): | |||
| root_logger.debug('No IPA DNS servers, ' | |||
| 'skipping forward/reverse resolution check') | |||
|
|
|||
| kra_enabled = remote_api.Command.kra_is_enabled()['result'] | |||
There was a problem hiding this comment.
If I understand this correctly, before this patch, KRA would be installed automatically if it was present on the master server. With this patch, --setup-kra would have to be explicitly passed to ipa-replica-install.
Is this the case or am I missing something? Is this behaviour change intended?
There was a problem hiding this comment.
No, you don't understand it. KRA would not be installed. See kra.py:install() for details.
| @@ -384,6 +384,8 @@ def install_check(installer): | |||
| print(" * Create and configure an instance of Directory Server") | |||
| print(" * Create and configure a Kerberos Key Distribution Center (KDC)") | |||
| print(" * Configure Apache (httpd)") | |||
| if options.setup_kra: | |||
There was a problem hiding this comment.
Please update the man pages with --setup-kra option for both ipa-server-install and ipa-replica-install.
|
NACK on the "KRA: run install and install_check only when KRA should be installed" commit. The end goal for all component installers is to make them isolated and handle their options themselves, so that they can be packaged separately (among other things). This commit takes the code in the opposite direction. Also it does not make the code more readable because it is inconsistent with the CA installer. |
ipaserver/install/server/__init__.py
Outdated
| @@ -159,7 +159,6 @@ def domain_level(self, value): | |||
| None, | |||
| description="configure a dogtag KRA", | |||
| ) | |||
| setup_kra = enroll_only(setup_kra) | |||
There was a problem hiding this comment.
Why did you remove this line? It must be here, otherwise --setup-kra will appear in ipa-replica-prepare once it's ported to the install framework.
There was a problem hiding this comment.
I somehow thought that it will not work, reverted.
This patch allows to install KRA on first IPA server in one step using ipa-server-install This option improves containers installation where ipa-server can be installed with KRA using one call without need to call docker exec. Please note the the original `kra.install()` calls in ipaserver/install/server/install.py were empty operations as it did nothing, so it is safe to move them out from CA block https://pagure.io/freeipa/issue/6731
This will allow to test --setup-kra option together with ipa-server-install in install tests Separate installation using ipa-kra-install is already covered. https://pagure.io/freeipa/issue/6731
|
Given that there is no time, I dropped commit you NACKed as it unneeded for this PR, but please note my disagreement about a way how |
ghost
added
the
No description provided.