ipa-kra-install fails on a cluster with KRA already installed if all the KRA-enabled replicas are hidden.
Lookup failed: Preferred host master.ipa.test does not provide KRA. Failed to find an active KRA server!
KRA successfully installed.
Any up to at least 2020-3-24 IPA from git master.
    config.kra_host_name = find_providing_server(
        'KRA', api.Backend.ldap2, [api.env.ca_host]
    )

and masters.find_providing_servers() does:

    def find_providing_servers(svcname, conn=None, preferred_hosts=(), api=api):
        (...)
        if ENABLED_SERVICE in cfgstrings:
            servers.append(servername)
        # use hidden services on preferred hosts
        elif HIDDEN_SERVICE in cfgstrings and servername in preferred_hosts:
            servers.append(servername)

e.g. in the absence of preferred_hosts, find_providing_servers() returns an empty list.
The workaround is therefore to set ca_host in default.conf to the hidden replica's FQDN right before ipa-kra-install, and remove that setting right after ipa-kra-install.
Added PR: https://github.com/freeipa/freeipa/pull/4428 for a test that exhibits the issue.
Metadata Update from @fcami: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4428
Metadata Update from @fcami: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1816784
Issue linked to Bugzilla: Bug 1816784
So, the better workaround is to temporarily unhide the hidden replica. Overriding ca_host at ipa-kra-install time produces undesirable side-effects.
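The lookup behaviour discussed in this ticket, as an added example that is not FreeIPA's own code: a simplified model of the quoted branch showing why the lookup comes back empty when the only KRA is hidden, and how each workaround changes the result. The constant values, the dict-based topology, the helper `kra_host_for_install` and the host `hidden.ipa.test` are assumptions made for illustration.

```python
# Simplified model of the selection branch quoted in this ticket; not FreeIPA code.
# Constant values and the dict-based topology are assumptions for illustration.
ENABLED_SERVICE = "enabledService"
HIDDEN_SERVICE = "hiddenService"


def find_providing_servers(topology, svcname, preferred_hosts=()):
    """Return the hosts providing svcname, following the quoted if/elif."""
    servers = []
    for servername, services in topology.items():
        cfgstrings = services.get(svcname, ())
        if ENABLED_SERVICE in cfgstrings:
            servers.append(servername)
        # hidden services are only used on preferred hosts
        elif HIDDEN_SERVICE in cfgstrings and servername in preferred_hosts:
            servers.append(servername)
    return servers


def find_providing_server(topology, svcname, preferred_hosts=()):
    """Return one providing host, or None when nothing matched."""
    servers = find_providing_servers(topology, svcname, preferred_hosts)
    return servers[0] if servers else None


def kra_host_for_install(topology, ca_host):
    """Hypothetical helper mirroring the call above: only ca_host is preferred."""
    return find_providing_server(topology, "KRA", [ca_host])


# Constructed topology: the only KRA lives on a hidden replica.
HIDDEN_ONLY = {
    "master.ipa.test": {"CA": [ENABLED_SERVICE]},
    "hidden.ipa.test": {"CA": [HIDDEN_SERVICE], "KRA": [HIDDEN_SERVICE]},
}
# Same topology after the replica has been temporarily made visible.
UNHIDDEN = {
    "master.ipa.test": {"CA": [ENABLED_SERVICE]},
    "hidden.ipa.test": {"CA": [ENABLED_SERVICE], "KRA": [ENABLED_SERVICE]},
}

if __name__ == "__main__":
    # Failing case: ca_host is a visible master without KRA.
    print(kra_host_for_install(HIDDEN_ONLY, "master.ipa.test"))
    # First workaround: ca_host overridden to the hidden replica.
    print(kra_host_for_install(HIDDEN_ONLY, "hidden.ipa.test"))
    # Better workaround: replica unhidden, ca_host left alone.
    print(kra_host_for_install(UNHIDDEN, "master.ipa.test"))
```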
master:
ipa-4-8:
Closing, the only change is to test the workaround / workflow.
Metadata Update from @fcami: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @fcami: - Custom field changelog adjusted to Test that a hidden replica containing the first KRA can be temporarily made visible to install more KRA instances.
Metadata Update from @fcami: - Issue assigned to fcami
If the first KRA instance is installed on a hidden replica, more KRA instances cannot be added to the cluster. As a workaround, temporarily make the hidden replica with the KRA role visible before adding more KRA instances. The previously-hidden replica can be hidden again as soon as ipa-kra-install is complete.
Metadata Update from @abbra: - Custom field knownissue adjusted to on
Metadata Update from @abbra: - Custom field knownissue reset (from on)
Metadata Update from @abbra: - Custom field affects_doc adjusted to on - Custom field knownissue adjusted to on (was: false)