#8245 ipa-kra-install should exit if ca_host is overridden.
Closed: fixed 2 years ago by antorres. Opened 4 years ago by fcami.

Request for enhancement

As admin, I want ipa-kra-install to exit if /etc/ipa/default.conf contains a ca_host line to avoid unintended and undesired behavior.

Issue

Currently, ipa-kra-install will agree to "install" the KRA on a replica where ca_host is overridden and points to another host in the cluster.
Not only does the installation "succeed", but the resulting KRA is not properly configured: ipa-kra-install will instead contact the other host's DogTag to "configure" it.

Steps to Reproduce

  1. Have a 2-node ipa0/ipa1 IPA cluster without KRA but with 2xCA and default FirewallD profiles for IPA
  2. Set ipa1 to hidden
  3. Install KRA on ipa1
  4. Add a ca_host entry in /etc/ipa/default.conf on ipa0 and set it to ipa1's FQDN
  5. Launch ipa-kra-install on ipa0. It should fail early, as ipa1:8443 is not reachable.
  6. Open tcp/8443 on ipa1's firewall
  7. Launch ipa-kra-install on ipa0. It should succeed.
  8. Try to use the KRA.

Actual behavior

The resulting KRA configuration is not working properly, which is not surprising as ipa0's DogTag is now misconfigured while ipa0 is listed as having the "KRA server" role.
This is even more visible if ipa1 is hidden.

Expected behavior

ipa-kra-install exits early if ca_host is overridden.


Metadata Update from @antorres:
- Issue assigned to antorres

3 years ago

master:

  • 718099a ipa-kra-install: exit if ca_host is overriden
  • 42447c4 ipatests: test if KRA install fails when ca_host is overriden

Metadata Update from @antorres:
- Custom field affects_doc adjusted to on
- Custom field knownissue adjusted to on
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

ipa-4-9:

  • ab4720d ipa-kra-install: exit if ca_host is overriden
  • a4e13a3 ipatests: test if KRA install fails when ca_host is overriden
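
A preflight check in the spirit of this request, as an added example; it is not FreeIPA's code and not the fix from the commits listed above. It assumes default.conf is INI-style with a [global] section, treats a ca_host equal to the local host as no override, and uses constructed hostnames in the sample.

```python
import sys
from configparser import RawConfigParser

# Constructed sample of /etc/ipa/default.conf on ipa0 after step 4
# of the reproducer (hostnames are made up for this example).
SAMPLE_OVERRIDDEN = """\
[global]
host = ipa0.example.test
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
domain = example.test
xmlrpc_uri = https://ipa0.example.test/ipa/xml
enable_ra = True
ca_host = ipa1.example.test
"""

def _norm(fqdn):
    # Compare FQDNs case-insensitively and ignore a trailing root dot.
    return fqdn.strip().rstrip(".").lower()

def ca_host_override(conf_text, local_fqdn=None):
    """Return the ca_host value if it points away from this host, else None."""
    parser = RawConfigParser(strict=False)  # raw: no '%' interpolation
    parser.read_string(conf_text)
    if not parser.has_option("global", "ca_host"):
        return None
    ca_host = parser.get("global", "ca_host").strip()
    if not ca_host:
        return None  # empty value: nothing is being redirected
    # Assumption: the 'host' key in [global] names the local server.
    local = local_fqdn or parser.get("global", "host", fallback="")
    if _norm(ca_host) == _norm(local):
        return None
    return ca_host

def main(path="/etc/ipa/default.conf"):
    with open(path, encoding="utf-8") as fh:
        override = ca_host_override(fh.read())
    if override:
        print(f"{path}: ca_host is overridden to {override}; "
              "remove the line before installing the KRA", file=sys.stderr)
        return 1
    return 0

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Run before ipa-kra-install on the target replica, a non-zero exit status means the CA calls would be directed at another host's DogTag.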
