Bug 1816784

Summary: KRA install fails if all KRA members are Hidden Replicas
Product: Red Hat Enterprise Linux 8 Reporter: François Cami <fcami>
Component: ipaAssignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact: Florian Delehaye <fdelehay>
Priority: unspecified    
Version: 8.0CC: afarley, fdelehay, lmcgarry, myusuf, pcech, rcritten, ssidhaye, tscherf, twoerner
Target Milestone: rcKeywords: TestCaseProvided
Target Release: 8.3Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Known Issue
Doc Text:
.Installing KRA fails if all KRA members are hidden replicas The `ipa-kra-install` utility fails on a cluster where the Key Recovery Authority (KRA) is already present, if the first KRA instance is installed on a hidden replica. Consequently, you cannot add further KRA instances to the cluster. To work around this problem, unhide the hidden replica that has the KRA role before you add new KRA instances. You can hide it again when `ipa-kra-install` completes successfully.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 02:50:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
junit.xml none

Description François Cami 2020-03-24 17:51:52 UTC 
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/8240

### Issue
ipa-kra-install fails on a cluster with KRA already installed if all the KRA-enabled replica are hidden.

#### Steps to Reproduce
1. install master (DNS, CA)
2. install replica0 (DNS, CA) as hidden
3. install KRA on replica0 (so: on the hidden replica)
4. install KRA on master

#### Actual behavior
Lookup failed: Preferred host master.ipa.test does not provide KRA.
Failed to find an active KRA server!

#### Expected behavior
KRA successfully installed.

#### Version/Release/Distribution
Any up to at least 2020-3-24 IPA from git master.

#### Additional info:
- this is because ipa-kra-install does:
```
                config.kra_host_name = find_providing_server(
                    'KRA', api.Backend.ldap2, [api.env.ca_host]
                )
```
and masters.find_providing_servers()  does:
```
def find_providing_servers(svcname, conn=None, preferred_hosts=(), api=api):
(...)
        if ENABLED_SERVICE in cfgstrings:
            servers.append(servername)
        # use hidden services on preferred hosts
        elif HIDDEN_SERVICE in cfgstrings and servername in preferred_hosts:
            servers.append(servername)
```
e.g. in the absence  of preferred_hosts, find_providing_servers() returns an empty list.

The workaround is therefore to set ca_host in default.conf to the hidden replica's FQDN right before ipa-kra-install, and remove that setting right after ipa-kra-install.
Comment 1 François Cami 2020-03-25 15:57:19 UTC 
Actual, better workaround (setting ca_host is NOT recommended for this): un-hide the hidden replica even temporarily.
Comment 2 François Cami 2020-03-26 14:10:54 UTC 
Upstream test:
master:
https://pagure.io/freeipa/c/f9804558bbe745df1141c84f00be83edcbe06c91
ipa-4-8:
https://pagure.io/freeipa/c/a692212e3bee36fbccba73ed21f7825381eeade4
Comment 10 Mohammad Rizwan 2020-06-26 08:15:28 UTC 
Created attachment 1698886 [details]
junit.xml
Comment 11 Mohammad Rizwan 2020-06-26 08:17:27 UTC 

Automation passed, junit.xml is attached. Hence marking the bug a verified.
Comment 21 errata-xmlrpc 2020-11-04 02:50:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4670