authorStanislav Laznicka <slaznick@redhat.com>2016-11-07 12:42:15 +0100
committerJan Cholasta <jcholast@redhat.com>2016-11-11 12:17:25 +0100
commit835923750bff4f26d9b90df9870a961d16728488 (patch)
tree900c6daebfa95f1c81b66caf5c2fcda46b5d9bfd /ipaserver/install/server/replicainstall.py
parent606cac1c9e85633f54b1cc1c9fc1351e6d1a545f (diff)
Take advantage of the ca/kra code cleanup in replica installation
The recent cleanup of ca/kra installation code can be used to greatly reduce the number of differences between DL0 and DL1 in replica installation. This change also allows moving Custodia instance creation after the installation of the Kerberos and httpd instances. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/install/server/replicainstall.py')
-rw-r--r--ipaserver/install/server/replicainstall.py38
1 files changed, 11 insertions, 27 deletions
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index e6a64fccd..054513d85 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1407,18 +1407,6 @@ def install(installer):
# To config certmonger would try to connect to local server
create_ipa_conf(fstore, config, ca_enabled)
- if promote:
- custodia = custodiainstance.CustodiaInstance(config.host_name,
- config.realm_name)
- custodia.create_replica(config.master_host_name)
- else:
- options.dm_password = config.dirman_password
- if ca_enabled:
- options.realm_name = config.realm_name
- options.domain_name = config.domain_name
- options.host_name = config.host_name
- ca.install_step_0(False, config, options)
-
krb = install_krb(
config,
setup_pkinit=not options.no_pkinit,
@@ -1436,23 +1424,21 @@ def install(installer):
otpd.create_instance('OTPD', config.host_name,
ipautil.realm_to_suffix(config.realm_name))
+ custodia = custodiainstance.CustodiaInstance(config.host_name,
+ config.realm_name)
if promote:
- if ca_enabled:
- options.realm_name = config.realm_name
- options.domain_name = config.domain_name
- options.host_name = config.host_name
- options.dm_password = config.dirman_password
- ca.install(False, config, options)
+ custodia.create_replica(config.master_host_name)
+ custodia.import_dm_password(config.master_host_name)
else:
- if ca_enabled:
- # Done after install_krb() because lightweight CA key
- # retrieval setup needs to create kerberos principal.
- ca.install_step_1(False, config, options)
-
- custodia = custodiainstance.CustodiaInstance(config.host_name,
- config.realm_name)
custodia.create_instance()
+ if ca_enabled:
+ options.realm_name = config.realm_name
+ options.domain_name = config.domain_name
+ options.host_name = config.host_name
+ options.dm_password = config.dirman_password
+ ca.install(False, config, options)
+
# Apply any LDAP updates. Needs to be done after the replica is synced-up
service.print_msg("Applying LDAP updates")
ds.apply_updates()
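Review bot: The ordering constraint on the CA step is no longer documented. The removed comment explained that it runs after install_krb() because lightweight CA key retrieval setup needs to create a Kerberos principal, and the new unconditional `if ca_enabled:` block carries no such note. I would restore it above that block, e.g. `# Keep after install_krb(): lightweight CA key retrieval setup creates a Kerberos principal.`, and, if ca.install() on the promote path also depends on Custodia already being set up (this looks intended from the commit message but is not visible here), say so in the same comment. Separately, `options.dm_password = config.dirman_password` now copies the Directory Manager password onto the shared options object on both paths, so it is worth confirming that this object is never written to the install log. The body of install() starts and ends outside this hunk.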
@@ -1464,8 +1450,6 @@ def install(installer):
krb.restart()
if promote:
- custodia.import_dm_password(config.master_host_name)
-
promote_sssd(config.host_name)
promote_openldap_conf(config.host_name, config.master_host_name)