CA replica promotion: add proper CA DNS records

Update 'ipa-ca' records with A/AAAA records of the newly added replica https://fedorahosted.org/freeipa/ticket/5966 Reviewed-By: Petr Spacek <pspacek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-06-22 12:20:09 +02:00 · 2016-06-22 12:20:09 +02:00 · 5693d19550
commit 5693d19550
parent 104040cf36
3 changed files with 13 additions and 6 deletions
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@ -272,3 +272,4 @@ DOMAIN_SUFFIX_NAME = 'domain'
 CA_SUFFIX_NAME = 'ca'
 PKI_GSSAPI_SERVICE_NAME = 'dogtag'
 IPA_CA_CN = u'ipa'
+IPA_CA_RECORD = "ipa-ca"
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@ -37,7 +37,6 @@ from ipaserver.dns_data_management import (
 from ipaserver.install import installutils
 from ipaserver.install import service
 from ipaserver.install import sysupgrade
-from ipaserver.install.cainstance import IPA_CA_RECORD
 from ipapython import sysrestore, ipautil, ipaldap
 from ipapython import dnsutil
 from ipapython.dnsutil import DNSName
@ -45,6 +44,7 @@ from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
 import ipalib
 from ipalib import api, errors
+from ipalib.constants import IPA_CA_RECORD
 from ipaplatform import services
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -63,6 +63,7 @@ from ipapython.ipa_log_manager import log_mgr,\
 from ipapython.secrets.kem import IPAKEMKeys

 from ipaserver.install import certs
+from ipaserver.install import bindinstance
 from ipaserver.install import dsinstance
 from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
@ -81,10 +82,6 @@ except ImportError:
    import http.client as httplib


-# When IPA is installed with DNS support, this CNAME should hold all IPA
-# replicas with CA configured
-IPA_CA_RECORD = "ipa-ca"
-
 # We need to reset the template because the CA uses the regular boot
 # information
 INF_TEMPLATE = """
@ -1296,6 +1293,14 @@ class CAInstance(DogtagInstance):
        basedn = ipautil.realm_to_suffix(self.realm)
        self.ldap_enable('CA', self.fqdn, None, basedn)

+    def __update_ca_records(self):
+        # Install CA DNS records
+        if bindinstance.dns_container_exists(
+            api.env.host, api.env.basedn, ldapi=True, realm=api.env.realm
+        ):
+            bind = bindinstance.BindInstance(ldapi=True)
+            bind.update_system_records()
+
    def configure_replica(self, master_host, subject_base=None,
                          ca_cert_bundle=None, ca_signing_algorithm=None,
                          ca_type=None):
@ -1366,6 +1371,7 @@ class CAInstance(DogtagInstance):
                  self.__restart_http_instance)

        self.step("enabling CA instance", self.__enable_instance)
+        self.step("Updating DNS CA records", self.__update_ca_records)

        self.start_creation(runtime=210)

@ -1722,7 +1728,7 @@ def __add_acls(new_rules):
 def __get_profile_config(profile_id):
    sub_dict = dict(
        DOMAIN=ipautil.format_netloc(api.env.domain),
-        IPA_CA_RECORD=IPA_CA_RECORD,
+        IPA_CA_RECORD=ipalib.constants.IPA_CA_RECORD,
        CRL_ISSUER='CN=Certificate Authority,o=ipaca',
        SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(),
    )