freeipa / freeipa-healthcheck

Check the health of a freeIPA installation
GNU General Public License v3.0

Use new approach to validate whether the ipa-ca DNS record is complete #274

Closed. rcritten closed this 2 years ago

rcritten commented 2 years ago

Related to the ticket:

Use new approach to validate whether the ipa-ca DNS record is complete

The previous method counted the number of servers with CA's and
expected an identical count of servers in ipa-ca, for each of the
A and AAAA types.

If one server had only A or AAAA records then this count could be
off and issue a spurious warning.

Instead get the list of A and AAAA records for servers with a CA
and compare the IP addresses to those of the A and AAAA records
of ipa-ca. Return a warning if any are missing or not expected
(e.g. a server was removed but remains in ipa-ca).

https://github.com/freeipa/freeipa-healthcheck/issues/270

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

I ran into this while testing the above patch, so I went ahead and included the fix:

Use exceptions to indicate parsing errors, not a return value

The validation in parse_options() returned a 1 on failure.
Raise an exception instead and expect the caller to handle it.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
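The comparison the first commit message describes, written out as an added Python example that is not freeipa-healthcheck's own code. The resolver results are constructed inline (hostnames and addresses are made-up documentation values) so it runs offline; the old count-based check is included beside the new address-based one to show the spurious warning the commit fixes.

```python
import ipaddress

# Constructed lookup results: CA server hostname -> its A/AAAA answers.
# ipa2 deliberately has only an A record, the case that tripped the old check.
CA_SERVERS = {
    "ipa1.example.test": {"192.0.2.10", "2001:db8::10"},
    "ipa2.example.test": {"192.0.2.11"},
}
# Constructed ipa-ca answers: one correct set and one with a stale address
# left behind by a server that was removed (192.0.2.99).
IPA_CA_OK = {"192.0.2.10", "2001:db8::10", "192.0.2.11"}
IPA_CA_STALE = IPA_CA_OK | {"192.0.2.99"}


def normalize(addresses):
    """Canonicalize address strings so e.g. '2001:db8:0::10' == '2001:db8::10'."""
    return {str(ipaddress.ip_address(a)) for a in addresses}


def count_based_warnings(ca_servers, ipa_ca_records):
    """Old approach: expect one A and one AAAA in ipa-ca per CA server.
    Returns the record types whose count differs from the server count."""
    expected = len(ca_servers)
    a = {x for x in normalize(ipa_ca_records) if ipaddress.ip_address(x).version == 4}
    aaaa = {x for x in normalize(ipa_ca_records) if ipaddress.ip_address(x).version == 6}
    warnings = []
    if len(a) != expected:
        warnings.append("A")
    if len(aaaa) != expected:
        warnings.append("AAAA")
    return warnings


def address_based_warnings(ca_servers, ipa_ca_records):
    """New approach: compare the actual addresses of CA servers with the
    A/AAAA records of ipa-ca. Returns (missing, unexpected) as sorted lists."""
    expected = set()
    for addrs in ca_servers.values():
        expected |= normalize(addrs)
    actual = normalize(ipa_ca_records)
    return sorted(expected - actual), sorted(actual - expected)


if __name__ == "__main__":
    print("count-based (correct ipa-ca):", count_based_warnings(CA_SERVERS, IPA_CA_OK))
    print("address-based (correct ipa-ca):", address_based_warnings(CA_SERVERS, IPA_CA_OK))
    print("address-based (stale ipa-ca):", address_based_warnings(CA_SERVERS, IPA_CA_STALE))
```

With the correct ipa-ca record the count-based check still warns about AAAA because ipa2 has no IPv6 address, while the address-based check reports nothing; with the stale record it names the exact unexpected address.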
rcritten commented 2 years ago

Need to address the lint items and just found that the IPv6 address of hidden servers is being reported as unexpected. It isn't in the ipa-ca dig output though.

rcritten commented 2 years ago

The bad ipa-ca record is not a healthcheck issue. I opened https://pagure.io/freeipa/issue/9195

rcritten commented 2 years ago

Thanks for the review!