From 5693d195501611c6abe9dbdf1370b898ffa6b3c7 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Jun 28 2016 14:56:35 +0000
Subject: CA replica promotion: add proper CA DNS records

Update 'ipa-ca' records with A/AAAA records of the newly added replica

https://fedorahosted.org/freeipa/ticket/5966

Reviewed-By: Petr Spacek
---
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 8451c99..0574bb3 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -272,3 +272,4 @@ DOMAIN_SUFFIX_NAME = 'domain'
 CA_SUFFIX_NAME = 'ca'
 PKI_GSSAPI_SERVICE_NAME = 'dogtag'
 IPA_CA_CN = u'ipa'
+IPA_CA_RECORD = "ipa-ca"
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index a63b2df..2bc7538 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -37,7 +37,6 @@ from ipaserver.dns_data_management import (
 from ipaserver.install import installutils
 from ipaserver.install import service
 from ipaserver.install import sysupgrade
-from ipaserver.install.cainstance import IPA_CA_RECORD
 from ipapython import sysrestore, ipautil, ipaldap
 from ipapython import dnsutil
 from ipapython.dnsutil import DNSName
@@ -45,6 +44,7 @@ from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
 import ipalib
 from ipalib import api, errors
+from ipalib.constants import IPA_CA_RECORD
 from ipaplatform import services
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 8dfb715..c741a7e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -63,6 +63,7 @@ from ipapython.ipa_log_manager import log_mgr,\
 from ipapython.secrets.kem import IPAKEMKeys
 
 from ipaserver.install import certs
+from ipaserver.install import bindinstance
 from ipaserver.install import dsinstance
 from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
@@ -81,10 +82,6 @@ except ImportError:
 import http.client as httplib
 
-# When IPA is installed with DNS support, this CNAME should hold all IPA
-# replicas with CA configured
-IPA_CA_RECORD = "ipa-ca"
-
 # We need to reset the template because the CA uses the regular boot
 # information
 INF_TEMPLATE = """
@@ -1296,6 +1293,14 @@ class CAInstance(DogtagInstance):
 basedn = ipautil.realm_to_suffix(self.realm)
 self.ldap_enable('CA', self.fqdn, None, basedn)
 
+ def __update_ca_records(self):
+ # Install CA DNS records
+ if bindinstance.dns_container_exists(
+ api.env.host, api.env.basedn, ldapi=True, realm=api.env.realm
+ ):
+ bind = bindinstance.BindInstance(ldapi=True)
+ bind.update_system_records()
+
 def configure_replica(self, master_host, subject_base=None,
 ca_cert_bundle=None, ca_signing_algorithm=None, ca_type=None):
@@ -1366,6 +1371,7 @@ class CAInstance(DogtagInstance):
 self.__restart_http_instance)
 self.step("enabling CA instance", self.__enable_instance)
+ self.step("Updating DNS CA records", self.__update_ca_records)
 self.start_creation(runtime=210)
@@ -1722,7 +1728,7 @@ def __add_acls(new_rules):
 def __get_profile_config(profile_id):
 sub_dict = dict(
 DOMAIN=ipautil.format_netloc(api.env.domain),
- IPA_CA_RECORD=IPA_CA_RECORD,
+ IPA_CA_RECORD=ipalib.constants.IPA_CA_RECORD,
 CRL_ISSUER='CN=Certificate Authority,o=ipaca',
 SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(),
 )
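Review bot: `__update_ca_records` lets any exception from `bind.update_system_records()` propagate, and because the step is registered after "enabling CA instance" in the later hunk, a DNS-record failure presumably aborts the replica's CA configuration with the instance already enabled. Decide whether that is intended; if the CA should stay usable when the record update fails, catch the error around the `update_system_records()` call and log it so the administrator knows to add the records by hand. The comment `# Install CA DNS records` only restates the call; a docstring giving the reason helps more, e.g. `"""Add this replica's A/AAAA addresses to the ipa-ca records so clients that resolve the CA by that name can reach it."""` — the same record name is substituted into the certificate profile by `__get_profile_config`, so missing records presumably affect the CRL/OCSP URLs of issued certificates (verify against the profile template). The step label `"Updating DNS CA records"` is the only capitalised one next to `"enabling CA instance"`; `self.step("updating DNS CA records", self.__update_ca_records)` matches its neighbours. `configure_replica` and the rest of its `self.step` chain lie outside these hunks.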
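Review bot: `IPA_CA_RECORD=ipalib.constants.IPA_CA_RECORD` in `__get_profile_config` resolves through the package attribute, which only works if `ipalib.constants` has already been imported as a submodule somewhere before this call; the same commit's change to bindinstance.py uses `from ipalib.constants import IPA_CA_RECORD` instead. Using the explicit import here as well keeps the two files consistent and removes the dependency on import order: add `from ipalib.constants import IPA_CA_RECORD` to the cainstance import block and keep the original `IPA_CA_RECORD=IPA_CA_RECORD,` line. `__get_profile_config` continues past the end of the hunk.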