Use new approach to validate whether the ipa-ca DNS record is complete

[rcritten]

Related to the ticket:

Use new approach to validate whether the ipa-ca DNS record is complete

The previous method counted the number of servers with CA's and
expected an identical count of servers in ipa-ca, for each of the
A and AAAA types.

If one server had only A or AAAA records then this count could be
off and issue a spurious warning.

Instead get the list of A and AAAA records for servers with a CA
and compare the IP addresses to those of the A and AAAA records
of ipa-ca. Return a warning if any are missing or not expected
(e.g. a server was removed but remains in ipa-ca).

https://github.com/freeipa/freeipa-healthcheck/issues/270

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

I ran into this while testing the above patch so went ahead and included the fix:

Use exceptions to indicate parsing errors, not a return value

The validation in parse_options() retured a 1 on failure.
Raise an exception instead and expect the caller to handle it.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

[rcritten]

Need to address the lint items and just found that the IPv6 address of hidden servers is being reported as unexpected. It isn't in the ipa-ca dig output though.

[rcritten]

The bad ipa-ca record is not a healthcheck issue. I opened https://pagure.io/freeipa/issue/9195

[flo-renaud]

Hi @rcritten
thanks for the patch, LGTM. I tested various situations where the CA servers have only ipv4 / only ipv6 / both addresses and the new code properly handles the cases. Also works with hidden servers.

[rcritten]

Thanks for the review!