feat: manage externaldns bind (#428)
- add module to manage externaldns bind for k8s - add infra::dns::externaldns role - add 198.18.19.20 as anycast for k8s external-dns service Reviewed-on: #428
This commit was merged in pull request #428.
This commit is contained in:
@@ -0,0 +1,15 @@
|
||||
# ExternalDNS BIND module - automatically configures master or slave
|
||||
class externaldns (
|
||||
Stdlib::Fqdn $bind_master_hostname,
|
||||
Array[Stdlib::Fqdn] $k8s_zones = [],
|
||||
Array[Stdlib::Fqdn] $slave_servers = [],
|
||||
String $externaldns_key_secret = '',
|
||||
String $externaldns_key_algorithm = 'hmac-sha256',
|
||||
) {
|
||||
|
||||
if $trusted['certname'] == $bind_master_hostname {
|
||||
include externaldns::master
|
||||
} else {
|
||||
include externaldns::slave
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,45 @@
|
||||
# ExternalDNS BIND master server class
|
||||
class externaldns::master inherits externaldns {
|
||||
|
||||
include bind
|
||||
|
||||
# Query PuppetDB for slave server IP addresses
|
||||
$slave_ips = $externaldns::slave_servers.map |$fqdn| {
|
||||
puppetdb_query("inventory[facts.networking.ip] { certname = '${fqdn}' }")[0]['facts.networking.ip']
|
||||
}.filter |$ip| { $ip != undef }
|
||||
|
||||
# Create TSIG key for ExternalDNS authentication
|
||||
bind::key { 'externaldns-key':
|
||||
algorithm => $externaldns::externaldns_key_algorithm,
|
||||
secret => $externaldns::externaldns_key_secret,
|
||||
}
|
||||
|
||||
# Create ACL for slave servers
|
||||
if !empty($slave_ips) {
|
||||
bind::acl { 'dns-slaves':
|
||||
addresses => $slave_ips,
|
||||
}
|
||||
}
|
||||
|
||||
# Create master zones for each Kubernetes domain
|
||||
$externaldns::k8s_zones.each |$zone| {
|
||||
bind::zone { $zone:
|
||||
zone_type => 'master',
|
||||
dynamic => true,
|
||||
allow_updates => ['key externaldns-key'],
|
||||
allow_transfers => empty($slave_ips) ? {
|
||||
true => [],
|
||||
false => ['dns-slaves'],
|
||||
},
|
||||
ns_notify => !empty($slave_ips),
|
||||
also_notify => $slave_ips,
|
||||
dnssec => false,
|
||||
}
|
||||
}
|
||||
|
||||
# Create default view to include the zones
|
||||
bind::view { 'externaldns':
|
||||
recursion => false,
|
||||
zones => $externaldns::k8s_zones,
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,36 @@
|
||||
# ExternalDNS BIND slave server class
|
||||
class externaldns::slave inherits externaldns {
|
||||
|
||||
include bind
|
||||
|
||||
# Query PuppetDB for master server IP address
|
||||
$query = "inventory[facts.networking.ip] { certname = '${externaldns::bind_master_hostname}' }"
|
||||
$master_ip = puppetdb_query($query)[0]['facts.networking.ip']
|
||||
|
||||
# Create TSIG key for zone transfers (same as master)
|
||||
bind::key { 'externaldns-key':
|
||||
algorithm => $externaldns::externaldns_key_algorithm,
|
||||
secret => $externaldns::externaldns_key_secret,
|
||||
}
|
||||
|
||||
# Create ACL for master server
|
||||
bind::acl { 'dns-master':
|
||||
addresses => [$master_ip],
|
||||
}
|
||||
|
||||
# Create slave zones for each Kubernetes domain
|
||||
$externaldns::k8s_zones.each |$zone| {
|
||||
bind::zone { $zone:
|
||||
zone_type => 'slave',
|
||||
masters => [$master_ip],
|
||||
allow_notify => ['dns-master'],
|
||||
ns_notify => false,
|
||||
}
|
||||
}
|
||||
|
||||
# Create default view to include the zones
|
||||
bind::view { 'externaldns':
|
||||
recursion => false,
|
||||
zones => $externaldns::k8s_zones,
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user