dns: dual-write toggles + drift fact
ci/woodpecker/pr/ruby-validate Pipeline was successful
ci/woodpecker/pr/puppet-lint Pipeline was successful
ci/woodpecker/pr/yamllint Pipeline was successful
ci/woodpecker/pr/bolt-validate Pipeline was successful
ci/woodpecker/pr/erb-validate Pipeline was successful
ci/woodpecker/pr/epp-validate Pipeline was successful
ci/woodpecker/pr/ruby-check Pipeline was successful
ci/woodpecker/pr/puppet-validate Pipeline was successful

Publish records both ways during the k8s cutover, and expose expected vs
deployed records for drift detection.

- profiles::dns::updater + ::record: manage_nsupdate and manage_export
  booleans (both default on); export keeps the legacy master flow, so
  disable it once k8s is authoritative
- dns_records fact: parses the expected records file and digs the
  authoritative server for each, reporting expected / in_sync / drift
  (plus dns_records_insync boolean); updater writes the server address
  to /var/lib/dns-updater/server for the fact
- hiera: manage_export/manage_nsupdate = true (cutover)
2026-07-05 17:14:54 +10:00
parent 3e807201ee
commit 225bdc6020
4 changed files with 221 additions and 98 deletions
+10 -4
@@ -209,10 +209,16 @@ profiles::dns::base::nameservers:
- 198.18.19.16
profiles::dns::master::basedir: '/var/named/sources'
# dns::updater nsupdates host records to the k8s authoritative write endpoint
# (bind-authoritative-primary). Inert until the TSIG key is set in eyaml:
# profiles::dns::updater::key_secret: ENC[...] (must match the key the
# bind-authoritative zones allow-update with; algorithm hmac-sha256)
# dns record publishing. During the k8s cutover both methods run; set
# manage_export false once k8s is authoritative.
# - export: legacy exported-resources -> puppet DNS master
# - nsupdate: RFC2136 to the k8s bind-authoritative write endpoint (.9),
# inert until the TSIG key is set in eyaml:
# profiles::dns::updater::key_secret: ENC[...]
# (must match the key the bind-authoritative zones allow-update
# with; algorithm hmac-sha256)
profiles::dns::updater::manage_export: true
profiles::dns::updater::manage_nsupdate: true
profiles::dns::updater::server: '198.18.200.9'
profiles::dns::updater::key_name: 'client-update'
profiles::dns::updater::key_algorithm: 'hmac-sha256'
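Review bot: profiles::dns::updater::manage_nsupdate is set to true here while the new comment block states the nsupdate path is inert until profiles::dns::updater::key_secret is set in eyaml, and no key_secret appears in this hunk; a node that picks up these defaults without the eyaml key gets an enabled updater that cannot write, so the dns_records fact described in the commit message would report every record as drift against 198.18.200.9. Either say in the comment that key_secret must land in the same change, or have the profile derive manage_nsupdate from key_secret being present. The "(.9)" shorthand in the nsupdate comment also duplicates the value on `profiles::dns::updater::server: '198.18.200.9'` and will go stale silently if the endpoint moves; refer to the server key instead, e.g. `# - nsupdate: RFC 2136 to the k8s bind-authoritative write endpoint (see server below),`.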