dns: dual-write toggles + drift fact
ci/woodpecker/pr/ruby-validate Pipeline was successful
ci/woodpecker/pr/puppet-lint Pipeline was successful
ci/woodpecker/pr/yamllint Pipeline was successful
ci/woodpecker/pr/bolt-validate Pipeline was successful
ci/woodpecker/pr/erb-validate Pipeline was successful
ci/woodpecker/pr/epp-validate Pipeline was successful
ci/woodpecker/pr/ruby-check Pipeline was successful
ci/woodpecker/pr/puppet-validate Pipeline was successful
Publish records both ways during the k8s cutover, and expose expected vs deployed records for drift detection.

- profiles::dns::updater + ::record: manage_nsupdate and manage_export booleans (both default on); export keeps the legacy master flow, so disable it once k8s is authoritative
- dns_records fact: parses the expected records file and digs the authoritative server for each, reporting expected / in_sync / drift (plus dns_records_insync boolean); updater writes the server address to /var/lib/dns-updater/server for the fact
- hiera: manage_export/manage_nsupdate = true (cutover)
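The dns_records fact described in the commit message compares the expected records with what the authoritative server actually answers. As an added illustration, not code from this repository, the following Ruby shows the comparison logic such a fact needs, with the DNS lookup injected as a callable so it runs offline; the expected-records file format (one `name type value` per line) and the output keys are assumptions.

```ruby
# Added example, not the repository's own fact: drift check between an
# expected-records file and answers from the authoritative server.
require 'set'

module DnsDrift
  # Assumed file format: one record per line as "name type value";
  # '#' comments and blank lines are ignored.
  def self.parse_expected(text)
    text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }.map do |l|
      name, type, value = l.split(/\s+/, 3)
      raise ArgumentError, "malformed record line: #{l}" unless value
      { 'name' => name.downcase.chomp('.'), 'type' => type.upcase, 'value' => norm(type, value) }
    end
  end

  # Hostname rdata (CNAME/NS/PTR) is case-insensitive and may carry a trailing
  # dot, so normalise it before comparing; address/other rdata is compared as-is.
  def self.norm(type, value)
    %w[CNAME NS PTR].include?(type.upcase) ? value.downcase.chomp('.') : value
  end

  # lookup.call(name, type) returns the rdata strings the authoritative server
  # answered with ([] on NXDOMAIN/NODATA). Records are grouped per (name, type)
  # so a host with two A records is compared as a set, not one value at a time.
  # A lookup failure is reported as drift with the error attached, because an
  # unanswered query cannot confirm the record is in sync.
  def self.check(expected, lookup)
    in_sync = []
    drift = []
    expected.group_by { |r| [r['name'], r['type']] }.each do |(name, type), recs|
      want = recs.map { |r| r['value'] }.to_set
      err = nil
      begin
        got = Array(lookup.call(name, type)).map { |v| norm(type, v) }.to_set
      rescue StandardError => e
        got = Set.new
        err = e.message
      end
      entry = { 'name' => name, 'type' => type,
                'expected' => want.to_a.sort, 'deployed' => got.to_a.sort }
      entry['error'] = err if err
      (want == got && err.nil? ? in_sync : drift) << entry
    end
    { 'expected' => expected.length, 'in_sync' => in_sync,
      'drift' => drift, 'insync' => drift.empty? }
  end
end
```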
@@ -209,10 +209,16 @@ profiles::dns::base::nameservers:
- 198.18.19.16
profiles::dns::master::basedir: '/var/named/sources'
# dns::updater nsupdates host records to the k8s authoritative write endpoint
# (bind-authoritative-primary). Inert until the TSIG key is set in eyaml:
# profiles::dns::updater::key_secret: ENC[...] (must match the key the
# bind-authoritative zones allow-update with; algorithm hmac-sha256)
# dns record publishing. During the k8s cutover both methods run; set
# manage_export false once k8s is authoritative.
# - export: legacy exported-resources -> puppet DNS master
# - nsupdate: RFC2136 to the k8s bind-authoritative write endpoint (.9),
# inert until the TSIG key is set in eyaml:
# profiles::dns::updater::key_secret: ENC[...]
# (must match the key the bind-authoritative zones allow-update
# with; algorithm hmac-sha256)
profiles::dns::updater::manage_export: true
profiles::dns::updater::manage_nsupdate: true
profiles::dns::updater::server: '198.18.200.9'
profiles::dns::updater::key_name: 'client-update'
profiles::dns::updater::key_algorithm: 'hmac-sha256'
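Review bot: the new comment block hard-codes the write endpoint as "(.9)" while the actual value sits a few lines below in `profiles::dns::updater::server: '198.18.200.9'`; the parenthetical will go stale the first time the address moves, so drop ".9" from the comment and let the key carry the value. Two further points on the same hunk: the retained "inert until the TSIG key is set in eyaml" wording should say what a node does when `manage_nsupdate: true` meets an unset `key_secret` (clean skip or failed run), since this hiera default now enables nsupdate everywhere; and because the zones are opened with allow-update on the single shared key `'client-update'`, every host holding that key can change any record in those zones, so the cutover notes next to "set manage_export false once k8s is authoritative" should also record that write scope and who is expected to hold the key.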