dns: dual-write toggles + drift fact
Publish records both ways during the k8s cutover, and expose expected vs deployed records for drift detection. - profiles::dns::updater + ::record: manage_nsupdate and manage_export booleans (both default on); export keeps the legacy master flow, so disable it once k8s is authoritative - dns_records fact: parses the expected records file and digs the authoritative server for each, reporting expected / in_sync / drift (plus dns_records_insync boolean); updater writes the server address to /var/lib/dns-updater/server for the fact - hiera: manage_export/manage_nsupdate = true (cutover)
@@ -1,9 +1,10 @@
|
||||
# profiles::dns::record
|
||||
#
|
||||
# Declares a DNS record for this host. The record is written to the local
|
||||
# dns-updater records file (profiles::dns::updater), which nsupdates it to the
|
||||
# authoritative DNS server. This replaces the old flow that exported a
|
||||
# @@concat::fragment to the puppet DNS master.
|
||||
# Declares a DNS record for this host. Publishes it via either or both methods,
|
||||
# controlled by profiles::dns::updater's toggles (both on during cutover):
|
||||
# - nsupdate: a local concat fragment consumed by profiles::dns::updater,
|
||||
# which nsupdates it to the authoritative server.
|
||||
# - export: the legacy @@concat::fragment exported to the puppet DNS master.
|
||||
define profiles::dns::record (
|
||||
String $record,
|
||||
Enum[
|
||||
@@ -22,10 +23,22 @@ define profiles::dns::record (
|
||||
) {
|
||||
include profiles::dns::updater
|
||||
|
||||
# zone|name|type|ttl|value (parsed by the dns-update script)
|
||||
concat::fragment { "dns-record-${name}":
|
||||
target => $profiles::dns::updater::records_file,
|
||||
content => "${zone}|${record}|${type}|${ttl}|${value}\n",
|
||||
order => sprintf('%03d', $order),
|
||||
# new: local records file consumed by the nsupdate service
|
||||
if $profiles::dns::updater::manage_nsupdate {
|
||||
# zone|name|type|ttl|value (parsed by the dns-update script)
|
||||
concat::fragment { "dns-record-${name}":
|
||||
target => $profiles::dns::updater::records_file,
|
||||
content => "${zone}|${record}|${type}|${ttl}|${value}\n",
|
||||
order => sprintf('%03d', $order),
|
||||
}
|
||||
}
|
||||
|
||||
# legacy: export the fragment to the puppet DNS master
|
||||
if $profiles::dns::updater::manage_export {
|
||||
@@concat::fragment { "${zone}_${name}":
|
||||
target => "${profiles::dns::updater::master_basedir}/${zone}.conf",
|
||||
content => "${record} IN ${type} ${value}\n",
|
||||
order => $order,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
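Review bot: With both `manage_nsupdate` and `manage_export` false the define declares nothing, so the record silently drops out of DNS with no trace in the agent log; guard the top of the body with `if !$profiles::dns::updater::manage_nsupdate and !$profiles::dns::updater::manage_export { warning("profiles::dns::record[${name}]: both publish methods disabled, record not published") }` so the toggle state is visible. Separately, the export line `"${record} IN ${type} ${value}\n"` carries no TTL while the nsupdate line `"${zone}|${record}|${type}|${ttl}|${value}\n"` does, so during dual-write the two authoritative servers can answer with different TTLs for the same name, and since the drift fact (per the commit message) only queries the nsupdate server this difference goes unreported; if that is accepted it should be stated in the header comment. The define's parameter list is cut by the first hunk, but the body shown here is complete.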
@@ -1,111 +1,127 @@
|
||||
# profiles::dns::updater
|
||||
#
|
||||
# Applies this host's DNS records to the authoritative DNS server via TSIG
|
||||
# nsupdate, replacing the old exported-resources -> master zone-file flow.
|
||||
# Publishes this host's DNS records. Two methods, independently toggled so both
|
||||
# can run during the k8s cutover (profiles::dns::record honours the same flags):
|
||||
#
|
||||
# profiles::dns::record fragments are assembled into $records_file; a systemd
|
||||
# .path unit watches that file and runs dns-update.service (nsupdate) whenever
|
||||
# it changes. nsupdate comes from bind-utils (installed via bind::updater in
|
||||
# - nsupdate ($manage_nsupdate): assemble the records into a local file and
|
||||
# nsupdate them to the k8s authoritative write endpoint via a systemd .path
|
||||
# unit that watches the file. Inert until $key_secret (TSIG) is set.
|
||||
# - export ($manage_export): the legacy exported-resources flow to the puppet
|
||||
# DNS master. Kept during cutover; disable once k8s is authoritative.
|
||||
#
|
||||
# nsupdate comes from bind-utils (installed via bind::updater in
|
||||
# profiles::dns::base).
|
||||
#
|
||||
# Inert until $key_secret is set (the shared TSIG key that the k8s
|
||||
# bind-authoritative zones allow-update with): the records file is still
|
||||
# assembled, but the updater service is not managed, so nodes are safe before
|
||||
# the key is provisioned.
|
||||
class profiles::dns::updater (
|
||||
String $server = '198.18.200.9',
|
||||
String $key_name = 'client-update',
|
||||
String $key_algorithm = 'hmac-sha256',
|
||||
Optional[Sensitive[String]] $key_secret = undef,
|
||||
Integer $default_ttl = 300,
|
||||
Stdlib::AbsolutePath $records_file = '/var/lib/dns-updater/records',
|
||||
Stdlib::AbsolutePath $state_dir = '/var/lib/dns-updater',
|
||||
Stdlib::AbsolutePath $config_dir = '/etc/dns-updater',
|
||||
Boolean $manage_nsupdate = true,
|
||||
Boolean $manage_export = true,
|
||||
String $server = '198.18.200.9',
|
||||
String $key_name = 'client-update',
|
||||
String $key_algorithm = 'hmac-sha256',
|
||||
Optional[Sensitive[String]] $key_secret = undef,
|
||||
Integer $default_ttl = 300,
|
||||
Stdlib::AbsolutePath $records_file = '/var/lib/dns-updater/records',
|
||||
Stdlib::AbsolutePath $state_dir = '/var/lib/dns-updater',
|
||||
Stdlib::AbsolutePath $config_dir = '/etc/dns-updater',
|
||||
Stdlib::AbsolutePath $master_basedir = lookup('profiles::dns::master::basedir'),
|
||||
) {
|
||||
|
||||
$state_file = "${state_dir}/applied"
|
||||
$key_file = "${config_dir}/key"
|
||||
$state_file = "${state_dir}/applied"
|
||||
$server_file = "${state_dir}/server"
|
||||
$key_file = "${config_dir}/key"
|
||||
|
||||
file { $state_dir:
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
}
|
||||
if $manage_nsupdate {
|
||||
|
||||
# Records file, assembled from profiles::dns::record fragments.
|
||||
concat { $records_file:
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
ensure_newline => true,
|
||||
warn => false,
|
||||
require => File[$state_dir],
|
||||
}
|
||||
|
||||
concat::fragment { 'dns-update-header':
|
||||
target => $records_file,
|
||||
content => "# Managed by puppet (profiles::dns::record): zone|name|type|ttl|value\n",
|
||||
order => '00',
|
||||
}
|
||||
|
||||
if $key_secret =~ Undef {
|
||||
notify { 'dns-updater-inert':
|
||||
message => 'profiles::dns::updater: key_secret unset; records assembled but not applied.',
|
||||
loglevel => 'info',
|
||||
}
|
||||
} else {
|
||||
file { $config_dir:
|
||||
file { $state_dir:
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0700',
|
||||
mode => '0755',
|
||||
}
|
||||
|
||||
file { $key_file:
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0600',
|
||||
show_diff => false,
|
||||
content => Sensitive(epp('profiles/dns/tsig-key.epp', {
|
||||
'name' => $key_name,
|
||||
'algorithm' => $key_algorithm,
|
||||
'secret' => $key_secret.unwrap,
|
||||
})),
|
||||
}
|
||||
|
||||
file { '/usr/local/bin/dns-update':
|
||||
# Server address, read by the dns_records fact for drift detection.
|
||||
file { $server_file:
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
content => epp('profiles/dns/dns-update.sh.epp', {
|
||||
'server' => $server,
|
||||
'key_file' => $key_file,
|
||||
'records_file' => $records_file,
|
||||
'state_file' => $state_file,
|
||||
}),
|
||||
mode => '0644',
|
||||
content => "${server}\n",
|
||||
require => File[$state_dir],
|
||||
}
|
||||
|
||||
systemd::unit_file { 'dns-update.service':
|
||||
content => epp('profiles/dns/dns-update.service.epp', { 'script' => '/usr/local/bin/dns-update' }),
|
||||
# Records file, assembled from profiles::dns::record fragments.
|
||||
concat { $records_file:
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
ensure_newline => true,
|
||||
warn => false,
|
||||
require => File[$state_dir],
|
||||
}
|
||||
|
||||
# The .path unit watches the records file and triggers the service.
|
||||
systemd::unit_file { 'dns-update.path':
|
||||
content => epp('profiles/dns/dns-update.path.epp', { 'records_file' => $records_file }),
|
||||
active => true,
|
||||
enable => true,
|
||||
concat::fragment { 'dns-update-header':
|
||||
target => $records_file,
|
||||
content => "# Managed by puppet (profiles::dns::record): zone|name|type|ttl|value\n",
|
||||
order => '00',
|
||||
}
|
||||
|
||||
# Also apply within the puppet run whenever the records change.
|
||||
exec { 'dns-update-apply':
|
||||
command => '/usr/local/bin/dns-update',
|
||||
refreshonly => true,
|
||||
subscribe => Concat[$records_file],
|
||||
require => [File['/usr/local/bin/dns-update'], File[$key_file]],
|
||||
if $key_secret =~ Undef {
|
||||
notify { 'dns-updater-inert':
|
||||
message => 'profiles::dns::updater: key_secret unset; records assembled but not applied.',
|
||||
loglevel => 'info',
|
||||
}
|
||||
} else {
|
||||
file { $config_dir:
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0700',
|
||||
}
|
||||
|
||||
file { $key_file:
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0600',
|
||||
show_diff => false,
|
||||
content => Sensitive(epp('profiles/dns/tsig-key.epp', {
|
||||
'name' => $key_name,
|
||||
'algorithm' => $key_algorithm,
|
||||
'secret' => $key_secret.unwrap,
|
||||
})),
|
||||
}
|
||||
|
||||
file { '/usr/local/bin/dns-update':
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
content => epp('profiles/dns/dns-update.sh.epp', {
|
||||
'server' => $server,
|
||||
'key_file' => $key_file,
|
||||
'records_file' => $records_file,
|
||||
'state_file' => $state_file,
|
||||
}),
|
||||
}
|
||||
|
||||
systemd::unit_file { 'dns-update.service':
|
||||
content => epp('profiles/dns/dns-update.service.epp', { 'script' => '/usr/local/bin/dns-update' }),
|
||||
}
|
||||
|
||||
# The .path unit watches the records file and triggers the service.
|
||||
systemd::unit_file { 'dns-update.path':
|
||||
content => epp('profiles/dns/dns-update.path.epp', { 'records_file' => $records_file }),
|
||||
active => true,
|
||||
enable => true,
|
||||
}
|
||||
|
||||
# Also apply within the puppet run whenever the records change.
|
||||
exec { 'dns-update-apply':
|
||||
command => '/usr/local/bin/dns-update',
|
||||
refreshonly => true,
|
||||
subscribe => Concat[$records_file],
|
||||
require => [File['/usr/local/bin/dns-update'], File[$key_file]],
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
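Review bot: Turning `$manage_nsupdate` off leaves `$records_file` and `$server_file` on disk, because everything under `if $manage_nsupdate {` (the server file, the records concat and the key/service resources appear to sit inside it) is simply not declared and nothing sets `ensure => absent`; the dns_records fact, which per the commit message reads the server file and the expected-records file, then keeps reporting drift against data nobody maintains. An else branch that removes both files fixes that (below). A smaller point: `$master_basedir = lookup('profiles::dns::master::basedir')` runs whenever the class is declared, so a node whose hiera lacks that key fails catalog compilation even with `manage_export => false`; a default value in the `lookup` call, or an `undef` default checked with `fail()` only where the export path uses it, would decouple the two toggles. The class body is fully contained in this hunk.
```puppet
  if $manage_nsupdate {
    # … unchanged: state dir, server file, records concat, TSIG key / script / unit files …
  } else {
    # Toggled off: remove the local inputs so the dns_records fact stops
    # evaluating a records file and server address that are no longer maintained.
    file { [$records_file, $server_file]:
      ensure => absent,
    }
  }
```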