dns: dual-write toggles + drift fact
ci/woodpecker/pr/ruby-validate Pipeline was successful
ci/woodpecker/pr/puppet-lint Pipeline was successful
ci/woodpecker/pr/yamllint Pipeline was successful
ci/woodpecker/pr/bolt-validate Pipeline was successful
ci/woodpecker/pr/erb-validate Pipeline was successful
ci/woodpecker/pr/epp-validate Pipeline was successful
ci/woodpecker/pr/ruby-check Pipeline was successful
ci/woodpecker/pr/puppet-validate Pipeline was successful
ci/woodpecker/pr/ruby-validate Pipeline was successful
ci/woodpecker/pr/puppet-lint Pipeline was successful
ci/woodpecker/pr/yamllint Pipeline was successful
ci/woodpecker/pr/bolt-validate Pipeline was successful
ci/woodpecker/pr/erb-validate Pipeline was successful
ci/woodpecker/pr/epp-validate Pipeline was successful
ci/woodpecker/pr/ruby-check Pipeline was successful
ci/woodpecker/pr/puppet-validate Pipeline was successful
Publish records both ways during the k8s cutover, and expose expected vs deployed records for drift detection. - profiles::dns::updater + ::record: manage_nsupdate and manage_export booleans (both default on); export keeps the legacy master flow, so disable it once k8s is authoritative - dns_records fact: parses the expected records file and digs the authoritative server for each, reporting expected / in_sync / drift (plus dns_records_insync boolean); updater writes the server address to /var/lib/dns-updater/server for the fact - hiera: manage_export/manage_nsupdate = true (cutover)
This commit is contained in:
+10
-4
@@ -209,10 +209,16 @@ profiles::dns::base::nameservers:
|
||||
- 198.18.19.16
|
||||
profiles::dns::master::basedir: '/var/named/sources'
|
||||
|
||||
# dns::updater nsupdates host records to the k8s authoritative write endpoint
|
||||
# (bind-authoritative-primary). Inert until the TSIG key is set in eyaml:
|
||||
# profiles::dns::updater::key_secret: ENC[...] (must match the key the
|
||||
# bind-authoritative zones allow-update with; algorithm hmac-sha256)
|
||||
# dns record publishing. During the k8s cutover both methods run; set
|
||||
# manage_export false once k8s is authoritative.
|
||||
# - export: legacy exported-resources -> puppet DNS master
|
||||
# - nsupdate: RFC2136 to the k8s bind-authoritative write endpoint (.9),
|
||||
# inert until the TSIG key is set in eyaml:
|
||||
# profiles::dns::updater::key_secret: ENC[...]
|
||||
# (must match the key the bind-authoritative zones allow-update
|
||||
# with; algorithm hmac-sha256)
|
||||
profiles::dns::updater::manage_export: true
|
||||
profiles::dns::updater::manage_nsupdate: true
|
||||
profiles::dns::updater::server: '198.18.200.9'
|
||||
profiles::dns::updater::key_name: 'client-update'
|
||||
profiles::dns::updater::key_algorithm: 'hmac-sha256'
|
||||
|
||||
@@ -0,0 +1,88 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
# lib/facter/dns_records.rb
|
||||
#
|
||||
# Reports this host's expected DNS records (assembled by profiles::dns::updater
|
||||
# into its records file) versus what is currently deployed on the authoritative
|
||||
# server, so puppet can detect drift and re-apply.
|
||||
#
|
||||
# Structured value:
|
||||
# { server, count, expected => [{zone,fqdn,type,ttl,value}], in_sync,
|
||||
# drift => [{...,deployed => [...]}] }
|
||||
|
||||
# Helpers for the dns_records fact.
|
||||
module DnsRecordsFact
|
||||
RECORDS_FILE = '/var/lib/dns-updater/records'
|
||||
SERVER_FILE = '/var/lib/dns-updater/server'
|
||||
|
||||
module_function
|
||||
|
||||
# normalise a value for comparison: strip, drop trailing dot, downcase
|
||||
def norm(value)
|
||||
value.to_s.strip.chomp('.').downcase
|
||||
end
|
||||
|
||||
def server
|
||||
File.exist?(SERVER_FILE) ? File.read(SERVER_FILE).strip : nil
|
||||
end
|
||||
|
||||
# a name relative to a zone (or @) as a fully-qualified name
|
||||
def to_fqdn(name, zone)
|
||||
return "#{zone}." if name.to_s.empty? || name == '@'
|
||||
|
||||
"#{name}.#{zone}."
|
||||
end
|
||||
|
||||
# parse one "zone|name|type|ttl|value" line into a record hash (nil to skip)
|
||||
def parse_line(line)
|
||||
line = line.strip
|
||||
return nil if line.empty? || line.start_with?('#')
|
||||
|
||||
zone, name, type, ttl, value = line.split('|', 5)
|
||||
return nil unless zone && type && value
|
||||
|
||||
{ 'zone' => zone, 'fqdn' => to_fqdn(name, zone), 'type' => type, 'ttl' => ttl, 'value' => value }
|
||||
end
|
||||
|
||||
# parse the records file into record hashes
|
||||
def expected
|
||||
return [] unless File.exist?(RECORDS_FILE)
|
||||
|
||||
File.readlines(RECORDS_FILE).filter_map { |line| parse_line(line) }
|
||||
end
|
||||
|
||||
# the values currently deployed for a record, per the authoritative server
|
||||
def deployed(record, srv)
|
||||
cmd = ['dig', '+short', '+time=2', '+tries=1']
|
||||
cmd << "@#{srv}" if srv && !srv.empty?
|
||||
cmd += [record['fqdn'], record['type']]
|
||||
out = Facter::Core::Execution.execute(cmd.join(' '), on_fail: '')
|
||||
out.to_s.split("\n").map { |line| norm(line) }.reject(&:empty?)
|
||||
end
|
||||
|
||||
def report
|
||||
srv = server
|
||||
exp = expected
|
||||
drift = exp.filter_map do |record|
|
||||
dep = deployed(record, srv)
|
||||
record.merge('deployed' => dep) unless dep.include?(norm(record['value']))
|
||||
end
|
||||
{ 'server' => srv, 'count' => exp.length, 'expected' => exp, 'in_sync' => drift.empty?, 'drift' => drift }
|
||||
end
|
||||
end
|
||||
|
||||
Facter.add(:dns_records) do
|
||||
confine kernel: 'Linux'
|
||||
setcode do
|
||||
File.exist?(DnsRecordsFact::RECORDS_FILE) ? DnsRecordsFact.report : nil
|
||||
end
|
||||
end
|
||||
|
||||
# Convenience boolean for `if $facts['dns_records_insync']` guards.
|
||||
Facter.add(:dns_records_insync) do
|
||||
confine kernel: 'Linux'
|
||||
setcode do
|
||||
v = Facter.value(:dns_records)
|
||||
v.nil? ? nil : v['in_sync']
|
||||
end
|
||||
end
|
||||
@@ -1,9 +1,10 @@
|
||||
# profiles::dns::record
|
||||
#
|
||||
# Declares a DNS record for this host. The record is written to the local
|
||||
# dns-updater records file (profiles::dns::updater), which nsupdates it to the
|
||||
# authoritative DNS server. This replaces the old flow that exported a
|
||||
# @@concat::fragment to the puppet DNS master.
|
||||
# Declares a DNS record for this host. Publishes it via either or both methods,
|
||||
# controlled by profiles::dns::updater's toggles (both on during cutover):
|
||||
# - nsupdate: a local concat fragment consumed by profiles::dns::updater,
|
||||
# which nsupdates it to the authoritative server.
|
||||
# - export: the legacy @@concat::fragment exported to the puppet DNS master.
|
||||
define profiles::dns::record (
|
||||
String $record,
|
||||
Enum[
|
||||
@@ -22,6 +23,8 @@ define profiles::dns::record (
|
||||
) {
|
||||
include profiles::dns::updater
|
||||
|
||||
# new: local records file consumed by the nsupdate service
|
||||
if $profiles::dns::updater::manage_nsupdate {
|
||||
# zone|name|type|ttl|value (parsed by the dns-update script)
|
||||
concat::fragment { "dns-record-${name}":
|
||||
target => $profiles::dns::updater::records_file,
|
||||
@@ -29,3 +32,13 @@ define profiles::dns::record (
|
||||
order => sprintf('%03d', $order),
|
||||
}
|
||||
}
|
||||
|
||||
# legacy: export the fragment to the puppet DNS master
|
||||
if $profiles::dns::updater::manage_export {
|
||||
@@concat::fragment { "${zone}_${name}":
|
||||
target => "${profiles::dns::updater::master_basedir}/${zone}.conf",
|
||||
content => "${record} IN ${type} ${value}\n",
|
||||
order => $order,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,18 +1,19 @@
|
||||
# profiles::dns::updater
|
||||
#
|
||||
# Applies this host's DNS records to the authoritative DNS server via TSIG
|
||||
# nsupdate, replacing the old exported-resources -> master zone-file flow.
|
||||
# Publishes this host's DNS records. Two methods, independently toggled so both
|
||||
# can run during the k8s cutover (profiles::dns::record honours the same flags):
|
||||
#
|
||||
# profiles::dns::record fragments are assembled into $records_file; a systemd
|
||||
# .path unit watches that file and runs dns-update.service (nsupdate) whenever
|
||||
# it changes. nsupdate comes from bind-utils (installed via bind::updater in
|
||||
# - nsupdate ($manage_nsupdate): assemble the records into a local file and
|
||||
# nsupdate them to the k8s authoritative write endpoint via a systemd .path
|
||||
# unit that watches the file. Inert until $key_secret (TSIG) is set.
|
||||
# - export ($manage_export): the legacy exported-resources flow to the puppet
|
||||
# DNS master. Kept during cutover; disable once k8s is authoritative.
|
||||
#
|
||||
# nsupdate comes from bind-utils (installed via bind::updater in
|
||||
# profiles::dns::base).
|
||||
#
|
||||
# Inert until $key_secret is set (the shared TSIG key that the k8s
|
||||
# bind-authoritative zones allow-update with): the records file is still
|
||||
# assembled, but the updater service is not managed, so nodes are safe before
|
||||
# the key is provisioned.
|
||||
class profiles::dns::updater (
|
||||
Boolean $manage_nsupdate = true,
|
||||
Boolean $manage_export = true,
|
||||
String $server = '198.18.200.9',
|
||||
String $key_name = 'client-update',
|
||||
String $key_algorithm = 'hmac-sha256',
|
||||
@@ -21,11 +22,15 @@ class profiles::dns::updater (
|
||||
Stdlib::AbsolutePath $records_file = '/var/lib/dns-updater/records',
|
||||
Stdlib::AbsolutePath $state_dir = '/var/lib/dns-updater',
|
||||
Stdlib::AbsolutePath $config_dir = '/etc/dns-updater',
|
||||
Stdlib::AbsolutePath $master_basedir = lookup('profiles::dns::master::basedir'),
|
||||
) {
|
||||
|
||||
$state_file = "${state_dir}/applied"
|
||||
$server_file = "${state_dir}/server"
|
||||
$key_file = "${config_dir}/key"
|
||||
|
||||
if $manage_nsupdate {
|
||||
|
||||
file { $state_dir:
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
@@ -33,6 +38,16 @@ class profiles::dns::updater (
|
||||
mode => '0755',
|
||||
}
|
||||
|
||||
# Server address, read by the dns_records fact for drift detection.
|
||||
file { $server_file:
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
content => "${server}\n",
|
||||
require => File[$state_dir],
|
||||
}
|
||||
|
||||
# Records file, assembled from profiles::dns::record fragments.
|
||||
concat { $records_file:
|
||||
ensure => present,
|
||||
@@ -109,3 +124,4 @@ class profiles::dns::updater (
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user