dns: nsupdate host records to the authoritative server
ci/woodpecker/pr/ruby-validate Pipeline was successful
ci/woodpecker/pr/puppet-lint Pipeline was successful
ci/woodpecker/pr/yamllint Pipeline was successful
ci/woodpecker/pr/bolt-validate Pipeline was successful
ci/woodpecker/pr/erb-validate Pipeline was successful
ci/woodpecker/pr/epp-validate Pipeline was successful
ci/woodpecker/pr/puppet-validate Pipeline was successful
ci/woodpecker/pr/ruby-check Pipeline was successful

Replaces the exported-resources -> puppet DNS master zone-file flow with
per-host RFC2136 dynamic updates against the k8s bind-authoritative write
endpoint (198.18.200.9), so the master no longer manages zone files.

- add profiles::dns::updater: assembles the host's records into a concat
  file and runs nsupdate via a systemd .path unit that watches it; the
  dns-update script sends only the delta and deletes removed records
- switch profiles::dns::record to write local concat fragments
  (zone|name|type|ttl|value) instead of exporting to the master
- include profiles::dns::updater from profiles::dns::base (all nodes)
- inert until profiles::dns::updater::key_secret (TSIG) is set in eyaml
- hiera: updater server/key_name/algorithm in common.yaml
This commit is contained in:
2026-07-05 16:11:46 +10:00
parent aeae26711f
commit 3e807201ee
8 changed files with 217 additions and 7 deletions
+8
View File
@@ -208,6 +208,14 @@ vault::disable_mlock: false
profiles::dns::base::nameservers:
- 198.18.19.16
profiles::dns::master::basedir: '/var/named/sources'
# dns::updater nsupdates host records to the k8s authoritative write endpoint
# (bind-authoritative-primary). Inert until the TSIG key is set in eyaml:
# profiles::dns::updater::key_secret: ENC[...] (must match the key the
# bind-authoritative zones allow-update with; algorithm hmac-sha256)
profiles::dns::updater::server: '198.18.200.9'
profiles::dns::updater::key_name: 'client-update'
profiles::dns::updater::key_algorithm: 'hmac-sha256'
#profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
#profiles::dns::base::use_ns: 'region'
profiles::consul::server::members_role: roles::infra::storage::consul