dns: nsupdate host records to the authoritative server
ci/woodpecker/pr/ruby-validate Pipeline was successful
ci/woodpecker/pr/puppet-lint Pipeline was successful
ci/woodpecker/pr/yamllint Pipeline was successful
ci/woodpecker/pr/bolt-validate Pipeline was successful
ci/woodpecker/pr/erb-validate Pipeline was successful
ci/woodpecker/pr/epp-validate Pipeline was successful
ci/woodpecker/pr/puppet-validate Pipeline was successful
ci/woodpecker/pr/ruby-check Pipeline was successful

Replaces the exported-resources -> puppet DNS master zone-file flow with
per-host RFC2136 dynamic updates against the k8s bind-authoritative write
endpoint (198.18.200.9), so the master no longer manages zone files.

- add profiles::dns::updater: assembles the host's records into a concat
  file and runs nsupdate via a systemd .path unit that watches it; the
  dns-update script sends only the delta and deletes removed records
- switch profiles::dns::record to write local concat fragments
  (zone|name|type|ttl|value) instead of exporting to the master
- include profiles::dns::updater from profiles::dns::base (all nodes)
- inert until profiles::dns::updater::key_secret (TSIG) is set in eyaml
- hiera: updater server/key_name/algorithm in common.yaml
This commit is contained in:
2026-07-05 16:11:46 +10:00
parent aeae26711f
commit 3e807201ee
8 changed files with 217 additions and 7 deletions
+4 -1
View File
@@ -11,9 +11,12 @@ class profiles::dns::base (
Optional[String] $ns_role = undef,
){
# install bind_utils
# install bind_utils (provides nsupdate)
include bind::updater
# assemble the host's DNS records and nsupdate them to the authoritative server
include profiles::dns::updater
# if ns_role is set, find all hosts matching that enc_role
$nameserver_array = $ns_role ? {
undef => $nameservers,