dns: nsupdate host records to the authoritative server
ci/woodpecker/pr/ruby-validate Pipeline was successful
ci/woodpecker/pr/puppet-lint Pipeline was successful
ci/woodpecker/pr/yamllint Pipeline was successful
ci/woodpecker/pr/bolt-validate Pipeline was successful
ci/woodpecker/pr/erb-validate Pipeline was successful
ci/woodpecker/pr/epp-validate Pipeline was successful
ci/woodpecker/pr/puppet-validate Pipeline was successful
ci/woodpecker/pr/ruby-check Pipeline was successful

Replaces the exported-resources -> puppet DNS master zone-file flow with
per-host RFC2136 dynamic updates against the k8s bind-authoritative write
endpoint (198.18.200.9), so the master no longer manages zone files.

- add profiles::dns::updater: assembles the host's records into a concat
  file and runs nsupdate via a systemd .path unit that watches it; the
  dns-update script sends only the delta and deletes removed records
- switch profiles::dns::record to write local concat fragments
  (zone|name|type|ttl|value) instead of exporting to the master
- include profiles::dns::updater from profiles::dns::base (all nodes)
- inert until profiles::dns::updater::key_secret (TSIG) is set in eyaml
- hiera: updater server/key_name/algorithm in common.yaml
This commit is contained in:
2026-07-05 16:11:46 +10:00
parent aeae26711f
commit 3e807201ee
8 changed files with 217 additions and 7 deletions
@@ -0,0 +1,56 @@
<%- | String $server, String $key_file, String $records_file, String $state_file | -%>
#!/bin/bash
# Managed by puppet (profiles::dns::updater). Applies this host's records to the
# authoritative DNS server via TSIG nsupdate. Only the delta since the last
# successful run is sent; removed records are deleted.
set -euo pipefail
SERVER="<%= $server %>"
KEYFILE="<%= $key_file %>"
RECORDS="<%= $records_file %>"
STATE="<%= $state_file %>"
[ -f "$RECORDS" ] || exit 0
touch "$STATE"
# Format per line: zone|name|type|ttl|value (name is relative to zone, or @).
desired="$(grep -vE '^[[:space:]]*(#|$)' "$RECORDS" | sort -u || true)"
applied="$(grep -vE '^[[:space:]]*(#|$)' "$STATE" 2>/dev/null | sort -u || true)"
[ "$desired" = "$applied" ] && exit 0
fqdn() { # name zone
if [ -z "$1" ] || [ "$1" = "@" ]; then printf '%s.' "$2"; else printf '%s.%s.' "$1" "$2"; fi
}
msg="$(mktemp)"
trap 'rm -f "$msg"' EXIT
printf 'server %s\n' "$SERVER" >> "$msg"
# Process per zone so each UPDATE message targets a single zone.
zones="$(printf '%s\n%s\n' "$desired" "$applied" | cut -d'|' -f1 | sort -u | grep -v '^$' || true)"
for zone in $zones; do
printf 'zone %s.\n' "$zone" >> "$msg"
# Additions/updates: replace the RRset for every desired record in this zone.
printf '%s\n' "$desired" | awk -F'|' -v z="$zone" 'NF>=5 && $1==z' | \
while IFS='|' read -r z name type ttl value; do
f="$(fqdn "$name" "$z")"
printf 'update delete %s %s\n' "$f" "$type" >> "$msg"
printf 'update add %s %s %s %s\n' "$f" "$ttl" "$type" "$value" >> "$msg"
done
# Deletions: records present last run but gone now.
comm -23 <(printf '%s\n' "$applied") <(printf '%s\n' "$desired") | \
awk -F'|' -v z="$zone" 'NF>=5 && $1==z' | \
while IFS='|' read -r z name type ttl value; do
f="$(fqdn "$name" "$z")"
printf 'update delete %s %s %s\n' "$f" "$type" "$value" >> "$msg"
done
printf 'send\n' >> "$msg"
done
if nsupdate -k "$KEYFILE" "$msg"; then
printf '%s\n' "$desired" > "$STATE"
else
echo "dns-update: nsupdate to ${SERVER} failed" >&2
exit 1
fi