dns: nsupdate host records to the authoritative server
ci/woodpecker/pr/ruby-validate Pipeline was successful
ci/woodpecker/pr/puppet-lint Pipeline was successful
ci/woodpecker/pr/yamllint Pipeline was successful
ci/woodpecker/pr/bolt-validate Pipeline was successful
ci/woodpecker/pr/erb-validate Pipeline was successful
ci/woodpecker/pr/epp-validate Pipeline was successful
ci/woodpecker/pr/puppet-validate Pipeline was successful
ci/woodpecker/pr/ruby-check Pipeline was successful
Replaces the exported-resources -> puppet DNS master zone-file flow with per-host RFC2136 dynamic updates against the k8s bind-authoritative write endpoint (198.18.200.9), so the master no longer manages zone files.

- add profiles::dns::updater: assembles the host's records into a concat file and runs nsupdate via a systemd .path unit that watches it; the dns-update script sends only the delta and deletes removed records
- switch profiles::dns::record to write local concat fragments (zone|name|type|ttl|value) instead of exporting to the master
- include profiles::dns::updater from profiles::dns::base (all nodes)
- inert until profiles::dns::updater::key_secret (TSIG) is set in eyaml
- hiera: updater server/key_name/algorithm in common.yaml
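The delta-and-nsupdate flow the commit message describes, written here as an added example rather than the repository's own dns-update script: it reduces the difference between the last applied state and the desired records to the RRsets that changed, and for each one emits the RRset delete before the adds, so a TTL-only change or a multi-value RRset comes out right. The record lines, zone names and addresses are constructed sample data.

```shell
#!/bin/sh
# Added example, not the repository's dns-update script: build the nsupdate batch
# for the zone|name|type|ttl|value delta, deleting each changed RRset before
# re-adding its desired values. Sample records below are constructed.
set -eu

APPLIED_SAMPLE='example.test|www|A|300|198.51.100.10
example.test|www|A|300|198.51.100.11
example.test|old|A|300|198.51.100.20
example.test|@|TXT|300|"v=spf1 -all"'
DESIRED_SAMPLE='example.test|www|A|600|198.51.100.10
example.test|www|A|600|198.51.100.11
example.test|@|TXT|300|"v=spf1 -all"
zone2.test|@|TXT|300|"hello"'

fqdn() { # name zone -> absolute owner name ("@" or empty means the apex)
  if [ -z "$1" ] || [ "$1" = "@" ]; then printf '%s.' "$2"; else printf '%s.%s.' "$1" "$2"; fi
}

# build_update_msg DESIRED_TEXT APPLIED_TEXT -> nsupdate commands on stdout
# (the caller prepends 'server ...' and feeds the result to nsupdate -k KEYFILE).
build_update_msg() {
  desired=$(printf '%s\n' "$1" | grep -vE '^[[:space:]]*(#|$)' | sort -u || true)
  applied=$(printf '%s\n' "$2" | grep -vE '^[[:space:]]*(#|$)' | sort -u || true)
  # Lines present in exactly one of the two sets, reduced to their RRset key zone|name|type.
  changed=$(printf '%s\n%s\n' "$desired" "$applied" | grep -v '^$' | sort | uniq -u |
            awk -F'|' 'NF>=5 {print $1"|"$2"|"$3}' | sort -u)
  [ -n "$changed" ] || return 0
  for zone in $(printf '%s\n' "$changed" | cut -d'|' -f1 | sort -u); do
    printf 'zone %s.\n' "$zone"   # one UPDATE message per zone
    printf '%s\n' "$changed" | awk -F'|' -v z="$zone" '$1==z' |
    while IFS='|' read -r z name type; do
      owner=$(fqdn "$name" "$z")
      # Delete the whole RRset first: updates apply in order, so deleting by rdata
      # after the add would remove a record whose only change was its TTL.
      printf 'update delete %s %s\n' "$owner" "$type"
      # Re-add every desired value; none left means the RRset is gone for good.
      printf '%s\n' "$desired" |
        awk -F'|' -v z="$z" -v n="$name" -v t="$type" 'NF>=5 && $1==z && $2==n && $3==t' |
        while IFS='|' read -r dz dn dt ttl value; do
          printf 'update add %s %s %s %s\n' "$owner" "$ttl" "$type" "$value"
        done
    done
    printf 'send\n'
  done
}

build_update_msg "$DESIRED_SAMPLE" "$APPLIED_SAMPLE"
```

The unchanged TXT record at the apex produces no commands at all, which is what keeps the update a delta rather than a full resend.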
@@ -0,0 +1,56 @@
<%- | String $server, String $key_file, String $records_file, String $state_file | -%>
#!/bin/bash
# Managed by puppet (profiles::dns::updater). Applies this host's records to the
# authoritative DNS server via TSIG nsupdate. Only the delta since the last
# successful run is sent; removed records are deleted.
set -euo pipefail

SERVER="<%= $server %>"
KEYFILE="<%= $key_file %>"
RECORDS="<%= $records_file %>"
STATE="<%= $state_file %>"

[ -f "$RECORDS" ] || exit 0
touch "$STATE"

# Format per line: zone|name|type|ttl|value (name is relative to zone, or @).
desired="$(grep -vE '^[[:space:]]*(#|$)' "$RECORDS" | sort -u || true)"
applied="$(grep -vE '^[[:space:]]*(#|$)' "$STATE" 2>/dev/null | sort -u || true)"

[ "$desired" = "$applied" ] && exit 0

fqdn() { # name zone
if [ -z "$1" ] || [ "$1" = "@" ]; then printf '%s.' "$2"; else printf '%s.%s.' "$1" "$2"; fi
}

msg="$(mktemp)"
trap 'rm -f "$msg"' EXIT
printf 'server %s\n' "$SERVER" >> "$msg"

# Process per zone so each UPDATE message targets a single zone.
zones="$(printf '%s\n%s\n' "$desired" "$applied" | cut -d'|' -f1 | sort -u | grep -v '^$' || true)"
for zone in $zones; do
printf 'zone %s.\n' "$zone" >> "$msg"
# Additions/updates: replace the RRset for every desired record in this zone.
printf '%s\n' "$desired" | awk -F'|' -v z="$zone" 'NF>=5 && $1==z' | \
while IFS='|' read -r z name type ttl value; do
f="$(fqdn "$name" "$z")"
printf 'update delete %s %s\n' "$f" "$type" >> "$msg"
printf 'update add %s %s %s %s\n' "$f" "$ttl" "$type" "$value" >> "$msg"
done
# Deletions: records present last run but gone now.
comm -23 <(printf '%s\n' "$applied") <(printf '%s\n' "$desired") | \
awk -F'|' -v z="$zone" 'NF>=5 && $1==z' | \
while IFS='|' read -r z name type ttl value; do
f="$(fqdn "$name" "$z")"
printf 'update delete %s %s %s\n' "$f" "$type" "$value" >> "$msg"
done
printf 'send\n' >> "$msg"
done

if nsupdate -k "$KEYFILE" "$msg"; then
printf '%s\n' "$desired" > "$STATE"
else
echo "dns-update: nsupdate to ${SERVER} failed" >&2
exit 1
fi
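Review bot: the order of the two passes inside the per-zone loop deletes any record whose only change is its TTL. The additions pass emits `update delete $f $type` and then `update add $f $ttl $type $value` for the new line; the deletions pass, which runs afterwards in the same message, emits `update delete $f $type $value` for the old line, and that rdata matches the record just re-added. RFC 2136 applies the update section in order, so the add is undone. Emit the deletions block before the additions block within each zone, or drop from the `comm -23` output any line whose zone|name|type still appears in `$desired`. The additions pass has a second ordering problem: two desired lines for the same name and type (for example two A records) each trigger `update delete $f $type`, so the second delete removes the value the first add put in place and only the last value survives; delete each RRset once, then add all of its values. Worth a line in the class docs as well: every node uses the same key file, so the server-side update-policy is the only thing that confines a host to its own names, and nothing in this script scopes what it may send.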