dns: nsupdate host records to the authoritative server (#475)
Replaces the exported-resources → puppet DNS master zone-file flow with per-host RFC2136 dynamic updates against the k8s **bind-authoritative** write endpoint (198.18.200.9). The master no longer manages zone files. ## Design Each node assembles its DNS records into a local concat file; a systemd `.path` unit watches it and runs `dns-update` (nsupdate) on change — exactly the watch-a-file model requested. ## Changes - **profiles::dns::updater** (new): concat records file + TSIG key file + `dns-update` script + `dns-update.service` (oneshot) + `dns-update.path` (watcher). The script sends only the delta since last run and deletes removed records, grouped per zone. - **profiles::dns::record**: writes a local concat fragment (`zone|name|type|ttl|value`) instead of exporting `@@concat::fragment` to the master. - **profiles::dns::base**: includes `profiles::dns::updater` (all nodes). - **hiera**: `profiles::dns::updater` server/key_name/algorithm in common.yaml. ## Inert until keyed The updater does nothing until `profiles::dns::updater::key_secret` (TSIG) is set in eyaml — records are assembled but not applied, so nodes are safe before the key exists. ## Prerequisites (k8s side, separate) 1. The `bind-authoritative` zones must set `dynamicUpdate: true` + an `updateKeyRef` (a client-update BindTSIGKey) so they accept these updates. 2. The TSIG key must be shared: the operator-generated key value goes into eyaml here (or the planned Vault-sync feature bridges it). ## Validated puppet parser/epp validate, puppet-lint, and a functional test of the generated per-zone nsupdate message (replace + delete-removed). Reviewed-on: #475 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
This commit was merged in pull request #475.
This commit is contained in:
@@ -146,6 +146,8 @@ lookup_options:
|
||||
strategy: deep
|
||||
profiles::etcd::node::initial_cluster_token:
|
||||
convert_to: Sensitive
|
||||
profiles::dns::updater::key_secret:
|
||||
convert_to: Sensitive
|
||||
sysctl::base::values:
|
||||
merge:
|
||||
strategy: deep
|
||||
@@ -208,6 +210,20 @@ vault::disable_mlock: false
|
||||
profiles::dns::base::nameservers:
|
||||
- 198.18.19.16
|
||||
profiles::dns::master::basedir: '/var/named/sources'
|
||||
|
||||
# dns record publishing. During the k8s cutover both methods run; set
|
||||
# manage_export false once k8s is authoritative.
|
||||
# - export: legacy exported-resources -> puppet DNS master
|
||||
# - nsupdate: RFC2136 to the k8s bind-authoritative write endpoint (.9),
|
||||
# inert until the TSIG key is set in eyaml:
|
||||
# profiles::dns::updater::key_secret: ENC[...]
|
||||
# (must match the key the bind-authoritative zones allow-update
|
||||
# with; algorithm hmac-sha256)
|
||||
profiles::dns::updater::manage_export: true
|
||||
profiles::dns::updater::manage_nsupdate: true
|
||||
profiles::dns::updater::server: '198.18.200.9'
|
||||
profiles::dns::updater::key_name: 'client-update'
|
||||
profiles::dns::updater::key_algorithm: 'hmac-sha256'
|
||||
#profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
|
||||
#profiles::dns::base::use_ns: 'region'
|
||||
profiles::consul::server::members_role: roles::infra::storage::consul
|
||||
|
||||
Reference in New Issue
Block a user