dns: exclude k8s/LB ranges from dns-updater; track latest
ci/woodpecker/pr/ruby-validate Pipeline was successful
ci/woodpecker/pr/puppet-lint Pipeline was successful
ci/woodpecker/pr/yamllint Pipeline was successful
ci/woodpecker/pr/bolt-validate Pipeline was successful
ci/woodpecker/pr/erb-validate Pipeline was successful
ci/woodpecker/pr/epp-validate Pipeline was successful
ci/woodpecker/pr/puppet-validate Pipeline was successful
ci/woodpecker/pr/ruby-check Pipeline was successful
ci/woodpecker/pr/ruby-validate Pipeline was successful
ci/woodpecker/pr/puppet-lint Pipeline was successful
ci/woodpecker/pr/yamllint Pipeline was successful
ci/woodpecker/pr/bolt-validate Pipeline was successful
ci/woodpecker/pr/erb-validate Pipeline was successful
ci/woodpecker/pr/epp-validate Pipeline was successful
ci/woodpecker/pr/puppet-validate Pipeline was successful
ci/woodpecker/pr/ruby-check Pipeline was successful
Sets DNS_UPDATER_DENY_RANGES so the daemon never publishes records whose address is in the k8s pod CIDR (10.42.0.0/16), service CIDR (10.43.0.0/16), the LB VIP pool (198.18.200.0/24) or 198.18.199.0/24 — keeping kube-lb0/flannel/etc. and their reverse PTRs out of the authoritative zones and stopping NOTAUTH updates for zones we do not host. Exposes deny/allow ranges+domains as class params. Also bumps package_ensure to 'latest' so hosts pick up the filter release (rpm-internal metadata_expire is 1h).
This commit is contained in:
@@ -23,12 +23,22 @@ class profiles::dns::updater (
|
||||
Stdlib::AbsolutePath $state_dir = '/var/lib/dns-updater',
|
||||
Stdlib::AbsolutePath $config_dir = '/etc/dns-updater',
|
||||
Stdlib::AbsolutePath $master_basedir = lookup('profiles::dns::master::basedir'),
|
||||
# dns-updater daemon (replaces the dns-update shell script).
|
||||
String $package_ensure = 'installed',
|
||||
# dns-updater daemon (replaces the dns-update shell script). 'latest' so hosts
|
||||
# pick up new releases (e.g. the record filter); rpm-internal metadata_expire
|
||||
# is 1h so this does not thrash.
|
||||
String $package_ensure = 'latest',
|
||||
Stdlib::AbsolutePath $api_socket = '/run/dns-updater/api.sock',
|
||||
String $resync = '10m',
|
||||
Enum['debug', 'info', 'warn', 'error'] $log_level = 'info',
|
||||
Boolean $watch_interfaces = true,
|
||||
# Never publish records whose address falls in these ranges: the k8s pod CIDR
|
||||
# (10.42.0.0/16) and service CIDR (10.43.0.0/16), the LB VIP pool
|
||||
# (198.18.200.0/24) and 198.18.199.0/24. Keeps kube-lb0/flannel/etc. out of
|
||||
# the authoritative zones and stops NOTAUTH updates for zones we do not host.
|
||||
Array[String] $deny_ranges = ['198.18.199.0/24', '198.18.200.0/24', '10.42.0.0/16', '10.43.0.0/16'],
|
||||
Array[String] $allow_ranges = [],
|
||||
Array[String] $deny_domains = [],
|
||||
Array[String] $allow_domains = [],
|
||||
) {
|
||||
|
||||
$state_file = "${state_dir}/applied"
|
||||
@@ -103,6 +113,11 @@ class profiles::dns::updater (
|
||||
ensure => $package_ensure,
|
||||
}
|
||||
|
||||
$deny_ranges_str = join($deny_ranges, ',')
|
||||
$allow_ranges_str = join($allow_ranges, ',')
|
||||
$deny_domains_str = join($deny_domains, ',')
|
||||
$allow_domains_str = join($allow_domains, ',')
|
||||
|
||||
$env_content = @("ENV")
|
||||
# Managed by puppet (profiles::dns::updater).
|
||||
DNS_UPDATER_SERVER=${server}
|
||||
@@ -113,6 +128,10 @@ class profiles::dns::updater (
|
||||
DNS_UPDATER_RESYNC=${resync}
|
||||
DNS_UPDATER_WATCH_INTERFACES=${watch_interfaces}
|
||||
DNS_UPDATER_LOG_LEVEL=${log_level}
|
||||
DNS_UPDATER_DENY_RANGES=${deny_ranges_str}
|
||||
DNS_UPDATER_ALLOW_RANGES=${allow_ranges_str}
|
||||
DNS_UPDATER_DENY_DOMAINS=${deny_domains_str}
|
||||
DNS_UPDATER_ALLOW_DOMAINS=${allow_domains_str}
|
||||
| ENV
|
||||
|
||||
file { "${config_dir}/env":
|
||||
|
||||
Reference in New Issue
Block a user