Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 225bdc6020 | |||
| 3e807201ee | |||
| aeae26711f |
@@ -208,6 +208,20 @@ vault::disable_mlock: false
|
|||||||
profiles::dns::base::nameservers:
|
profiles::dns::base::nameservers:
|
||||||
- 198.18.19.16
|
- 198.18.19.16
|
||||||
profiles::dns::master::basedir: '/var/named/sources'
|
profiles::dns::master::basedir: '/var/named/sources'
|
||||||
|
|
||||||
|
# dns record publishing. During the k8s cutover both methods run; set
|
||||||
|
# manage_export false once k8s is authoritative.
|
||||||
|
# - export: legacy exported-resources -> puppet DNS master
|
||||||
|
# - nsupdate: RFC2136 to the k8s bind-authoritative write endpoint (.9),
|
||||||
|
# inert until the TSIG key is set in eyaml:
|
||||||
|
# profiles::dns::updater::key_secret: ENC[...]
|
||||||
|
# (must match the key the bind-authoritative zones allow-update
|
||||||
|
# with; algorithm hmac-sha256)
|
||||||
|
profiles::dns::updater::manage_export: true
|
||||||
|
profiles::dns::updater::manage_nsupdate: true
|
||||||
|
profiles::dns::updater::server: '198.18.200.9'
|
||||||
|
profiles::dns::updater::key_name: 'client-update'
|
||||||
|
profiles::dns::updater::key_algorithm: 'hmac-sha256'
|
||||||
#profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
|
#profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
|
||||||
#profiles::dns::base::use_ns: 'region'
|
#profiles::dns::base::use_ns: 'region'
|
||||||
profiles::consul::server::members_role: roles::infra::storage::consul
|
profiles::consul::server::members_role: roles::infra::storage::consul
|
||||||
|
|||||||
@@ -12,6 +12,61 @@ hiera_include:
|
|||||||
rke2::bootstrap_node: prodnxsr0001.main.unkin.net
|
rke2::bootstrap_node: prodnxsr0001.main.unkin.net
|
||||||
rke2::join_url: https://join-k8s.service.consul:9345
|
rke2::join_url: https://join-k8s.service.consul:9345
|
||||||
rke2::manage_registries: true
|
rke2::manage_registries: true
|
||||||
|
rke2::registries:
|
||||||
|
docker.io:
|
||||||
|
endpoint:
|
||||||
|
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
||||||
|
rewrite:
|
||||||
|
"^(.*)$": "dockerhub/$1"
|
||||||
|
disable-default-registry-endpoint: true
|
||||||
|
ghcr.io:
|
||||||
|
endpoint:
|
||||||
|
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
||||||
|
rewrite:
|
||||||
|
"^(.*)$": "ghcr/$1"
|
||||||
|
disable-default-registry-endpoint: true
|
||||||
|
quay.io:
|
||||||
|
endpoint:
|
||||||
|
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
||||||
|
rewrite:
|
||||||
|
"^(.*)$": "quay/$1"
|
||||||
|
disable-default-registry-endpoint: true
|
||||||
|
registry.k8s.io:
|
||||||
|
endpoint:
|
||||||
|
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
||||||
|
rewrite:
|
||||||
|
"^(.*)$": "k8s-registry/$1"
|
||||||
|
disable-default-registry-endpoint: true
|
||||||
|
registry.gitlab.com:
|
||||||
|
endpoint:
|
||||||
|
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
||||||
|
rewrite:
|
||||||
|
"^(.*)$": "gitlab/$1"
|
||||||
|
disable-default-registry-endpoint: true
|
||||||
|
docker.elastic.co:
|
||||||
|
endpoint:
|
||||||
|
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
||||||
|
rewrite:
|
||||||
|
"^(.*)$": "elastic/$1"
|
||||||
|
disable-default-registry-endpoint: true
|
||||||
|
gcr.io:
|
||||||
|
endpoint:
|
||||||
|
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
||||||
|
rewrite:
|
||||||
|
"^(.*)$": "gcr/$1"
|
||||||
|
disable-default-registry-endpoint: true
|
||||||
|
docker.litellm.ai:
|
||||||
|
endpoint:
|
||||||
|
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
||||||
|
rewrite:
|
||||||
|
"^(.*)$": "litellm/$1"
|
||||||
|
disable-default-registry-endpoint: true
|
||||||
|
public.ecr.aws:
|
||||||
|
endpoint:
|
||||||
|
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
||||||
|
rewrite:
|
||||||
|
"^(.*)$": "ecr-public/$1"
|
||||||
|
disable-default-registry-endpoint: true
|
||||||
rke2::config_hash:
|
rke2::config_hash:
|
||||||
bind-address: "%{hiera('networking_loopback0_ip')}"
|
bind-address: "%{hiera('networking_loopback0_ip')}"
|
||||||
node-ip: "%{hiera('networking_loopback0_ip')}"
|
node-ip: "%{hiera('networking_loopback0_ip')}"
|
||||||
|
|||||||
@@ -0,0 +1,88 @@
|
|||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
# lib/facter/dns_records.rb
|
||||||
|
#
|
||||||
|
# Reports this host's expected DNS records (assembled by profiles::dns::updater
|
||||||
|
# into its records file) versus what is currently deployed on the authoritative
|
||||||
|
# server, so puppet can detect drift and re-apply.
|
||||||
|
#
|
||||||
|
# Structured value:
|
||||||
|
# { server, count, expected => [{zone,fqdn,type,ttl,value}], in_sync,
|
||||||
|
# drift => [{...,deployed => [...]}] }
|
||||||
|
|
||||||
|
# Helpers for the dns_records fact.
|
||||||
|
module DnsRecordsFact
|
||||||
|
RECORDS_FILE = '/var/lib/dns-updater/records'
|
||||||
|
SERVER_FILE = '/var/lib/dns-updater/server'
|
||||||
|
|
||||||
|
module_function
|
||||||
|
|
||||||
|
# normalise a value for comparison: strip, drop trailing dot, downcase
|
||||||
|
def norm(value)
|
||||||
|
value.to_s.strip.chomp('.').downcase
|
||||||
|
end
|
||||||
|
|
||||||
|
def server
|
||||||
|
File.exist?(SERVER_FILE) ? File.read(SERVER_FILE).strip : nil
|
||||||
|
end
|
||||||
|
|
||||||
|
# a name relative to a zone (or @) as a fully-qualified name
|
||||||
|
def to_fqdn(name, zone)
|
||||||
|
return "#{zone}." if name.to_s.empty? || name == '@'
|
||||||
|
|
||||||
|
"#{name}.#{zone}."
|
||||||
|
end
|
||||||
|
|
||||||
|
# parse one "zone|name|type|ttl|value" line into a record hash (nil to skip)
|
||||||
|
def parse_line(line)
|
||||||
|
line = line.strip
|
||||||
|
return nil if line.empty? || line.start_with?('#')
|
||||||
|
|
||||||
|
zone, name, type, ttl, value = line.split('|', 5)
|
||||||
|
return nil unless zone && type && value
|
||||||
|
|
||||||
|
{ 'zone' => zone, 'fqdn' => to_fqdn(name, zone), 'type' => type, 'ttl' => ttl, 'value' => value }
|
||||||
|
end
|
||||||
|
|
||||||
|
# parse the records file into record hashes
|
||||||
|
def expected
|
||||||
|
return [] unless File.exist?(RECORDS_FILE)
|
||||||
|
|
||||||
|
File.readlines(RECORDS_FILE).filter_map { |line| parse_line(line) }
|
||||||
|
end
|
||||||
|
|
||||||
|
# the values currently deployed for a record, per the authoritative server
|
||||||
|
def deployed(record, srv)
|
||||||
|
cmd = ['dig', '+short', '+time=2', '+tries=1']
|
||||||
|
cmd << "@#{srv}" if srv && !srv.empty?
|
||||||
|
cmd += [record['fqdn'], record['type']]
|
||||||
|
out = Facter::Core::Execution.execute(cmd.join(' '), on_fail: '')
|
||||||
|
out.to_s.split("\n").map { |line| norm(line) }.reject(&:empty?)
|
||||||
|
end
|
||||||
|
|
||||||
|
def report
|
||||||
|
srv = server
|
||||||
|
exp = expected
|
||||||
|
drift = exp.filter_map do |record|
|
||||||
|
dep = deployed(record, srv)
|
||||||
|
record.merge('deployed' => dep) unless dep.include?(norm(record['value']))
|
||||||
|
end
|
||||||
|
{ 'server' => srv, 'count' => exp.length, 'expected' => exp, 'in_sync' => drift.empty?, 'drift' => drift }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
Facter.add(:dns_records) do
|
||||||
|
confine kernel: 'Linux'
|
||||||
|
setcode do
|
||||||
|
File.exist?(DnsRecordsFact::RECORDS_FILE) ? DnsRecordsFact.report : nil
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
# Convenience boolean for `if $facts['dns_records_insync']` guards.
|
||||||
|
Facter.add(:dns_records_insync) do
|
||||||
|
confine kernel: 'Linux'
|
||||||
|
setcode do
|
||||||
|
v = Facter.value(:dns_records)
|
||||||
|
v.nil? ? nil : v['in_sync']
|
||||||
|
end
|
||||||
|
end
|
||||||
@@ -1,38 +0,0 @@
|
|||||||
---
|
|
||||||
# DO NOT MODIFY - MANAGED BY PUPPET
|
|
||||||
mirrors:
|
|
||||||
docker.io:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "dockerhub/$1"
|
|
||||||
ghcr.io:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "ghcr/$1"
|
|
||||||
quay.io:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "quay/$1"
|
|
||||||
registry.k8s.io:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "k8s-registry/$1"
|
|
||||||
registry.gitlab.com:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "gitlab/$1"
|
|
||||||
docker.elastic.co:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "elastic/$1"
|
|
||||||
gcr.io:
|
|
||||||
endpoint:
|
|
||||||
- "https://artifactapi.k8s.syd1.au.unkin.net"
|
|
||||||
rewrite:
|
|
||||||
"^(.*)$": "gcr/$1"
|
|
||||||
@@ -8,6 +8,7 @@ class rke2::config (
|
|||||||
String $node_token = $rke2::node_token,
|
String $node_token = $rke2::node_token,
|
||||||
Array[String[1]] $extra_config_files = $rke2::extra_config_files,
|
Array[String[1]] $extra_config_files = $rke2::extra_config_files,
|
||||||
Boolean $manage_registries = $rke2::manage_registries,
|
Boolean $manage_registries = $rke2::manage_registries,
|
||||||
|
Hash $registries = $rke2::registries,
|
||||||
){
|
){
|
||||||
|
|
||||||
# if its not the bootstrap node, add join path to config
|
# if its not the bootstrap node, add join path to config
|
||||||
@@ -35,7 +36,7 @@ class rke2::config (
|
|||||||
owner => 'root',
|
owner => 'root',
|
||||||
group => 'root',
|
group => 'root',
|
||||||
mode => '0644',
|
mode => '0644',
|
||||||
source => 'puppet:///modules/rke2/registries.yaml',
|
content => epp('rke2/registries.yaml.epp', { registries => $registries }),
|
||||||
require => Package["rke2-${node_type}"],
|
require => Package["rke2-${node_type}"],
|
||||||
notify => Service["rke2-${node_type}"],
|
notify => Service["rke2-${node_type}"],
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -13,6 +13,7 @@ class rke2 (
|
|||||||
Array[String[1]] $extra_config_files = $rke2::params::extra_config_files,
|
Array[String[1]] $extra_config_files = $rke2::params::extra_config_files,
|
||||||
Stdlib::HTTPUrl $container_archive_source = $rke2::params::container_archive_source,
|
Stdlib::HTTPUrl $container_archive_source = $rke2::params::container_archive_source,
|
||||||
Boolean $manage_registries = $rke2::params::manage_registries,
|
Boolean $manage_registries = $rke2::params::manage_registries,
|
||||||
|
Hash $registries = $rke2::params::registries,
|
||||||
) inherits rke2::params {
|
) inherits rke2::params {
|
||||||
|
|
||||||
include rke2::install
|
include rke2::install
|
||||||
|
|||||||
@@ -13,4 +13,5 @@ class rke2::params (
|
|||||||
Array[String[1]] $extra_config_files = [],
|
Array[String[1]] $extra_config_files = [],
|
||||||
Stdlib::HTTPUrl $container_archive_source = 'https://github.com/rancher/rke2/releases/download',
|
Stdlib::HTTPUrl $container_archive_source = 'https://github.com/rancher/rke2/releases/download',
|
||||||
Boolean $manage_registries = false,
|
Boolean $manage_registries = false,
|
||||||
|
Hash $registries = {},
|
||||||
) {}
|
) {}
|
||||||
|
|||||||
@@ -0,0 +1,20 @@
|
|||||||
|
<%- | Hash $registries | -%>
|
||||||
|
---
|
||||||
|
# DO NOT MODIFY - MANAGED BY PUPPET
|
||||||
|
mirrors:
|
||||||
|
<%- $registries.each |$registry, $config| { -%>
|
||||||
|
<%= $registry %>:
|
||||||
|
endpoint:
|
||||||
|
<%- $config['endpoint'].each |$ep| { -%>
|
||||||
|
- "<%= $ep %>"
|
||||||
|
<%- } -%>
|
||||||
|
<%- if $config['rewrite'] { -%>
|
||||||
|
rewrite:
|
||||||
|
<%- $config['rewrite'].each |$pattern, $replacement| { -%>
|
||||||
|
"<%= $pattern %>": "<%= $replacement %>"
|
||||||
|
<%- } -%>
|
||||||
|
<%- } -%>
|
||||||
|
<%- if $config['disable-default-registry-endpoint'] { -%>
|
||||||
|
disable-default-registry-endpoint: true
|
||||||
|
<%- } -%>
|
||||||
|
<%- } -%>
|
||||||
@@ -11,9 +11,12 @@ class profiles::dns::base (
|
|||||||
Optional[String] $ns_role = undef,
|
Optional[String] $ns_role = undef,
|
||||||
){
|
){
|
||||||
|
|
||||||
# install bind_utils
|
# install bind_utils (provides nsupdate)
|
||||||
include bind::updater
|
include bind::updater
|
||||||
|
|
||||||
|
# assemble the host's DNS records and nsupdate them to the authoritative server
|
||||||
|
include profiles::dns::updater
|
||||||
|
|
||||||
# if ns_role is set, find all hosts matching that enc_role
|
# if ns_role is set, find all hosts matching that enc_role
|
||||||
$nameserver_array = $ns_role ? {
|
$nameserver_array = $ns_role ? {
|
||||||
undef => $nameservers,
|
undef => $nameservers,
|
||||||
|
|||||||
@@ -1,4 +1,10 @@
|
|||||||
# defines the base record that will be exported
|
# profiles::dns::record
|
||||||
|
#
|
||||||
|
# Declares a DNS record for this host. Publishes it via either or both methods,
|
||||||
|
# controlled by profiles::dns::updater's toggles (both on during cutover):
|
||||||
|
# - nsupdate: a local concat fragment consumed by profiles::dns::updater,
|
||||||
|
# which nsupdates it to the authoritative server.
|
||||||
|
# - export: the legacy @@concat::fragment exported to the puppet DNS master.
|
||||||
define profiles::dns::record (
|
define profiles::dns::record (
|
||||||
String $record,
|
String $record,
|
||||||
Enum[
|
Enum[
|
||||||
@@ -13,11 +19,26 @@ define profiles::dns::record (
|
|||||||
String $value,
|
String $value,
|
||||||
String $zone,
|
String $zone,
|
||||||
Integer $order,
|
Integer $order,
|
||||||
Stdlib::AbsolutePath $basedir = lookup('profiles::dns::master::basedir'),
|
Integer $ttl = 300,
|
||||||
) {
|
) {
|
||||||
|
include profiles::dns::updater
|
||||||
|
|
||||||
|
# new: local records file consumed by the nsupdate service
|
||||||
|
if $profiles::dns::updater::manage_nsupdate {
|
||||||
|
# zone|name|type|ttl|value (parsed by the dns-update script)
|
||||||
|
concat::fragment { "dns-record-${name}":
|
||||||
|
target => $profiles::dns::updater::records_file,
|
||||||
|
content => "${zone}|${record}|${type}|${ttl}|${value}\n",
|
||||||
|
order => sprintf('%03d', $order),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# legacy: export the fragment to the puppet DNS master
|
||||||
|
if $profiles::dns::updater::manage_export {
|
||||||
@@concat::fragment { "${zone}_${name}":
|
@@concat::fragment { "${zone}_${name}":
|
||||||
target => "${basedir}/${zone}.conf",
|
target => "${profiles::dns::updater::master_basedir}/${zone}.conf",
|
||||||
content => "${record} IN ${type} ${value}\n",
|
content => "${record} IN ${type} ${value}\n",
|
||||||
order => $order,
|
order => $order,
|
||||||
}
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -0,0 +1,127 @@
|
|||||||
|
# profiles::dns::updater
|
||||||
|
#
|
||||||
|
# Publishes this host's DNS records. Two methods, independently toggled so both
|
||||||
|
# can run during the k8s cutover (profiles::dns::record honours the same flags):
|
||||||
|
#
|
||||||
|
# - nsupdate ($manage_nsupdate): assemble the records into a local file and
|
||||||
|
# nsupdate them to the k8s authoritative write endpoint via a systemd .path
|
||||||
|
# unit that watches the file. Inert until $key_secret (TSIG) is set.
|
||||||
|
# - export ($manage_export): the legacy exported-resources flow to the puppet
|
||||||
|
# DNS master. Kept during cutover; disable once k8s is authoritative.
|
||||||
|
#
|
||||||
|
# nsupdate comes from bind-utils (installed via bind::updater in
|
||||||
|
# profiles::dns::base).
|
||||||
|
class profiles::dns::updater (
|
||||||
|
Boolean $manage_nsupdate = true,
|
||||||
|
Boolean $manage_export = true,
|
||||||
|
String $server = '198.18.200.9',
|
||||||
|
String $key_name = 'client-update',
|
||||||
|
String $key_algorithm = 'hmac-sha256',
|
||||||
|
Optional[Sensitive[String]] $key_secret = undef,
|
||||||
|
Integer $default_ttl = 300,
|
||||||
|
Stdlib::AbsolutePath $records_file = '/var/lib/dns-updater/records',
|
||||||
|
Stdlib::AbsolutePath $state_dir = '/var/lib/dns-updater',
|
||||||
|
Stdlib::AbsolutePath $config_dir = '/etc/dns-updater',
|
||||||
|
Stdlib::AbsolutePath $master_basedir = lookup('profiles::dns::master::basedir'),
|
||||||
|
) {
|
||||||
|
|
||||||
|
$state_file = "${state_dir}/applied"
|
||||||
|
$server_file = "${state_dir}/server"
|
||||||
|
$key_file = "${config_dir}/key"
|
||||||
|
|
||||||
|
if $manage_nsupdate {
|
||||||
|
|
||||||
|
file { $state_dir:
|
||||||
|
ensure => directory,
|
||||||
|
owner => 'root',
|
||||||
|
group => 'root',
|
||||||
|
mode => '0755',
|
||||||
|
}
|
||||||
|
|
||||||
|
# Server address, read by the dns_records fact for drift detection.
|
||||||
|
file { $server_file:
|
||||||
|
ensure => file,
|
||||||
|
owner => 'root',
|
||||||
|
group => 'root',
|
||||||
|
mode => '0644',
|
||||||
|
content => "${server}\n",
|
||||||
|
require => File[$state_dir],
|
||||||
|
}
|
||||||
|
|
||||||
|
# Records file, assembled from profiles::dns::record fragments.
|
||||||
|
concat { $records_file:
|
||||||
|
ensure => present,
|
||||||
|
owner => 'root',
|
||||||
|
group => 'root',
|
||||||
|
mode => '0644',
|
||||||
|
ensure_newline => true,
|
||||||
|
warn => false,
|
||||||
|
require => File[$state_dir],
|
||||||
|
}
|
||||||
|
|
||||||
|
concat::fragment { 'dns-update-header':
|
||||||
|
target => $records_file,
|
||||||
|
content => "# Managed by puppet (profiles::dns::record): zone|name|type|ttl|value\n",
|
||||||
|
order => '00',
|
||||||
|
}
|
||||||
|
|
||||||
|
if $key_secret =~ Undef {
|
||||||
|
notify { 'dns-updater-inert':
|
||||||
|
message => 'profiles::dns::updater: key_secret unset; records assembled but not applied.',
|
||||||
|
loglevel => 'info',
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
file { $config_dir:
|
||||||
|
ensure => directory,
|
||||||
|
owner => 'root',
|
||||||
|
group => 'root',
|
||||||
|
mode => '0700',
|
||||||
|
}
|
||||||
|
|
||||||
|
file { $key_file:
|
||||||
|
ensure => file,
|
||||||
|
owner => 'root',
|
||||||
|
group => 'root',
|
||||||
|
mode => '0600',
|
||||||
|
show_diff => false,
|
||||||
|
content => Sensitive(epp('profiles/dns/tsig-key.epp', {
|
||||||
|
'name' => $key_name,
|
||||||
|
'algorithm' => $key_algorithm,
|
||||||
|
'secret' => $key_secret.unwrap,
|
||||||
|
})),
|
||||||
|
}
|
||||||
|
|
||||||
|
file { '/usr/local/bin/dns-update':
|
||||||
|
ensure => file,
|
||||||
|
owner => 'root',
|
||||||
|
group => 'root',
|
||||||
|
mode => '0755',
|
||||||
|
content => epp('profiles/dns/dns-update.sh.epp', {
|
||||||
|
'server' => $server,
|
||||||
|
'key_file' => $key_file,
|
||||||
|
'records_file' => $records_file,
|
||||||
|
'state_file' => $state_file,
|
||||||
|
}),
|
||||||
|
}
|
||||||
|
|
||||||
|
systemd::unit_file { 'dns-update.service':
|
||||||
|
content => epp('profiles/dns/dns-update.service.epp', { 'script' => '/usr/local/bin/dns-update' }),
|
||||||
|
}
|
||||||
|
|
||||||
|
# The .path unit watches the records file and triggers the service.
|
||||||
|
systemd::unit_file { 'dns-update.path':
|
||||||
|
content => epp('profiles/dns/dns-update.path.epp', { 'records_file' => $records_file }),
|
||||||
|
active => true,
|
||||||
|
enable => true,
|
||||||
|
}
|
||||||
|
|
||||||
|
# Also apply within the puppet run whenever the records change.
|
||||||
|
exec { 'dns-update-apply':
|
||||||
|
command => '/usr/local/bin/dns-update',
|
||||||
|
refreshonly => true,
|
||||||
|
subscribe => Concat[$records_file],
|
||||||
|
require => [File['/usr/local/bin/dns-update'], File[$key_file]],
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,10 @@
|
|||||||
|
<%- | String $records_file | -%>
|
||||||
|
[Unit]
|
||||||
|
Description=Watch the DNS records file and apply changes
|
||||||
|
|
||||||
|
[Path]
|
||||||
|
PathModified=<%= $records_file %>
|
||||||
|
Unit=dns-update.service
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
<%- | String $script | -%>
|
||||||
|
[Unit]
|
||||||
|
Description=Apply host DNS records via nsupdate
|
||||||
|
After=network-online.target
|
||||||
|
Wants=network-online.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=<%= $script %>
|
||||||
@@ -0,0 +1,56 @@
|
|||||||
|
<%- | String $server, String $key_file, String $records_file, String $state_file | -%>
|
||||||
|
#!/bin/bash
|
||||||
|
# Managed by puppet (profiles::dns::updater). Applies this host's records to the
|
||||||
|
# authoritative DNS server via TSIG nsupdate. Only the delta since the last
|
||||||
|
# successful run is sent; removed records are deleted.
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
SERVER="<%= $server %>"
|
||||||
|
KEYFILE="<%= $key_file %>"
|
||||||
|
RECORDS="<%= $records_file %>"
|
||||||
|
STATE="<%= $state_file %>"
|
||||||
|
|
||||||
|
[ -f "$RECORDS" ] || exit 0
|
||||||
|
touch "$STATE"
|
||||||
|
|
||||||
|
# Format per line: zone|name|type|ttl|value (name is relative to zone, or @).
|
||||||
|
desired="$(grep -vE '^[[:space:]]*(#|$)' "$RECORDS" | sort -u || true)"
|
||||||
|
applied="$(grep -vE '^[[:space:]]*(#|$)' "$STATE" 2>/dev/null | sort -u || true)"
|
||||||
|
|
||||||
|
[ "$desired" = "$applied" ] && exit 0
|
||||||
|
|
||||||
|
fqdn() { # name zone
|
||||||
|
if [ -z "$1" ] || [ "$1" = "@" ]; then printf '%s.' "$2"; else printf '%s.%s.' "$1" "$2"; fi
|
||||||
|
}
|
||||||
|
|
||||||
|
msg="$(mktemp)"
|
||||||
|
trap 'rm -f "$msg"' EXIT
|
||||||
|
printf 'server %s\n' "$SERVER" >> "$msg"
|
||||||
|
|
||||||
|
# Process per zone so each UPDATE message targets a single zone.
|
||||||
|
zones="$(printf '%s\n%s\n' "$desired" "$applied" | cut -d'|' -f1 | sort -u | grep -v '^$' || true)"
|
||||||
|
for zone in $zones; do
|
||||||
|
printf 'zone %s.\n' "$zone" >> "$msg"
|
||||||
|
# Additions/updates: replace the RRset for every desired record in this zone.
|
||||||
|
printf '%s\n' "$desired" | awk -F'|' -v z="$zone" 'NF>=5 && $1==z' | \
|
||||||
|
while IFS='|' read -r z name type ttl value; do
|
||||||
|
f="$(fqdn "$name" "$z")"
|
||||||
|
printf 'update delete %s %s\n' "$f" "$type" >> "$msg"
|
||||||
|
printf 'update add %s %s %s %s\n' "$f" "$ttl" "$type" "$value" >> "$msg"
|
||||||
|
done
|
||||||
|
# Deletions: records present last run but gone now.
|
||||||
|
comm -23 <(printf '%s\n' "$applied") <(printf '%s\n' "$desired") | \
|
||||||
|
awk -F'|' -v z="$zone" 'NF>=5 && $1==z' | \
|
||||||
|
while IFS='|' read -r z name type ttl value; do
|
||||||
|
f="$(fqdn "$name" "$z")"
|
||||||
|
printf 'update delete %s %s %s\n' "$f" "$type" "$value" >> "$msg"
|
||||||
|
done
|
||||||
|
printf 'send\n' >> "$msg"
|
||||||
|
done
|
||||||
|
|
||||||
|
if nsupdate -k "$KEYFILE" "$msg"; then
|
||||||
|
printf '%s\n' "$desired" > "$STATE"
|
||||||
|
else
|
||||||
|
echo "dns-update: nsupdate to ${SERVER} failed" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
<%- | String $name, String $algorithm, String $secret | -%>
|
||||||
|
key "<%= $name %>" {
|
||||||
|
algorithm <%= $algorithm %>;
|
||||||
|
secret "<%= $secret %>";
|
||||||
|
};
|
||||||
Reference in New Issue
Block a user