
unkinben 225bdc6020 dns: dual-write toggles + drift fact
Publish records both ways during the k8s cutover, and expose expected vs
deployed records for drift detection.

- profiles::dns::updater + ::record: manage_nsupdate and manage_export
  booleans (both default on); export keeps the legacy master flow, so
  disable it once k8s is authoritative
- dns_records fact: parses the expected records file and digs the
  authoritative server for each, reporting expected / in_sync / drift
  (plus dns_records_insync boolean); updater writes the server address
  to /var/lib/dns-updater/server for the fact
- hiera: manage_export/manage_nsupdate = true (cutover)
2026-07-05 17:14:54 +10:00
unkinben 3e807201ee dns: nsupdate host records to the authoritative server
Replaces the exported-resources -> puppet DNS master zone-file flow with
per-host RFC2136 dynamic updates against the k8s bind-authoritative write
endpoint (198.18.200.9), so the master no longer manages zone files.

- add profiles::dns::updater: assembles the host's records into a concat
  file and runs nsupdate via a systemd .path unit that watches it; the
  dns-update script sends only the delta and deletes removed records
- switch profiles::dns::record to write local concat fragments
  (zone|name|type|ttl|value) instead of exporting to the master
- include profiles::dns::updater from profiles::dns::base (all nodes)
- inert until profiles::dns::updater::key_secret (TSIG) is set in eyaml
- hiera: updater server/key_name/algorithm in common.yaml
2026-07-05 16:11:46 +10:00
unkinben aeae26711f Convert RKE2 registries to template, disable default endpoints (#474)
## Summary
- Replace static `registries.yaml` with EPP template driven by `rke2::registries` hash
- Add `disable-default-registry-endpoint: true` to all mirrors — RKE2 will only use artifactapi and never fall back to upstream registries
- Registry configuration now fully managed via hiera data (`roles/infra/k8s.yaml`)

Reviewed-on: #474
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-29 22:30:48 +10:00
15 changed files with 419 additions and 46 deletions
+14
@@ -208,6 +208,20 @@ vault::disable_mlock: false
profiles::dns::base::nameservers: profiles::dns::base::nameservers:
- 198.18.19.16 - 198.18.19.16
profiles::dns::master::basedir: '/var/named/sources' profiles::dns::master::basedir: '/var/named/sources'
# dns record publishing. During the k8s cutover both methods run; set
# manage_export false once k8s is authoritative.
# - export: legacy exported-resources -> puppet DNS master
# - nsupdate: RFC2136 to the k8s bind-authoritative write endpoint (.9),
# inert until the TSIG key is set in eyaml:
# profiles::dns::updater::key_secret: ENC[...]
# (must match the key the bind-authoritative zones allow-update
# with; algorithm hmac-sha256)
profiles::dns::updater::manage_export: true
profiles::dns::updater::manage_nsupdate: true
profiles::dns::updater::server: '198.18.200.9'
profiles::dns::updater::key_name: 'client-update'
profiles::dns::updater::key_algorithm: 'hmac-sha256'
#profiles::dns::base::ns_role: 'roles::infra::dns::resolver' #profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
#profiles::dns::base::use_ns: 'region' #profiles::dns::base::use_ns: 'region'
profiles::consul::server::members_role: roles::infra::storage::consul profiles::consul::server::members_role: roles::infra::storage::consul
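Review bot: The commented example `profiles::dns::updater::key_secret: ENC[...]` will not bind on its own, because this commit declares the parameter as `Optional[Sensitive[String]]` in profiles::dns::updater and a plain String coming from Hiera fails that type check unless a `lookup_options` entry converts it, which nothing in this hunk does. Extend the comment so whoever does the cutover adds both pieces: `# lookup_options:` / `#   profiles::dns::updater::key_secret:` / `#     convert_to: 'Sensitive'`. The `lookup_options` block is harmless while the key is unset, so it could also simply be declared here now.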
+55
@@ -12,6 +12,61 @@ hiera_include:
rke2::bootstrap_node: prodnxsr0001.main.unkin.net rke2::bootstrap_node: prodnxsr0001.main.unkin.net
rke2::join_url: https://join-k8s.service.consul:9345 rke2::join_url: https://join-k8s.service.consul:9345
rke2::manage_registries: true rke2::manage_registries: true
rke2::registries:
docker.io:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "dockerhub/$1"
disable-default-registry-endpoint: true
ghcr.io:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "ghcr/$1"
disable-default-registry-endpoint: true
quay.io:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "quay/$1"
disable-default-registry-endpoint: true
registry.k8s.io:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "k8s-registry/$1"
disable-default-registry-endpoint: true
registry.gitlab.com:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "gitlab/$1"
disable-default-registry-endpoint: true
docker.elastic.co:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "elastic/$1"
disable-default-registry-endpoint: true
gcr.io:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "gcr/$1"
disable-default-registry-endpoint: true
docker.litellm.ai:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "litellm/$1"
disable-default-registry-endpoint: true
public.ecr.aws:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "ecr-public/$1"
disable-default-registry-endpoint: true
rke2::config_hash: rke2::config_hash:
bind-address: "%{hiera('networking_loopback0_ip')}" bind-address: "%{hiera('networking_loopback0_ip')}"
node-ip: "%{hiera('networking_loopback0_ip')}" node-ip: "%{hiera('networking_loopback0_ip')}"
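Review bot: The artifactapi endpoint URL and the `disable-default-registry-endpoint: true` line are repeated verbatim for all nine mirrors, so an endpoint change (or a second replica) has to be edited in nine places and a missed one silently leaves that registry on a different path. A YAML anchor keeps the value in one place, e.g. `endpoint: &artifactapi` on the first mirror and `endpoint: *artifactapi` on the others; Hiera's YAML backend resolves standard anchors, so the resulting hash is unchanged. The only content that genuinely differs per mirror is the rewrite prefix.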
+88
@@ -0,0 +1,88 @@
# frozen_string_literal: true
# lib/facter/dns_records.rb
#
# Reports this host's expected DNS records (assembled by profiles::dns::updater
# into its records file) versus what is currently deployed on the authoritative
# server, so puppet can detect drift and re-apply.
#
# Structured value:
# { server, count, expected => [{zone,fqdn,type,ttl,value}], in_sync,
# drift => [{...,deployed => [...]}] }
# Helpers for the dns_records fact.
module DnsRecordsFact
RECORDS_FILE = '/var/lib/dns-updater/records'
SERVER_FILE = '/var/lib/dns-updater/server'
module_function
# normalise a value for comparison: strip, drop trailing dot, downcase
def norm(value)
value.to_s.strip.chomp('.').downcase
end
def server
File.exist?(SERVER_FILE) ? File.read(SERVER_FILE).strip : nil
end
# a name relative to a zone (or @) as a fully-qualified name
def to_fqdn(name, zone)
return "#{zone}." if name.to_s.empty? || name == '@'
"#{name}.#{zone}."
end
# parse one "zone|name|type|ttl|value" line into a record hash (nil to skip)
def parse_line(line)
line = line.strip
return nil if line.empty? || line.start_with?('#')
zone, name, type, ttl, value = line.split('|', 5)
return nil unless zone && type && value
{ 'zone' => zone, 'fqdn' => to_fqdn(name, zone), 'type' => type, 'ttl' => ttl, 'value' => value }
end
# parse the records file into record hashes
def expected
return [] unless File.exist?(RECORDS_FILE)
File.readlines(RECORDS_FILE).filter_map { |line| parse_line(line) }
end
# the values currently deployed for a record, per the authoritative server
def deployed(record, srv)
cmd = ['dig', '+short', '+time=2', '+tries=1']
cmd << "@#{srv}" if srv && !srv.empty?
cmd += [record['fqdn'], record['type']]
out = Facter::Core::Execution.execute(cmd.join(' '), on_fail: '')
out.to_s.split("\n").map { |line| norm(line) }.reject(&:empty?)
end
def report
srv = server
exp = expected
drift = exp.filter_map do |record|
dep = deployed(record, srv)
record.merge('deployed' => dep) unless dep.include?(norm(record['value']))
end
{ 'server' => srv, 'count' => exp.length, 'expected' => exp, 'in_sync' => drift.empty?, 'drift' => drift }
end
end
Facter.add(:dns_records) do
confine kernel: 'Linux'
setcode do
File.exist?(DnsRecordsFact::RECORDS_FILE) ? DnsRecordsFact.report : nil
end
end
# Convenience boolean for `if $facts['dns_records_insync']` guards.
Facter.add(:dns_records_insync) do
confine kernel: 'Linux'
setcode do
v = Facter.value(:dns_records)
v.nil? ? nil : v['in_sync']
end
end
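Review bot: In `deployed`, `on_fail: ''` makes a failed or timed-out `dig` indistinguishable from an empty answer, so a transient outage of the authoritative server during a facter run reports every record as drift, flips `dns_records_insync` to false and, since each query waits `+time=2`, stalls fact collection by up to 2s per expected record. Pass `on_fail: nil`, return `nil` from `deployed` when the command failed, and have `report` list those records as unverified (a separate `unknown` array) rather than as drift, so a re-apply is only triggered by an actual answer from the server. The module header should also state that the fact issues one network query per expected record on every facter run; that cost is not something a reader would guess from the fact name.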
-38
@@ -1,38 +0,0 @@
---
# DO NOT MODIFY - MANAGED BY PUPPET
mirrors:
docker.io:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "dockerhub/$1"
ghcr.io:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "ghcr/$1"
quay.io:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "quay/$1"
registry.k8s.io:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "k8s-registry/$1"
registry.gitlab.com:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "gitlab/$1"
docker.elastic.co:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "elastic/$1"
gcr.io:
endpoint:
- "https://artifactapi.k8s.syd1.au.unkin.net"
rewrite:
"^(.*)$": "gcr/$1"
+2 -1
@@ -8,6 +8,7 @@ class rke2::config (
String $node_token = $rke2::node_token, String $node_token = $rke2::node_token,
Array[String[1]] $extra_config_files = $rke2::extra_config_files, Array[String[1]] $extra_config_files = $rke2::extra_config_files,
Boolean $manage_registries = $rke2::manage_registries, Boolean $manage_registries = $rke2::manage_registries,
Hash $registries = $rke2::registries,
){ ){
# if its not the bootstrap node, add join path to config # if its not the bootstrap node, add join path to config
@@ -35,7 +36,7 @@ class rke2::config (
owner => 'root', owner => 'root',
group => 'root', group => 'root',
mode => '0644', mode => '0644',
source => 'puppet:///modules/rke2/registries.yaml', content => epp('rke2/registries.yaml.epp', { registries => $registries }),
require => Package["rke2-${node_type}"], require => Package["rke2-${node_type}"],
notify => Service["rke2-${node_type}"], notify => Service["rke2-${node_type}"],
} }
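Review bot: `Hash $registries` on the new parameter line accepts any hash, but the template this class now renders indexes `$config['endpoint']` for every entry, so a malformed Hiera entry surfaces as a template evaluation error instead of a parameter type error that names the offending key. A `Struct` type documents the contract and fails early: `Hash[String[1], Struct[{ endpoint => Array[Stdlib::HTTPUrl, 1], Optional[rewrite] => Hash[String, String], Optional['disable-default-registry-endpoint'] => Boolean }]] $registries = $rke2::registries,`. The same parameter is declared in the rke2 and rke2::params hunks below and should carry the same type.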
+1
@@ -13,6 +13,7 @@ class rke2 (
Array[String[1]] $extra_config_files = $rke2::params::extra_config_files, Array[String[1]] $extra_config_files = $rke2::params::extra_config_files,
Stdlib::HTTPUrl $container_archive_source = $rke2::params::container_archive_source, Stdlib::HTTPUrl $container_archive_source = $rke2::params::container_archive_source,
Boolean $manage_registries = $rke2::params::manage_registries, Boolean $manage_registries = $rke2::params::manage_registries,
Hash $registries = $rke2::params::registries,
) inherits rke2::params { ) inherits rke2::params {
include rke2::install include rke2::install
+1
@@ -13,4 +13,5 @@ class rke2::params (
Array[String[1]] $extra_config_files = [], Array[String[1]] $extra_config_files = [],
Stdlib::HTTPUrl $container_archive_source = 'https://github.com/rancher/rke2/releases/download', Stdlib::HTTPUrl $container_archive_source = 'https://github.com/rancher/rke2/releases/download',
Boolean $manage_registries = false, Boolean $manage_registries = false,
Hash $registries = {},
) {} ) {}
@@ -0,0 +1,20 @@
<%- | Hash $registries | -%>
---
# DO NOT MODIFY - MANAGED BY PUPPET
mirrors:
<%- $registries.each |$registry, $config| { -%>
<%= $registry %>:
endpoint:
<%- $config['endpoint'].each |$ep| { -%>
- "<%= $ep %>"
<%- } -%>
<%- if $config['rewrite'] { -%>
rewrite:
<%- $config['rewrite'].each |$pattern, $replacement| { -%>
"<%= $pattern %>": "<%= $replacement %>"
<%- } -%>
<%- } -%>
<%- if $config['disable-default-registry-endpoint'] { -%>
disable-default-registry-endpoint: true
<%- } -%>
<%- } -%>
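Review bot: The rewrite line emits `$pattern` and `$replacement` inside YAML double quotes without escaping, and rewrite patterns are regular expressions, so the first pattern containing a backslash (an escaped dot, say) produces an invalid YAML escape sequence and the whole registries.yaml fails to parse; the current `^(.*)$` values only work because they contain neither `\` nor `"`. Emit single-quoted scalars with embedded single quotes doubled, which is exactly YAML's rule: `'<%= regsubst($pattern, "'", "''", 'G') %>': '<%= regsubst($replacement, "'", "''", 'G') %>'`. The `endpoint` values deserve the same treatment for consistency. The template also calls `$config['endpoint'].each` unconditionally, so an entry without `endpoint` fails with an undef-method error rather than a message naming the registry.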
+4 -1
@@ -11,9 +11,12 @@ class profiles::dns::base (
Optional[String] $ns_role = undef, Optional[String] $ns_role = undef,
){ ){
# install bind_utils # install bind_utils (provides nsupdate)
include bind::updater include bind::updater
# assemble the host's DNS records and nsupdate them to the authoritative server
include profiles::dns::updater
# if ns_role is set, find all hosts matching that enc_role # if ns_role is set, find all hosts matching that enc_role
$nameserver_array = $ns_role ? { $nameserver_array = $ns_role ? {
undef => $nameservers, undef => $nameservers,
+24 -3
@@ -1,4 +1,10 @@
# defines the base record that will be exported # profiles::dns::record
#
# Declares a DNS record for this host. Publishes it via either or both methods,
# controlled by profiles::dns::updater's toggles (both on during cutover):
# - nsupdate: a local concat fragment consumed by profiles::dns::updater,
# which nsupdates it to the authoritative server.
# - export: the legacy @@concat::fragment exported to the puppet DNS master.
define profiles::dns::record ( define profiles::dns::record (
String $record, String $record,
Enum[ Enum[
@@ -13,11 +19,26 @@ define profiles::dns::record (
String $value, String $value,
String $zone, String $zone,
Integer $order, Integer $order,
Stdlib::AbsolutePath $basedir = lookup('profiles::dns::master::basedir'), Integer $ttl = 300,
) { ) {
include profiles::dns::updater
# new: local records file consumed by the nsupdate service
if $profiles::dns::updater::manage_nsupdate {
# zone|name|type|ttl|value (parsed by the dns-update script)
concat::fragment { "dns-record-${name}":
target => $profiles::dns::updater::records_file,
content => "${zone}|${record}|${type}|${ttl}|${value}\n",
order => sprintf('%03d', $order),
}
}
# legacy: export the fragment to the puppet DNS master
if $profiles::dns::updater::manage_export {
@@concat::fragment { "${zone}_${name}": @@concat::fragment { "${zone}_${name}":
target => "${basedir}/${zone}.conf", target => "${profiles::dns::updater::master_basedir}/${zone}.conf",
content => "${record} IN ${type} ${value}\n", content => "${record} IN ${type} ${value}\n",
order => $order, order => $order,
} }
}
} }
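Review bot: The new `Integer $ttl = 300` default duplicates `profiles::dns::updater::default_ttl`, which this commit declares as 300 in the updater class and otherwise never reads in what is visible here, so raising the site default in Hiera would not affect records that leave `ttl` unset. Declare `Optional[Integer] $ttl = undef,` and resolve it after the include with `$_ttl = pick($ttl, $profiles::dns::updater::default_ttl)`, using `$_ttl` in the fragment content. Dropping `$basedir` from the signature also breaks any caller that passed it explicitly; if none do, a line in the header comment saying the master path now comes from `profiles::dns::updater::master_basedir` would save the next reader the search. The define's parameter list starts in the first hunk and continues outside it.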
+127
@@ -0,0 +1,127 @@
# profiles::dns::updater
#
# Publishes this host's DNS records. Two methods, independently toggled so both
# can run during the k8s cutover (profiles::dns::record honours the same flags):
#
# - nsupdate ($manage_nsupdate): assemble the records into a local file and
# nsupdate them to the k8s authoritative write endpoint via a systemd .path
# unit that watches the file. Inert until $key_secret (TSIG) is set.
# - export ($manage_export): the legacy exported-resources flow to the puppet
# DNS master. Kept during cutover; disable once k8s is authoritative.
#
# nsupdate comes from bind-utils (installed via bind::updater in
# profiles::dns::base).
class profiles::dns::updater (
Boolean $manage_nsupdate = true,
Boolean $manage_export = true,
String $server = '198.18.200.9',
String $key_name = 'client-update',
String $key_algorithm = 'hmac-sha256',
Optional[Sensitive[String]] $key_secret = undef,
Integer $default_ttl = 300,
Stdlib::AbsolutePath $records_file = '/var/lib/dns-updater/records',
Stdlib::AbsolutePath $state_dir = '/var/lib/dns-updater',
Stdlib::AbsolutePath $config_dir = '/etc/dns-updater',
Stdlib::AbsolutePath $master_basedir = lookup('profiles::dns::master::basedir'),
) {
$state_file = "${state_dir}/applied"
$server_file = "${state_dir}/server"
$key_file = "${config_dir}/key"
if $manage_nsupdate {
file { $state_dir:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
# Server address, read by the dns_records fact for drift detection.
file { $server_file:
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
content => "${server}\n",
require => File[$state_dir],
}
# Records file, assembled from profiles::dns::record fragments.
concat { $records_file:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
ensure_newline => true,
warn => false,
require => File[$state_dir],
}
concat::fragment { 'dns-update-header':
target => $records_file,
content => "# Managed by puppet (profiles::dns::record): zone|name|type|ttl|value\n",
order => '00',
}
if $key_secret =~ Undef {
notify { 'dns-updater-inert':
message => 'profiles::dns::updater: key_secret unset; records assembled but not applied.',
loglevel => 'info',
}
} else {
file { $config_dir:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0700',
}
file { $key_file:
ensure => file,
owner => 'root',
group => 'root',
mode => '0600',
show_diff => false,
content => Sensitive(epp('profiles/dns/tsig-key.epp', {
'name' => $key_name,
'algorithm' => $key_algorithm,
'secret' => $key_secret.unwrap,
})),
}
file { '/usr/local/bin/dns-update':
ensure => file,
owner => 'root',
group => 'root',
mode => '0755',
content => epp('profiles/dns/dns-update.sh.epp', {
'server' => $server,
'key_file' => $key_file,
'records_file' => $records_file,
'state_file' => $state_file,
}),
}
systemd::unit_file { 'dns-update.service':
content => epp('profiles/dns/dns-update.service.epp', { 'script' => '/usr/local/bin/dns-update' }),
}
# The .path unit watches the records file and triggers the service.
systemd::unit_file { 'dns-update.path':
content => epp('profiles/dns/dns-update.path.epp', { 'records_file' => $records_file }),
active => true,
enable => true,
}
# Also apply within the puppet run whenever the records change.
exec { 'dns-update-apply':
command => '/usr/local/bin/dns-update',
refreshonly => true,
subscribe => Concat[$records_file],
require => [File['/usr/local/bin/dns-update'], File[$key_file]],
}
}
}
}
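Review bot: A records change now runs `/usr/local/bin/dns-update` twice: once from `exec { 'dns-update-apply' }` when the concat refreshes, and once from the `dns-update.path` unit, which fires on the very same file modification. The script takes no lock, so the two runs race on `$state_file` and can interleave two nsupdate sessions against the server; either drop the exec (the path unit already covers the puppet-run case) or serialise the script, e.g. by holding `flock` on the state file from before `applied` is read until the state is rewritten. Separately, when `$key_secret` is later unset the class only emits the notify and leaves `$key_file`, the script and both units on the host; the inert branch should at least `ensure => absent` the key file, otherwise the TSIG secret outlives its configuration.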
@@ -0,0 +1,10 @@
<%- | String $records_file | -%>
[Unit]
Description=Watch the DNS records file and apply changes
[Path]
PathModified=<%= $records_file %>
Unit=dns-update.service
[Install]
WantedBy=multi-user.target
@@ -0,0 +1,9 @@
<%- | String $script | -%>
[Unit]
Description=Apply host DNS records via nsupdate
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
ExecStart=<%= $script %>
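Review bot: The service runs the updater as root with full filesystem access although it only reads the key and records files and writes the state file. Adding `ProtectSystem=strict`, `PrivateTmp=true` and a `ReadWritePaths=` line for the state directory under `[Service]` would confine a misbehaving script; the state directory would have to be passed in as a second template parameter next to `$script`. The script's `mktemp` keeps working under `PrivateTmp`.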
@@ -0,0 +1,56 @@
<%- | String $server, String $key_file, String $records_file, String $state_file | -%>
#!/bin/bash
# Managed by puppet (profiles::dns::updater). Applies this host's records to the
# authoritative DNS server via TSIG nsupdate. Only the delta since the last
# successful run is sent; removed records are deleted.
set -euo pipefail
SERVER="<%= $server %>"
KEYFILE="<%= $key_file %>"
RECORDS="<%= $records_file %>"
STATE="<%= $state_file %>"
[ -f "$RECORDS" ] || exit 0
touch "$STATE"
# Format per line: zone|name|type|ttl|value (name is relative to zone, or @).
desired="$(grep -vE '^[[:space:]]*(#|$)' "$RECORDS" | sort -u || true)"
applied="$(grep -vE '^[[:space:]]*(#|$)' "$STATE" 2>/dev/null | sort -u || true)"
[ "$desired" = "$applied" ] && exit 0
fqdn() { # name zone
if [ -z "$1" ] || [ "$1" = "@" ]; then printf '%s.' "$2"; else printf '%s.%s.' "$1" "$2"; fi
}
msg="$(mktemp)"
trap 'rm -f "$msg"' EXIT
printf 'server %s\n' "$SERVER" >> "$msg"
# Process per zone so each UPDATE message targets a single zone.
zones="$(printf '%s\n%s\n' "$desired" "$applied" | cut -d'|' -f1 | sort -u | grep -v '^$' || true)"
for zone in $zones; do
printf 'zone %s.\n' "$zone" >> "$msg"
# Additions/updates: replace the RRset for every desired record in this zone.
printf '%s\n' "$desired" | awk -F'|' -v z="$zone" 'NF>=5 && $1==z' | \
while IFS='|' read -r z name type ttl value; do
f="$(fqdn "$name" "$z")"
printf 'update delete %s %s\n' "$f" "$type" >> "$msg"
printf 'update add %s %s %s %s\n' "$f" "$ttl" "$type" "$value" >> "$msg"
done
# Deletions: records present last run but gone now.
comm -23 <(printf '%s\n' "$applied") <(printf '%s\n' "$desired") | \
awk -F'|' -v z="$zone" 'NF>=5 && $1==z' | \
while IFS='|' read -r z name type ttl value; do
f="$(fqdn "$name" "$z")"
printf 'update delete %s %s %s\n' "$f" "$type" "$value" >> "$msg"
done
printf 'send\n' >> "$msg"
done
if nsupdate -k "$KEYFILE" "$msg"; then
printf '%s\n' "$desired" > "$STATE"
else
echo "dns-update: nsupdate to ${SERVER} failed" >&2
exit 1
fi
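Review bot: A change that keeps a record's value but alters its TTL deletes the record instead of updating it: the additions loop emits `update delete <fqdn> <type>` then `update add`, but `comm -23` still lists the old `zone|name|type|ttl|value` line because the line text differs, so the deletions loop appends `update delete <fqdn> <type> <value>` with the same value and the whole message is applied in order before `send`. The RRset clear is also repeated for every desired line, so if a host declares two values for one name and type (two A records, say) the second `update delete <fqdn> <type>` removes the value just added and only the last survives. The rewrite below clears each RRset once per zone and restricts the deletions pass to zone|name|type keys that are entirely absent from the desired set. `for zone in $zones` also relies on word-splitting a newline-joined list; reading the list with `while read` avoids that and keeps shellcheck quiet.
```bash
# … unchanged: header, desired/applied, fqdn, msg/trap, zones …
while IFS= read -r zone; do
  [ -n "$zone" ] || continue
  printf 'zone %s.\n' "$zone" >> "$msg"
  # Additions/updates: clear each RRset once per name/type, then add every
  # desired value, so a name with several values of one type keeps them all.
  declare -A cleared=()
  printf '%s\n' "$desired" | awk -F'|' -v z="$zone" 'NF>=5 && $1==z' | \
    while IFS='|' read -r z name type ttl value; do
      f="$(fqdn "$name" "$z")"
      if [ -z "${cleared["$f $type"]+set}" ]; then
        printf 'update delete %s %s\n' "$f" "$type" >> "$msg"
        cleared["$f $type"]=1
      fi
      printf 'update add %s %s %s %s\n' "$f" "$ttl" "$type" "$value" >> "$msg"
    done
  # Deletions: only records whose zone|name|type is gone from the desired set.
  # A TTL or value change is already covered by the RRset replace above and
  # must not be followed by a delete, or the freshly added record is removed.
  comm -23 <(printf '%s\n' "$applied") <(printf '%s\n' "$desired") | \
    awk -F'|' -v z="$zone" \
      'NR==FNR { if (NF>=5) keep[$1"|"$2"|"$3]=1; next }
       NF>=5 && $1==z && !(($1"|"$2"|"$3) in keep)' \
      <(printf '%s\n' "$desired") - | \
    while IFS='|' read -r z name type ttl value; do
      f="$(fqdn "$name" "$z")"
      printf 'update delete %s %s %s\n' "$f" "$type" "$value" >> "$msg"
    done
  printf 'send\n' >> "$msg"
done <<<"$zones"
# … unchanged: nsupdate call and state update …
```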
+5
@@ -0,0 +1,5 @@
<%- | String $name, String $algorithm, String $secret | -%>
key "<%= $name %>" {
algorithm <%= $algorithm %>;
secret "<%= $secret %>";
};