Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| e94cbc7952 |
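--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -208,20 +208,6 @@ vault::disable_mlock: false
 profiles::dns::base::nameservers:
 - 198.18.19.16
 profiles::dns::master::basedir: '/var/named/sources'
-
-# dns record publishing. During the k8s cutover both methods run; set
-# manage_export false once k8s is authoritative.
-# - export: legacy exported-resources -> puppet DNS master
-# - nsupdate: RFC2136 to the k8s bind-authoritative write endpoint (.9),
-# inert until the TSIG key is set in eyaml:
-# profiles::dns::updater::key_secret: ENC[...]
-# (must match the key the bind-authoritative zones allow-update
-# with; algorithm hmac-sha256)
-profiles::dns::updater::manage_export: true
-profiles::dns::updater::manage_nsupdate: true
-profiles::dns::updater::server: '198.18.200.9'
-profiles::dns::updater::key_name: 'client-update'
-profiles::dns::updater::key_algorithm: 'hmac-sha256'
 #profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
 #profiles::dns::base::use_ns: 'region'
 profiles::consul::server::members_role: roles::infra::storage::consul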
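--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -55,18 +55,6 @@ rke2::registries:
 rewrite:
 "^(.*)$": "gcr/$1"
 disable-default-registry-endpoint: true
-docker.litellm.ai:
-endpoint:
-- "https://artifactapi.k8s.syd1.au.unkin.net"
-rewrite:
-"^(.*)$": "litellm/$1"
-disable-default-registry-endpoint: true
-public.ecr.aws:
-endpoint:
-- "https://artifactapi.k8s.syd1.au.unkin.net"
-rewrite:
-"^(.*)$": "ecr-public/$1"
-disable-default-registry-endpoint: true
 rke2::config_hash:
 bind-address: "%{hiera('networking_loopback0_ip')}"
 node-ip: "%{hiera('networking_loopback0_ip')}"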
@@ -1,88 +0,0 @@
|
|||||||
# frozen_string_literal: true
|
|
||||||
|
|
||||||
# lib/facter/dns_records.rb
|
|
||||||
#
|
|
||||||
# Reports this host's expected DNS records (assembled by profiles::dns::updater
|
|
||||||
# into its records file) versus what is currently deployed on the authoritative
|
|
||||||
# server, so puppet can detect drift and re-apply.
|
|
||||||
#
|
|
||||||
# Structured value:
|
|
||||||
# { server, count, expected => [{zone,fqdn,type,ttl,value}], in_sync,
|
|
||||||
# drift => [{...,deployed => [...]}] }
|
|
||||||
|
|
||||||
# Helpers for the dns_records fact.
|
|
||||||
module DnsRecordsFact
|
|
||||||
RECORDS_FILE = '/var/lib/dns-updater/records'
|
|
||||||
SERVER_FILE = '/var/lib/dns-updater/server'
|
|
||||||
|
|
||||||
module_function
|
|
||||||
|
|
||||||
# normalise a value for comparison: strip, drop trailing dot, downcase
|
|
||||||
def norm(value)
|
|
||||||
value.to_s.strip.chomp('.').downcase
|
|
||||||
end
|
|
||||||
|
|
||||||
def server
|
|
||||||
File.exist?(SERVER_FILE) ? File.read(SERVER_FILE).strip : nil
|
|
||||||
end
|
|
||||||
|
|
||||||
# a name relative to a zone (or @) as a fully-qualified name
|
|
||||||
def to_fqdn(name, zone)
|
|
||||||
return "#{zone}." if name.to_s.empty? || name == '@'
|
|
||||||
|
|
||||||
"#{name}.#{zone}."
|
|
||||||
end
|
|
||||||
|
|
||||||
# parse one "zone|name|type|ttl|value" line into a record hash (nil to skip)
|
|
||||||
def parse_line(line)
|
|
||||||
line = line.strip
|
|
||||||
return nil if line.empty? || line.start_with?('#')
|
|
||||||
|
|
||||||
zone, name, type, ttl, value = line.split('|', 5)
|
|
||||||
return nil unless zone && type && value
|
|
||||||
|
|
||||||
{ 'zone' => zone, 'fqdn' => to_fqdn(name, zone), 'type' => type, 'ttl' => ttl, 'value' => value }
|
|
||||||
end
|
|
||||||
|
|
||||||
# parse the records file into record hashes
|
|
||||||
def expected
|
|
||||||
return [] unless File.exist?(RECORDS_FILE)
|
|
||||||
|
|
||||||
File.readlines(RECORDS_FILE).filter_map { |line| parse_line(line) }
|
|
||||||
end
|
|
||||||
|
|
||||||
# the values currently deployed for a record, per the authoritative server
|
|
||||||
def deployed(record, srv)
|
|
||||||
cmd = ['dig', '+short', '+time=2', '+tries=1']
|
|
||||||
cmd << "@#{srv}" if srv && !srv.empty?
|
|
||||||
cmd += [record['fqdn'], record['type']]
|
|
||||||
out = Facter::Core::Execution.execute(cmd.join(' '), on_fail: '')
|
|
||||||
out.to_s.split("\n").map { |line| norm(line) }.reject(&:empty?)
|
|
||||||
end
|
|
||||||
|
|
||||||
def report
|
|
||||||
srv = server
|
|
||||||
exp = expected
|
|
||||||
drift = exp.filter_map do |record|
|
|
||||||
dep = deployed(record, srv)
|
|
||||||
record.merge('deployed' => dep) unless dep.include?(norm(record['value']))
|
|
||||||
end
|
|
||||||
{ 'server' => srv, 'count' => exp.length, 'expected' => exp, 'in_sync' => drift.empty?, 'drift' => drift }
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
Facter.add(:dns_records) do
|
|
||||||
confine kernel: 'Linux'
|
|
||||||
setcode do
|
|
||||||
File.exist?(DnsRecordsFact::RECORDS_FILE) ? DnsRecordsFact.report : nil
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
# Convenience boolean for `if $facts['dns_records_insync']` guards.
|
|
||||||
Facter.add(:dns_records_insync) do
|
|
||||||
confine kernel: 'Linux'
|
|
||||||
setcode do
|
|
||||||
v = Facter.value(:dns_records)
|
|
||||||
v.nil? ? nil : v['in_sync']
|
|
||||||
end
|
|
||||||
end
|
|
||||||
@@ -11,12 +11,9 @@ class profiles::dns::base (
|
|||||||
Optional[String] $ns_role = undef,
|
Optional[String] $ns_role = undef,
|
||||||
){
|
){
|
||||||
|
|
||||||
# install bind_utils (provides nsupdate)
|
# install bind_utils
|
||||||
include bind::updater
|
include bind::updater
|
||||||
|
|
||||||
# assemble the host's DNS records and nsupdate them to the authoritative server
|
|
||||||
include profiles::dns::updater
|
|
||||||
|
|
||||||
# if ns_role is set, find all hosts matching that enc_role
|
# if ns_role is set, find all hosts matching that enc_role
|
||||||
$nameserver_array = $ns_role ? {
|
$nameserver_array = $ns_role ? {
|
||||||
undef => $nameservers,
|
undef => $nameservers,
|
||||||
|
|||||||
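Review bot: `include bind::updater` under the reworded `# install bind_utils` comment is kept although this commit removes `include profiles::dns::updater`, the only visible consumer of the nsupdate binary that bind-utils provided; if nothing else in the catalog for these hosts needs bind-utils, the include (and the package it installs) is now unused and should go with the rest of the revert. If it is kept on purpose, the comment should state what still depends on it, e.g. `# install bind_utils (still required by <reason>)`, so the next reader does not remove it as leftover. The enclosing `class profiles::dns::base (` starts before this hunk.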
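--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,10 +1,4 @@
-# profiles::dns::record
-#
-# Declares a DNS record for this host. Publishes it via either or both methods,
-# controlled by profiles::dns::updater's toggles (both on during cutover):
-# - nsupdate: a local concat fragment consumed by profiles::dns::updater,
-# which nsupdates it to the authoritative server.
-# - export: the legacy @@concat::fragment exported to the puppet DNS master.
+# defines the base record that will be exported
 define profiles::dns::record (
 String $record,
 Enum[
@@ -19,26 +13,11 @@ define profiles::dns::record (
 String $value,
 String $zone,
 Integer $order,
-Integer $ttl = 300,
+Stdlib::AbsolutePath $basedir = lookup('profiles::dns::master::basedir'),
 ) {
-include profiles::dns::updater
-
-# new: local records file consumed by the nsupdate service
-if $profiles::dns::updater::manage_nsupdate {
-# zone|name|type|ttl|value (parsed by the dns-update script)
-concat::fragment { "dns-record-${name}":
-target => $profiles::dns::updater::records_file,
-content => "${zone}|${record}|${type}|${ttl}|${value}\n",
-order => sprintf('%03d', $order),
-}
-}
-
-# legacy: export the fragment to the puppet DNS master
-if $profiles::dns::updater::manage_export {
-@@concat::fragment { "${zone}_${name}":
-target => "${profiles::dns::updater::master_basedir}/${zone}.conf",
-content => "${record} IN ${type} ${value}\n",
-order => $order,
-}
+@@concat::fragment { "${zone}_${name}":
+target => "${basedir}/${zone}.conf",
+content => "${record} IN ${type} ${value}\n",
+order => $order,
 }
 }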
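Review bot: Dropping `Integer $ttl = 300,` from the parameter list (the `@@ -19,26 +13,11` hunk) is a breaking interface change: any declaration of `profiles::dns::record` that still passes `ttl =>` will now fail catalog compilation with an unknown-parameter error, and the exported line `content => "${record} IN ${type} ${value}\n",` carries no TTL, so every record silently takes the zone default. If no caller passes `ttl` the removal is fine; otherwise keep the parameter and emit it, `content => "${record} ${ttl} IN ${type} ${value}\n",`. Separately, `$record` and `$value` are plain `String` and are interpolated unescaped into the master's zone file, so a value that contains a newline would land as extra lines in `${basedir}/${zone}.conf`; a `Pattern[/\A[^\n]+\z/]` type (or at least `String[1]`) on both parameters rejects that at compile time. The `define profiles::dns::record (` header is only partly visible in the first hunk and the `Enum[` for `$type` continues outside it.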
@@ -1,127 +0,0 @@
|
|||||||
# profiles::dns::updater
|
|
||||||
#
|
|
||||||
# Publishes this host's DNS records. Two methods, independently toggled so both
|
|
||||||
# can run during the k8s cutover (profiles::dns::record honours the same flags):
|
|
||||||
#
|
|
||||||
# - nsupdate ($manage_nsupdate): assemble the records into a local file and
|
|
||||||
# nsupdate them to the k8s authoritative write endpoint via a systemd .path
|
|
||||||
# unit that watches the file. Inert until $key_secret (TSIG) is set.
|
|
||||||
# - export ($manage_export): the legacy exported-resources flow to the puppet
|
|
||||||
# DNS master. Kept during cutover; disable once k8s is authoritative.
|
|
||||||
#
|
|
||||||
# nsupdate comes from bind-utils (installed via bind::updater in
|
|
||||||
# profiles::dns::base).
|
|
||||||
class profiles::dns::updater (
|
|
||||||
Boolean $manage_nsupdate = true,
|
|
||||||
Boolean $manage_export = true,
|
|
||||||
String $server = '198.18.200.9',
|
|
||||||
String $key_name = 'client-update',
|
|
||||||
String $key_algorithm = 'hmac-sha256',
|
|
||||||
Optional[Sensitive[String]] $key_secret = undef,
|
|
||||||
Integer $default_ttl = 300,
|
|
||||||
Stdlib::AbsolutePath $records_file = '/var/lib/dns-updater/records',
|
|
||||||
Stdlib::AbsolutePath $state_dir = '/var/lib/dns-updater',
|
|
||||||
Stdlib::AbsolutePath $config_dir = '/etc/dns-updater',
|
|
||||||
Stdlib::AbsolutePath $master_basedir = lookup('profiles::dns::master::basedir'),
|
|
||||||
) {
|
|
||||||
|
|
||||||
$state_file = "${state_dir}/applied"
|
|
||||||
$server_file = "${state_dir}/server"
|
|
||||||
$key_file = "${config_dir}/key"
|
|
||||||
|
|
||||||
if $manage_nsupdate {
|
|
||||||
|
|
||||||
file { $state_dir:
|
|
||||||
ensure => directory,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0755',
|
|
||||||
}
|
|
||||||
|
|
||||||
# Server address, read by the dns_records fact for drift detection.
|
|
||||||
file { $server_file:
|
|
||||||
ensure => file,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0644',
|
|
||||||
content => "${server}\n",
|
|
||||||
require => File[$state_dir],
|
|
||||||
}
|
|
||||||
|
|
||||||
# Records file, assembled from profiles::dns::record fragments.
|
|
||||||
concat { $records_file:
|
|
||||||
ensure => present,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0644',
|
|
||||||
ensure_newline => true,
|
|
||||||
warn => false,
|
|
||||||
require => File[$state_dir],
|
|
||||||
}
|
|
||||||
|
|
||||||
concat::fragment { 'dns-update-header':
|
|
||||||
target => $records_file,
|
|
||||||
content => "# Managed by puppet (profiles::dns::record): zone|name|type|ttl|value\n",
|
|
||||||
order => '00',
|
|
||||||
}
|
|
||||||
|
|
||||||
if $key_secret =~ Undef {
|
|
||||||
notify { 'dns-updater-inert':
|
|
||||||
message => 'profiles::dns::updater: key_secret unset; records assembled but not applied.',
|
|
||||||
loglevel => 'info',
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
file { $config_dir:
|
|
||||||
ensure => directory,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0700',
|
|
||||||
}
|
|
||||||
|
|
||||||
file { $key_file:
|
|
||||||
ensure => file,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0600',
|
|
||||||
show_diff => false,
|
|
||||||
content => Sensitive(epp('profiles/dns/tsig-key.epp', {
|
|
||||||
'name' => $key_name,
|
|
||||||
'algorithm' => $key_algorithm,
|
|
||||||
'secret' => $key_secret.unwrap,
|
|
||||||
})),
|
|
||||||
}
|
|
||||||
|
|
||||||
file { '/usr/local/bin/dns-update':
|
|
||||||
ensure => file,
|
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0755',
|
|
||||||
content => epp('profiles/dns/dns-update.sh.epp', {
|
|
||||||
'server' => $server,
|
|
||||||
'key_file' => $key_file,
|
|
||||||
'records_file' => $records_file,
|
|
||||||
'state_file' => $state_file,
|
|
||||||
}),
|
|
||||||
}
|
|
||||||
|
|
||||||
systemd::unit_file { 'dns-update.service':
|
|
||||||
content => epp('profiles/dns/dns-update.service.epp', { 'script' => '/usr/local/bin/dns-update' }),
|
|
||||||
}
|
|
||||||
|
|
||||||
# The .path unit watches the records file and triggers the service.
|
|
||||||
systemd::unit_file { 'dns-update.path':
|
|
||||||
content => epp('profiles/dns/dns-update.path.epp', { 'records_file' => $records_file }),
|
|
||||||
active => true,
|
|
||||||
enable => true,
|
|
||||||
}
|
|
||||||
|
|
||||||
# Also apply within the puppet run whenever the records change.
|
|
||||||
exec { 'dns-update-apply':
|
|
||||||
command => '/usr/local/bin/dns-update',
|
|
||||||
refreshonly => true,
|
|
||||||
subscribe => Concat[$records_file],
|
|
||||||
require => [File['/usr/local/bin/dns-update'], File[$key_file]],
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
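--- a/PATH-NOT-SHOWN
+++ /dev/null
@@ -1,10 +0,0 @@
-<%- | String $records_file | -%>
-[Unit]
-Description=Watch the DNS records file and apply changes
-
-[Path]
-PathModified=<%= $records_file %>
-Unit=dns-update.service
-
-[Install]
-WantedBy=multi-user.target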
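--- a/PATH-NOT-SHOWN
+++ /dev/null
@@ -1,9 +0,0 @@
-<%- | String $script | -%>
-[Unit]
-Description=Apply host DNS records via nsupdate
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-Type=oneshot
-ExecStart=<%= $script %>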
@@ -1,56 +0,0 @@
|
|||||||
<%- | String $server, String $key_file, String $records_file, String $state_file | -%>
|
|
||||||
#!/bin/bash
|
|
||||||
# Managed by puppet (profiles::dns::updater). Applies this host's records to the
|
|
||||||
# authoritative DNS server via TSIG nsupdate. Only the delta since the last
|
|
||||||
# successful run is sent; removed records are deleted.
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
SERVER="<%= $server %>"
|
|
||||||
KEYFILE="<%= $key_file %>"
|
|
||||||
RECORDS="<%= $records_file %>"
|
|
||||||
STATE="<%= $state_file %>"
|
|
||||||
|
|
||||||
[ -f "$RECORDS" ] || exit 0
|
|
||||||
touch "$STATE"
|
|
||||||
|
|
||||||
# Format per line: zone|name|type|ttl|value (name is relative to zone, or @).
|
|
||||||
desired="$(grep -vE '^[[:space:]]*(#|$)' "$RECORDS" | sort -u || true)"
|
|
||||||
applied="$(grep -vE '^[[:space:]]*(#|$)' "$STATE" 2>/dev/null | sort -u || true)"
|
|
||||||
|
|
||||||
[ "$desired" = "$applied" ] && exit 0
|
|
||||||
|
|
||||||
fqdn() { # name zone
|
|
||||||
if [ -z "$1" ] || [ "$1" = "@" ]; then printf '%s.' "$2"; else printf '%s.%s.' "$1" "$2"; fi
|
|
||||||
}
|
|
||||||
|
|
||||||
msg="$(mktemp)"
|
|
||||||
trap 'rm -f "$msg"' EXIT
|
|
||||||
printf 'server %s\n' "$SERVER" >> "$msg"
|
|
||||||
|
|
||||||
# Process per zone so each UPDATE message targets a single zone.
|
|
||||||
zones="$(printf '%s\n%s\n' "$desired" "$applied" | cut -d'|' -f1 | sort -u | grep -v '^$' || true)"
|
|
||||||
for zone in $zones; do
|
|
||||||
printf 'zone %s.\n' "$zone" >> "$msg"
|
|
||||||
# Additions/updates: replace the RRset for every desired record in this zone.
|
|
||||||
printf '%s\n' "$desired" | awk -F'|' -v z="$zone" 'NF>=5 && $1==z' | \
|
|
||||||
while IFS='|' read -r z name type ttl value; do
|
|
||||||
f="$(fqdn "$name" "$z")"
|
|
||||||
printf 'update delete %s %s\n' "$f" "$type" >> "$msg"
|
|
||||||
printf 'update add %s %s %s %s\n' "$f" "$ttl" "$type" "$value" >> "$msg"
|
|
||||||
done
|
|
||||||
# Deletions: records present last run but gone now.
|
|
||||||
comm -23 <(printf '%s\n' "$applied") <(printf '%s\n' "$desired") | \
|
|
||||||
awk -F'|' -v z="$zone" 'NF>=5 && $1==z' | \
|
|
||||||
while IFS='|' read -r z name type ttl value; do
|
|
||||||
f="$(fqdn "$name" "$z")"
|
|
||||||
printf 'update delete %s %s %s\n' "$f" "$type" "$value" >> "$msg"
|
|
||||||
done
|
|
||||||
printf 'send\n' >> "$msg"
|
|
||||||
done
|
|
||||||
|
|
||||||
if nsupdate -k "$KEYFILE" "$msg"; then
|
|
||||||
printf '%s\n' "$desired" > "$STATE"
|
|
||||||
else
|
|
||||||
echo "dns-update: nsupdate to ${SERVER} failed" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
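--- a/PATH-NOT-SHOWN
+++ /dev/null
@@ -1,5 +0,0 @@
-<%- | String $name, String $algorithm, String $secret | -%>
-key "<%= $name %>" {
-algorithm <%= $algorithm %>;
-secret "<%= $secret %>";
-};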