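# profiles::dns::updater
#
# Publishes this host's DNS records. Two methods, independently toggled so both
# can run during the k8s cutover (profiles::dns::record honours the same flags):
#
# - nsupdate ($manage_nsupdate): assemble the records into a local file and
#   nsupdate them to the k8s authoritative write endpoint via a systemd .path
#   unit that watches the file. Inert until $key_secret (TSIG) is set.
# - export ($manage_export): the legacy exported-resources flow to the puppet
#   DNS master. Kept during cutover; disable once k8s is authoritative.
#
# nsupdate comes from bind-utils (installed via bind::updater in
# profiles::dns::base).
#
# Only the nsupdate method is declared in this class body. $manage_export,
# $default_ttl and $master_basedir are not referenced below; presumably they
# are consumed by profiles::dns::record, which shares this parameter set —
# verify before removing any of them.
#
# @param manage_nsupdate Enable the nsupdate method: state dir, records file
#   and server file always; key file, script and systemd units once a key is set.
# @param manage_export Enable the legacy export method. Not referenced in this
#   class body (see note above).
# @param server Address of the authoritative write endpoint passed to the
#   dns-update script; also written to "${state_dir}/server" for the
#   dns_records fact.
# @param key_name TSIG key name written to the key file.
# @param key_algorithm TSIG algorithm written to the key file.
# @param key_secret TSIG secret. When undef the records are assembled but
#   nothing is installed that could apply them, and a notify says so.
# @param default_ttl Not referenced in this class body (see note above).
# @param records_file Concat target holding one record per line in the
#   zone|name|type|ttl|value format declared by the header fragment.
# @param state_dir Directory holding the applied-state and server files.
# @param config_dir Root-only (0700) directory holding the TSIG key file.
# @param master_basedir Not referenced in this class body. Its default is an
#   unconditional lookup(), so the hiera key must resolve even on hosts that
#   only use the nsupdate method.
class profiles::dns::updater (
  Boolean                     $manage_nsupdate = true,
  Boolean                     $manage_export   = true,
  String                      $server          = '198.18.200.9',
  String                      $key_name        = 'client-update',
  String                      $key_algorithm   = 'hmac-sha256',
  Optional[Sensitive[String]] $key_secret      = undef,
  Integer                     $default_ttl     = 300,
  Stdlib::AbsolutePath        $records_file    = '/var/lib/dns-updater/records',
  Stdlib::AbsolutePath        $state_dir       = '/var/lib/dns-updater',
  Stdlib::AbsolutePath        $config_dir      = '/etc/dns-updater',
  Stdlib::AbsolutePath        $master_basedir  = lookup('profiles::dns::master::basedir'),
) {
  # Paths derived from the directories above; the script reads/writes
  # $state_file, the dns_records fact reads $server_file, nsupdate reads $key_file.
  $state_file  = "${state_dir}/applied"
  $server_file = "${state_dir}/server"
  $key_file    = "${config_dir}/key"
  $script      = '/usr/local/bin/dns-update'

  if $manage_nsupdate {
    file { $state_dir:
      ensure => directory,
      owner  => 'root',
      group  => 'root',
      mode   => '0755',
    }

    # Server address, read by the dns_records fact for drift detection.
    file { $server_file:
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => "${server}\n",
      require => File[$state_dir],
    }

    # Records file, assembled from profiles::dns::record fragments. World
    # readable on purpose: it carries no key material, only the record set.
    concat { $records_file:
      ensure         => present,
      owner          => 'root',
      group          => 'root',
      mode           => '0644',
      ensure_newline => true,
      warn           => false,
      require        => File[$state_dir],
    }

    concat::fragment { 'dns-update-header':
      target  => $records_file,
      content => "# Managed by puppet (profiles::dns::record): zone|name|type|ttl|value\n",
      order   => '00',
    }

    if $key_secret =~ Undef {
      # Deliberately inert: no key file, script or units are installed, so the
      # assembled records cannot reach the server from this host.
      notify { 'dns-updater-inert':
        message  => 'profiles::dns::updater: key_secret unset; records assembled but not applied.',
        loglevel => 'info',
      }
    }
    else {
      file { $config_dir:
        ensure => directory,
        owner  => 'root',
        group  => 'root',
        mode   => '0700',
      }

      # TSIG key. The content is Sensitive and show_diff is off so the secret
      # never reaches reports or logs; the 0600/0700 pair keeps it root-only.
      file { $key_file:
        ensure    => file,
        owner     => 'root',
        group     => 'root',
        mode      => '0600',
        show_diff => false,
        content   => Sensitive(epp('profiles/dns/tsig-key.epp', {
          'name'      => $key_name,
          'algorithm' => $key_algorithm,
          'secret'    => $key_secret.unwrap,
        })),
      }

      file { $script:
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0755',
        content => epp('profiles/dns/dns-update.sh.epp', {
          'server'       => $server,
          'key_file'     => $key_file,
          'records_file' => $records_file,
          'state_file'   => $state_file,
        }),
      }

      systemd::unit_file { 'dns-update.service':
        content => epp('profiles/dns/dns-update.service.epp', { 'script' => $script }),
      }

      # The .path unit watches the records file and triggers the service. It is
      # activated only after the service unit and the script it runs exist, so
      # a first-run trigger cannot fire into a missing unit.
      systemd::unit_file { 'dns-update.path':
        content => epp('profiles/dns/dns-update.path.epp', { 'records_file' => $records_file }),
        active  => true,
        enable  => true,
        require => [Systemd::Unit_file['dns-update.service'], File[$script]],
      }

      # Also apply within the puppet run whenever the records change.
      # NOTE(review): the .path unit fires for the same change, so the script
      # may run twice close together; assumes dns-update.sh.epp serialises
      # itself (lock around nsupdate and $state_file) — confirm.
      exec { 'dns-update-apply':
        command     => $script,
        refreshonly => true,
        subscribe   => Concat[$records_file],
        require     => [File[$script], File[$key_file]],
      }
    }
  }
}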