3e807201ee
Replaces the exported-resources -> puppet DNS master zone-file flow with per-host RFC2136 dynamic updates against the k8s bind-authoritative write endpoint (198.18.200.9), so the master no longer manages zone files. - add profiles::dns::updater: assembles the host's records into a concat file and runs nsupdate via a systemd .path unit that watches it; the dns-update script sends only the delta and deletes removed records - switch profiles::dns::record to write local concat fragments (zone|name|type|ttl|value) instead of exporting to the master - include profiles::dns::updater from profiles::dns::base (all nodes) - inert until profiles::dns::updater::key_secret (TSIG) is set in eyaml - hiera: updater server/key_name/algorithm in common.yaml
112 lines
3.6 KiB
Puppet
# profiles::dns::updater
|
|
#
|
|
# Applies this host's DNS records to the authoritative DNS server via TSIG
|
|
# nsupdate, replacing the old exported-resources -> master zone-file flow.
|
|
#
|
|
# profiles::dns::record fragments are assembled into $records_file; a systemd
|
|
# .path unit watches that file and runs dns-update.service (nsupdate) whenever
|
|
# it changes. nsupdate comes from bind-utils (installed via bind::updater in
|
|
# profiles::dns::base).
|
|
#
|
|
# Inert until $key_secret is set (the shared TSIG key that the k8s
|
|
# bind-authoritative zones allow-update with): the records file is still
|
|
# assembled, but the updater service is not managed, so nodes are safe before
|
|
# the key is provisioned.
|
|
class profiles::dns::updater (
|
|
String $server = '198.18.200.9',
|
|
String $key_name = 'client-update',
|
|
String $key_algorithm = 'hmac-sha256',
|
|
Optional[Sensitive[String]] $key_secret = undef,
|
|
Integer $default_ttl = 300,
|
|
Stdlib::AbsolutePath $records_file = '/var/lib/dns-updater/records',
|
|
Stdlib::AbsolutePath $state_dir = '/var/lib/dns-updater',
|
|
Stdlib::AbsolutePath $config_dir = '/etc/dns-updater',
|
|
) {
|
|
|
|
$state_file = "${state_dir}/applied"
|
|
$key_file = "${config_dir}/key"
|
|
|
|
file { $state_dir:
|
|
ensure => directory,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0755',
|
|
}
|
|
|
|
# Records file, assembled from profiles::dns::record fragments.
|
|
concat { $records_file:
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
ensure_newline => true,
|
|
warn => false,
|
|
require => File[$state_dir],
|
|
}
|
|
|
|
concat::fragment { 'dns-update-header':
|
|
target => $records_file,
|
|
content => "# Managed by puppet (profiles::dns::record): zone|name|type|ttl|value\n",
|
|
order => '00',
|
|
}
|
|
|
|
if $key_secret =~ Undef {
|
|
notify { 'dns-updater-inert':
|
|
message => 'profiles::dns::updater: key_secret unset; records assembled but not applied.',
|
|
loglevel => 'info',
|
|
}
|
|
} else {
|
|
file { $config_dir:
|
|
ensure => directory,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0700',
|
|
}
|
|
|
|
file { $key_file:
|
|
ensure => file,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0600',
|
|
show_diff => false,
|
|
content => Sensitive(epp('profiles/dns/tsig-key.epp', {
|
|
'name' => $key_name,
|
|
'algorithm' => $key_algorithm,
|
|
'secret' => $key_secret.unwrap,
|
|
})),
|
|
}
|
|
|
|
file { '/usr/local/bin/dns-update':
|
|
ensure => file,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0755',
|
|
content => epp('profiles/dns/dns-update.sh.epp', {
|
|
'server' => $server,
|
|
'key_file' => $key_file,
|
|
'records_file' => $records_file,
|
|
'state_file' => $state_file,
|
|
}),
|
|
}
|
|
|
|
systemd::unit_file { 'dns-update.service':
|
|
content => epp('profiles/dns/dns-update.service.epp', { 'script' => '/usr/local/bin/dns-update' }),
|
|
}
|
|
|
|
# The .path unit watches the records file and triggers the service.
|
|
systemd::unit_file { 'dns-update.path':
|
|
content => epp('profiles/dns/dns-update.path.epp', { 'records_file' => $records_file }),
|
|
active => true,
|
|
enable => true,
|
|
}
|
|
|
|
# Also apply within the puppet run whenever the records change.
|
|
exec { 'dns-update-apply':
|
|
command => '/usr/local/bin/dns-update',
|
|
refreshonly => true,
|
|
subscribe => Concat[$records_file],
|
|
require => [File['/usr/local/bin/dns-update'], File[$key_file]],
|
|
}
|
|
}
|
|
}
|
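Review bot: The `if $key_secret =~ Undef` branch only emits a notify, so on a node that was previously provisioned with a key and later has `key_secret` withdrawn from hiera, `$key_file`, `/usr/local/bin/dns-update` and the enabled `dns-update.path` unit are left unmanaged and the watcher keeps running nsupdate with the stale key file. The inert branch should remove those resources so that unsetting the TSIG key actually decommissions the updater, rather than only preventing first-time setup; the `else` branch stays as written. Separately, `dns-update-apply` fires on the same `Concat[$records_file]` change that triggers `dns-update.path`, so two copies of the script may run concurrently against `$state_file` unless the script takes its own lock, which is not visible here; `command => 'systemctl start dns-update.service'` with `require => Systemd::Unit_file['dns-update.service']` would let systemd serialise the two triggers.

```puppet
if $key_secret =~ Undef {
  notify { 'dns-updater-inert':
    message  => 'profiles::dns::updater: key_secret unset; records assembled but not applied.',
    loglevel => 'info',
  }
  # Withdraw what an earlier run with a key left behind, so the stale TSIG
  # secret and the path watcher do not remain active once the key is unset.
  systemd::unit_file { 'dns-update.path':
    ensure => absent,
    active => false,
    enable => false,
  }
  systemd::unit_file { 'dns-update.service':
    ensure => absent,
  }
  file { [$key_file, '/usr/local/bin/dns-update']:
    ensure => absent,
  }
} else {
  # ... unchanged: config dir, key file, script, unit files, exec ...
}
```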