8bfd768764
ci/woodpecker/pr/ruby-validate Pipeline was successful
ci/woodpecker/pr/puppet-lint Pipeline was successful
ci/woodpecker/pr/yamllint Pipeline was successful
ci/woodpecker/pr/bolt-validate Pipeline was successful
ci/woodpecker/pr/erb-validate Pipeline was successful
ci/woodpecker/pr/epp-validate Pipeline was successful
ci/woodpecker/pr/puppet-validate Pipeline was successful
ci/woodpecker/pr/ruby-check Pipeline was successful
Sets DNS_UPDATER_DENY_RANGES so the daemon never publishes records whose address is in the k8s pod CIDR (10.42.0.0/16), service CIDR (10.43.0.0/16), the LB VIP pool (198.18.200.0/24) or 198.18.199.0/24 — keeping kube-lb0/flannel/etc. and their reverse PTRs out of the authoritative zones and stopping NOTAUTH updates for zones we do not host. Exposes deny/allow ranges+domains as class params. Also bumps package_ensure to 'latest' so hosts pick up the filter release (rpm-internal metadata_expire is 1h).
174 lines
6.3 KiB
Puppet
174 lines
6.3 KiB
Puppet
# profiles::dns::updater
|
|
#
|
|
# Publishes this host's DNS records. Two methods, independently toggled so both
|
|
# can run during the k8s cutover (profiles::dns::record honours the same flags):
|
|
#
|
|
# - nsupdate ($manage_nsupdate): assemble the records into a local file and
|
|
# nsupdate them to the k8s authoritative write endpoint via a systemd .path
|
|
# unit that watches the file. Inert until $key_secret (TSIG) is set.
|
|
# - export ($manage_export): the legacy exported-resources flow to the puppet
|
|
# DNS master. Kept during cutover; disable once k8s is authoritative.
|
|
#
|
|
# nsupdate comes from bind-utils (installed via bind::updater in
|
|
# profiles::dns::base).
|
|
class profiles::dns::updater (
|
|
Boolean $manage_nsupdate = true,
|
|
Boolean $manage_export = true,
|
|
String $server = '198.18.200.9',
|
|
String $key_name = 'client-update',
|
|
String $key_algorithm = 'hmac-sha256',
|
|
Optional[Sensitive[String]] $key_secret = undef,
|
|
Integer $default_ttl = 300,
|
|
Stdlib::AbsolutePath $records_file = '/var/lib/dns-updater/records',
|
|
Stdlib::AbsolutePath $state_dir = '/var/lib/dns-updater',
|
|
Stdlib::AbsolutePath $config_dir = '/etc/dns-updater',
|
|
Stdlib::AbsolutePath $master_basedir = lookup('profiles::dns::master::basedir'),
|
|
# dns-updater daemon (replaces the dns-update shell script). 'latest' so hosts
|
|
# pick up new releases (e.g. the record filter); rpm-internal metadata_expire
|
|
# is 1h so this does not thrash.
|
|
String $package_ensure = 'latest',
|
|
Stdlib::AbsolutePath $api_socket = '/run/dns-updater/api.sock',
|
|
String $resync = '10m',
|
|
Enum['debug', 'info', 'warn', 'error'] $log_level = 'info',
|
|
Boolean $watch_interfaces = true,
|
|
# Never publish records whose address falls in these ranges: the k8s pod CIDR
|
|
# (10.42.0.0/16) and service CIDR (10.43.0.0/16), the LB VIP pool
|
|
# (198.18.200.0/24) and 198.18.199.0/24. Keeps kube-lb0/flannel/etc. out of
|
|
# the authoritative zones and stops NOTAUTH updates for zones we do not host.
|
|
Array[String] $deny_ranges = ['198.18.199.0/24', '198.18.200.0/24', '10.42.0.0/16', '10.43.0.0/16'],
|
|
Array[String] $allow_ranges = [],
|
|
Array[String] $deny_domains = [],
|
|
Array[String] $allow_domains = [],
|
|
) {
|
|
|
|
$state_file = "${state_dir}/applied"
|
|
$server_file = "${state_dir}/server"
|
|
$key_file = "${config_dir}/key"
|
|
|
|
if $manage_nsupdate {
|
|
|
|
file { $state_dir:
|
|
ensure => directory,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0755',
|
|
}
|
|
|
|
# Server address, read by the dns_records fact for drift detection.
|
|
file { $server_file:
|
|
ensure => file,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => "${server}\n",
|
|
require => File[$state_dir],
|
|
}
|
|
|
|
# Records file, assembled from profiles::dns::record fragments.
|
|
concat { $records_file:
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
ensure_newline => true,
|
|
warn => false,
|
|
require => File[$state_dir],
|
|
}
|
|
|
|
concat::fragment { 'dns-update-header':
|
|
target => $records_file,
|
|
content => "# Managed by puppet (profiles::dns::record): zone|name|type|ttl|value\n",
|
|
order => '00',
|
|
}
|
|
|
|
if $key_secret =~ Undef {
|
|
notify { 'dns-updater-inert':
|
|
message => 'profiles::dns::updater: key_secret unset; records assembled but not applied.',
|
|
loglevel => 'info',
|
|
}
|
|
} else {
|
|
file { $config_dir:
|
|
ensure => directory,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0700',
|
|
}
|
|
|
|
file { $key_file:
|
|
ensure => file,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0600',
|
|
show_diff => false,
|
|
content => Sensitive(epp('profiles/dns/tsig-key.epp', {
|
|
'name' => $key_name,
|
|
'algorithm' => $key_algorithm,
|
|
'secret' => $key_secret.unwrap,
|
|
})),
|
|
}
|
|
|
|
# dns-updater daemon: watches the records file (inotify) and network
|
|
# interfaces, pushes TSIG-signed RFC2136 updates to $server natively.
|
|
package { 'dns-updater':
|
|
ensure => $package_ensure,
|
|
}
|
|
|
|
$deny_ranges_str = join($deny_ranges, ',')
|
|
$allow_ranges_str = join($allow_ranges, ',')
|
|
$deny_domains_str = join($deny_domains, ',')
|
|
$allow_domains_str = join($allow_domains, ',')
|
|
|
|
$env_content = @("ENV")
|
|
# Managed by puppet (profiles::dns::updater).
|
|
DNS_UPDATER_SERVER=${server}
|
|
DNS_UPDATER_KEY_FILE=${key_file}
|
|
DNS_UPDATER_RECORDS_FILE=${records_file}
|
|
DNS_UPDATER_STATE_FILE=${state_file}
|
|
DNS_UPDATER_API=${api_socket}
|
|
DNS_UPDATER_RESYNC=${resync}
|
|
DNS_UPDATER_WATCH_INTERFACES=${watch_interfaces}
|
|
DNS_UPDATER_LOG_LEVEL=${log_level}
|
|
DNS_UPDATER_DENY_RANGES=${deny_ranges_str}
|
|
DNS_UPDATER_ALLOW_RANGES=${allow_ranges_str}
|
|
DNS_UPDATER_DENY_DOMAINS=${deny_domains_str}
|
|
DNS_UPDATER_ALLOW_DOMAINS=${allow_domains_str}
|
|
| ENV
|
|
|
|
file { "${config_dir}/env":
|
|
ensure => file,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => $env_content,
|
|
require => [File[$config_dir], Package['dns-updater']],
|
|
}
|
|
|
|
# Restart only on config/key change; records-file changes are picked up by
|
|
# the daemon's own inotify watch, so no service churn on record edits.
|
|
service { 'dns-updater':
|
|
ensure => running,
|
|
enable => true,
|
|
subscribe => [File["${config_dir}/env"], File[$key_file]],
|
|
require => [Package['dns-updater'], Concat[$records_file], File[$key_file]],
|
|
}
|
|
|
|
# Retire the previous shell-based mechanism.
|
|
file { '/usr/local/bin/dns-update':
|
|
ensure => absent,
|
|
}
|
|
|
|
systemd::unit_file { 'dns-update.service':
|
|
ensure => absent,
|
|
active => false,
|
|
enable => false,
|
|
}
|
|
|
|
systemd::unit_file { 'dns-update.path':
|
|
ensure => absent,
|
|
active => false,
|
|
enable => false,
|
|
}
|
|
}
|
|
}
|
|
}
|