Puppet Class: profile::dns::auth::update

Defined in:
modules/profile/manifests/dns/auth/update.pp

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • authdns_servers (Hash[Stdlib::Fqdn, Stdlib::IP::Address::Nosubnet]) (defaults to: lookup('authdns_servers'))
  • gitrepo (Stdlib::HTTPSUrl) (defaults to: lookup('profile::dns::auth::gitrepo'))
  • netbox_dns_snippets_dir (Stdlib::Unixpath) (defaults to: lookup('profile::dns::auth::update::netbox_dns_snippets_dir'))
  • netbox_exports_domain (Stdlib::Fqdn) (defaults to: lookup('profile::dns::auth::update::netbox_exports_domain'))
  • authdns_servers_ips (Hash[Stdlib::Fqdn, Stdlib::IP::Address::Nosubnet]) (defaults to: lookup('profile::dns::auth::authdns_servers_ips'))
  • datacenters (Array[Wmflib::Sites]) (defaults to: lookup('datacenters'))
  • advertise_vips (Hash[String, Wmflib::Advertise_vip]) (defaults to: lookup('profile::bird::advertise_vips', {'merge' => hash}))


2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
# File 'modules/profile/manifests/dns/auth/update.pp', line 2

class profile::dns::auth::update (
    Hash[Stdlib::Fqdn, Stdlib::IP::Address::Nosubnet] $authdns_servers = lookup('authdns_servers'),
    Stdlib::HTTPSUrl $gitrepo = lookup('profile::dns::auth::gitrepo'),
    Stdlib::Unixpath $netbox_dns_snippets_dir = lookup('profile::dns::auth::update::netbox_dns_snippets_dir'),
    Stdlib::Fqdn $netbox_exports_domain = lookup('profile::dns::auth::update::netbox_exports_domain'),
    Hash[Stdlib::Fqdn, Stdlib::IP::Address::Nosubnet] $authdns_servers_ips = lookup('profile::dns::auth::authdns_servers_ips'),
    Array[Wmflib::Sites] $datacenters = lookup('datacenters'),
    Hash[String, Wmflib::Advertise_vip] $advertise_vips = lookup('profile::bird::advertise_vips', {'merge' => hash}),
) {
    require ::profile::dns::auth::update::account
    require ::profile::dns::auth::update::scripts

    $workingdir = '/srv/authdns/git'
    $netbox_dns_snippets_repo = "https://${netbox_exports_domain}/dns.git"
    $netbox_dns_user = 'netboxdns'

    user { $netbox_dns_user:
        ensure  => present,
        comment => 'User for the Netbox generated DNS zonefile snippets',
        system  => true,
        shell   => '/bin/bash',
    }

    file { dirname($netbox_dns_snippets_dir):
        ensure => directory,
        mode   => '0755',
        owner  => 'root',
        group  => 'root',
        before => Exec['authdns-local-update'],
    }

    # safe.directory directive for the two below directories allows
    # authdns-local-update to be run without any permission issues.
    # See CR 888053 for more information.
    git::systemconfig { 'safe.directory-authdns-git':
        settings => {
            'safe' => {
                'directory' => '/srv/authdns/git',
            }
        },
        before   => Exec['authdns-local-update'],

    }
    git::systemconfig { 'safe.directory-netbox-snippets':
        settings => {
            'safe' => {
                'directory' => '/srv/git/netbox_dns_snippets',
            }
        },
        before   => Exec['authdns-local-update'],
    }

    $authdns_conf = '/etc/wikimedia-authdns.conf'

    $authdns_update_watch_keys = $datacenters.map |$dc| { "/pools/${dc}/dnsbox/authdns-update" }
    confd::file { $authdns_conf:
        ensure     => present,
        watch_keys => $authdns_update_watch_keys,
        content    => template('profile/dns/auth/wikimedia-authdns.conf.tpl.erb'),
        before     => Exec['authdns-local-update'],
    }

    $host_state_dir = '/var/lib/dnsbox'
    file { $host_state_dir:
        ensure => directory,
        mode   => '0755',
        owner  => 'root',
        group  => 'root',
    }
    # Manage service depooling via confd. This means iterating over the
    # services defined in advertise_vips and creating state files for them,
    # using their respective healthchecks.
    #
    # Since the basic wrapper is the same for all services, we use that and
    # template it, instead of duplicating the code.
    $advertise_vips.map |$vip_fqdn, $vip_params| {
        $service_type = $vip_params['service_type']
        $service_name = regsubst($service_type, '-', '_', 'G')

        $state_file = "${host_state_dir}/${service_name}.state"
        file { "/usr/local/bin/check_${service_name}_state":
            ensure  => present,
            mode    => '0755',
            content => template('profile/dns/auth/check_state.erb'),
            before  => Confd::File[$state_file],
        }

        $service_watch_keys = [ "/pools/${::site}/dnsbox/${service_type}/${::fqdn}" ]
        confd::file { $state_file:
            ensure     => present,
            watch_keys => $service_watch_keys,
            content    => template('profile/dns/auth/state.tpl.erb'),
            reload     => "/usr/local/bin/check_${service_name}_state",
            before     => Exec['authdns-local-update'],
        }
    }

    ferm::service { 'authdns_update_ssh_rule':
        proto  => 'tcp',
        port   => '22',
        srange => "(${authdns_servers_ips.values().join(' ')})",
    }

    # The clones and exec below are only for the initial puppetization of a
    # fresh host, ensuring that the data and configuration are fully present
    # *before* the daemon is ever started for the first time (which can only be
    # gauranteed by doing it before the package is even installed).  Most other
    # daemon configuration needs a "before => Exec['authdns-local-update']" to
    # ensure it is also a part of this process.

    git::clone { $workingdir:
        directory => $workingdir,
        origin    => $gitrepo,
        branch    => 'master',
        owner     => 'authdns',
        group     => 'authdns',
        notify    => Exec['authdns-local-update'],
    }

    # Clone the Netbox exported DNS snippet zonefiles with automatically generated
    # DNS records from Netbox data.
    git::clone { $netbox_dns_snippets_dir:
        directory => $netbox_dns_snippets_dir,
        origin    => $netbox_dns_snippets_repo,
        branch    => 'master',
        owner     => $netbox_dns_user,
        group     => $netbox_dns_user,
        timeout   => 600,   # 10 minutes
        notify    => Exec['authdns-local-update'],
    }

    exec { 'authdns-local-update':
        command     => '/usr/local/sbin/authdns-local-update --skip-review --initial',
        user        => root,
        refreshonly => true,
        timeout     => 60,
        # we prepare the config even before the package gets installed, leaving
        # no window where service would be started and answer with REFUSED
        before      => Package['gdnsd'],
    }
}