Allow access from remote designate units

If allowed_nets is set ensure that the CIDR's for the remote units on the dns-backend relation are also included in the allow-query configuration stanza. This ensures that designate can validate that zone updates have been correctly transferred to all BIND servers. Closes-Bug: 1806485 Depends-On: Icdb525c9886937597e35ab8126237a2850604832 Change-Id: I02ebe63ad2775a00eb0f2d0a9ff2499319940833
2020-07-21 09:01:50 +01:00 · 2020-07-21 09:01:50 +01:00 · 57d034b729
parent 5174ce1201
commit 57d034b729
3 changed files with 32 additions and 3 deletions
--- a/src/lib/charm/openstack/designate_bind.py
+++ b/src/lib/charm/openstack/designate_bind.py
@ -151,6 +151,19 @@ def assess_status():
    DesignateBindCharm.singleton.assess_status()


+@adapters.adapter_property("dns-backend")
+def dns_egress_subnets(dns_backend):
+    """Generate list of CIDR's for remote units
+
+    Generate a BIND formatted string of semi-colon separated
+    CIDR's for all remote units on the dns-backend relation.
+
+    :returns: BIND formatted string of allowed CIDR's for all
+              remote units.
+    """
+    return ';'.join(dns_backend.relation.egress_subnets())
+
+
 class DNSAdapter(adapters.OpenStackRelationAdapter):

    def __init__(self, relation):
--- a/src/templates/named.conf.options
+++ b/src/templates/named.conf.options
@ -1,6 +1,7 @@
 {% if options.allowed_nets -%}
 acl allow_query {
        {{ options.allowed_nets }};
+        {{ dns_backend.dns_egress_subnets }};
 };
 {%- endif %}

@ -17,9 +18,9 @@ options {
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

-        // If your ISP provided one or more IP addresses for stable 
-        // nameservers, you probably want to use them as forwarders.  
-        // Uncomment the following block, and insert the addresses replacing 
+        // If your ISP provided one or more IP addresses for stable
+        // nameservers, you probably want to use them as forwarders.
+        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        {% if options.forwarders -%}
--- a/unit_tests/test_lib_charm_openstack_designate_bind.py
+++ b/unit_tests/test_lib_charm_openstack_designate_bind.py
@ -134,6 +134,21 @@ class TestOpenStackDesignateBind(Helper):
        self.render_with_interfaces.assert_called_once_with('interface_list')


+class TestEgressSubnets(Helper):
+
+    def test_egress_subnets(self):
+        dns_backend = mock.MagicMock()
+        dns_backend.relation.egress_subnets.return_value = [
+            "10.5.2.1/32",
+            "10.6.20.1/32",
+            "10.7.20.21/32",
+        ]
+        self.assertEqual(
+            designate_bind.dns_egress_subnets(dns_backend),
+            "10.5.2.1/32;10.6.20.1/32;10.7.20.21/32",
+        )
+
+
 class TestDNSAdapter(Helper):

    def test_control_listen_ip(self):