Add bind9 backend parameter to allow bypassing bind configuration

Adds designate::backedn::bind9::configure_bind parameter to allow bypassing the dns puppet module. This is necessary when bind is not installed on same host as designate. Change-Id: I3e94e3846fb97f0a0a5d25b2f5a1ef02e88a84b2 (cherry picked from commit d68a16c853)
2021-02-18 15:32:50 -03:30 · 2021-02-18 15:32:50 -03:30 · a6244026a4
parent 6b2b21876f
commit a6244026a4
3 changed files with 57 additions and 30 deletions
--- a/manifests/backend/bind9.pp
+++ b/manifests/backend/bind9.pp
@ -24,22 +24,55 @@
 #  (optional) Hash defining controls configuration for rndc.
 #  Defaults to undef, which uses the puppet-dns default
 #
+# [*configure_bind*]
+#  (optional) Enables running named configuration for hosts where designate and
+#  designate bind services are collocated.
+#  Defaults to true
+#
 class designate::backend::bind9 (
  $rndc_host           = '127.0.0.1',
  $rndc_port           = '953',
  $rndc_config_file    = '/etc/rndc.conf',
  $rndc_key_file       = '/etc/rndc.key',
  $rndc_controls       = undef,
+  $configure_bind      = true,
 ) {

  include designate::deps
  include designate
-  if $rndc_controls {
-    class { 'dns':
-      controls => $rndc_controls,
+  if $configure_bind {
+    if $rndc_controls {
+      class { 'dns':
+        controls => $rndc_controls,
+      }
+    } else {
+      include dns
    }
-  } else {
-    include dns
+    concat::fragment { 'dns allow-new-zones':
+      target  => $::dns::optionspath,
+      content => 'allow-new-zones yes;',
+      order   => '20',
+    }
+
+    # Recommended by Designate docs as a mitigation for potential cache
+    # poisoning attacks:
+    # https://docs.openstack.org/designate/queens/admin/production-guidelines.html#bind9-mitigation
+    concat::fragment { 'dns minimal-responses':
+      target  => $::dns::optionspath,
+      content => 'minimal-responses yes;',
+      order   => '21',
+    }
+
+    # /var/named is root:named on RedHat and /var/cache/bind is root:bind on
+    # Debian. Both groups only have read access but require write permission in
+    # order to be able to use rndc addzone/delzone commands that Designate uses.
+    # NOTE(bnemec): ensure_resource is to avoid a chicken and egg problem with
+    # removing this from puppet-openstack-integration.  Once that has been done
+    # the ensure_resource wrapper could be removed.
+    ensure_resource('file', $::dns::params::vardir, {
+      mode    => 'g+w',
+      require => Package[$::dns::params::dns_server_package]
+    })
  }

  designate_config {
@ -49,29 +82,4 @@ class designate::backend::bind9 (
    'backend:bind9/rndc_key_file'    : value => $rndc_key_file;
  }

-  concat::fragment { 'dns allow-new-zones':
-    target  => $::dns::optionspath,
-    content => 'allow-new-zones yes;',
-    order   => '20',
-  }
-
-  # Recommended by Designate docs as a mitigation for potential cache
-  # poisoning attacks:
-  # https://docs.openstack.org/designate/queens/admin/production-guidelines.html#bind9-mitigation
-  concat::fragment { 'dns minimal-responses':
-    target  => $::dns::optionspath,
-    content => 'minimal-responses yes;',
-    order   => '21',
-  }
-
-  # /var/named is root:named on RedHat and /var/cache/bind is root:bind on
-  # Debian. Both groups only have read access but require write permission in
-  # order to be able to use rndc addzone/delzone commands that Designate uses.
-  # NOTE(bnemec): ensure_resource is to avoid a chicken and egg problem with
-  # removing this from puppet-openstack-integration.  Once that has been done
-  # the ensure_resource wrapper could be removed.
-  ensure_resource('file', $::dns::params::vardir, {
-    mode    => 'g+w',
-    require => Package[$::dns::params::dns_server_package]
-  })
 }
--- a/releasenotes/notes/add-config-bind-param-bind-backend-506bf4bbde8b6d03.yaml
+++ b/releasenotes/notes/add-config-bind-param-bind-backend-506bf4bbde8b6d03.yaml
@ -0,0 +1,6 @@
+---
+features:
+    - add designate::backend::bind9::configure_bind (defaults to true) to
+      bypass attempts to bind9 configuration in the event that bind9 resides on
+      a different host.
+
--- a/spec/classes/designate_backend_bind9_spec.rb
+++ b/spec/classes/designate_backend_bind9_spec.rb
@ -18,6 +18,19 @@ describe 'designate::backend::bind9' do
      end
    end

+    context 'with named configuration disabled ' do
+      let :params do
+        { :configure_bind => false }
+      end
+      it 'configures designate backend bind9 with default parameters' do
+        is_expected.to contain_designate_config('backend:bind9/rndc_host').with_value('127.0.0.1')
+        is_expected.to contain_designate_config('backend:bind9/rndc_port').with_value('953')
+        is_expected.to contain_designate_config('backend:bind9/rndc_config_file').with_value('/etc/rndc.conf')
+        is_expected.to contain_designate_config('backend:bind9/rndc_key_file').with_value('/etc/rndc.key')
+        is_expected.not_to contain_concat_fragment('dns allow-new-zones')
+      end
+    end
+
    context 'when overriding rndc_config_file' do
      let :params do
        { :rndc_config_file => '/srv/designate/rndc.conf' }