Use native puppet-dns interface to inject additional options

... instead of directly manipulating the file using concat::fragment. Depends-on: https://review.opendev.org/899447 Change-Id: Id50e6df7df7af307ea6845d08b442adbb0e0cb3c
2023-10-27 12:39:21 +09:00 · 2023-10-27 12:39:21 +09:00 · 64f5f18124
parent d11f87554d
commit 64f5f18124
2 changed files with 21 additions and 22 deletions
--- a/manifests/backend/bind9.pp
+++ b/manifests/backend/bind9.pp
@ -73,26 +73,23 @@ class designate::backend::bind9 (
  include designate::params

  if $configure_bind {
-    if $rndc_controls {
-      class { 'dns':
-        controls => $rndc_controls,
-      }
-    } else {
-      include dns
-    }
-    concat::fragment { 'dns allow-new-zones':
-      target  => $::dns::optionspath,
-      content => 'allow-new-zones yes;',
-      order   => '20',
+    $dns_additional_options = {
+      'allow-new-zones'   => 'yes',
+      # Recommended by Designate docs as a mitigation for potential cache
+      # poisoning attacks:
+      # https://docs.openstack.org/designate/latest/admin/production-guidelines.html#bind9-mitigation
+      'minimal-responses' => 'yes',
    }

-    # Recommended by Designate docs as a mitigation for potential cache
-    # poisoning attacks:
-    # https://docs.openstack.org/designate/latest/admin/production-guidelines.html#bind9-mitigation
-    concat::fragment { 'dns minimal-responses':
-      target  => $::dns::optionspath,
-      content => 'minimal-responses yes;',
-      order   => '21',
+    if $rndc_controls {
+      class { 'dns':
+        controls           => $rndc_controls,
+        additional_options => $dns_additional_options,
+      }
+    } else {
+      class { 'dns':
+        additional_options => $dns_additional_options,
+      }
    }

    # /var/named is root:named on RedHat and /var/cache/bind is root:bind on
--- a/spec/classes/designate_backend_bind9_spec.rb
+++ b/spec/classes/designate_backend_bind9_spec.rb
@ -11,9 +11,11 @@ describe 'designate::backend::bind9' do
        {}
      end
      it 'configures named and pool' do
-        is_expected.to contain_concat_fragment('dns allow-new-zones').with(
-          :target => platform_params[:dns_optionspath],
-          :content => 'allow-new-zones yes;'
+        is_expected.to contain_class('dns').with(
+          :additional_options => {
+            'allow-new-zones'   => 'yes',
+            'minimal-responses' => 'yes'
+          },
        )
        is_expected.to contain_file('/etc/designate/pools.yaml').with(
          :ensure => 'present',
@ -36,7 +38,7 @@ describe 'designate::backend::bind9' do
        { :configure_bind => false }
      end
      it 'does not configure named' do
-        is_expected.not_to contain_concat_fragment('dns allow-new-zones')
+        is_expected.to_not contain_class('dns')
      end
    end