From 64f5f18124e50213c997d95daf1e7d8e0924721f Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 27 Oct 2023 12:39:21 +0900
Subject: [PATCH] Use native puppet-dns interface to inject additional options
... instead of directly manipulating the file using concat::fragment.
Depends-on: https://review.opendev.org/899447
Change-Id: Id50e6df7df7af307ea6845d08b442adbb0e0cb3c
---
 manifests/backend/bind9.pp | 33 +++++++++-----------
 spec/classes/designate_backend_bind9_spec.rb | 10 +++---
 2 files changed, 21 insertions(+), 22 deletions(-)
diff --git a/manifests/backend/bind9.pp b/manifests/backend/bind9.pp
index 2bd4dfb8..359ca6cf 100644
--- a/manifests/backend/bind9.pp
+++ b/manifests/backend/bind9.pp
@@ -73,26 +73,23 @@ class designate::backend::bind9 (
 include designate::params
 if $configure_bind {
- if $rndc_controls {
- class { 'dns':
- controls => $rndc_controls,
- }
- } else {
- include dns
- }
- concat::fragment { 'dns allow-new-zones':
- target => $::dns::optionspath,
- content => 'allow-new-zones yes;',
- order => '20',
+ $dns_additional_options = {
+ 'allow-new-zones' => 'yes',
+ # Recommended by Designate docs as a mitigation for potential cache
+ # poisoning attacks:
+ # https://docs.openstack.org/designate/latest/admin/production-guidelines.html#bind9-mitigation
+ 'minimal-responses' => 'yes',
 }
- # Recommended by Designate docs as a mitigation for potential cache
- # poisoning attacks:
- # https://docs.openstack.org/designate/latest/admin/production-guidelines.html#bind9-mitigation
- concat::fragment { 'dns minimal-responses':
- target => $::dns::optionspath,
- content => 'minimal-responses yes;',
- order => '21',
+ if $rndc_controls {
+ class { 'dns':
+ controls => $rndc_controls,
+ additional_options => $dns_additional_options,
+ }
+ } else {
+ class { 'dns':
+ additional_options => $dns_additional_options,
+ }
 }
 # /var/named is root:named on RedHat and /var/cache/bind is root:bind on
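Review bot: Both branches of the new `if $rndc_controls` now use a resource-like `class { 'dns': ... }` declaration, whereas the removed else-branch used `include dns`; a resource-like declaration must be the only declaration of `dns` in the catalog, so any other manifest that also declares it (even via `include dns`) and is evaluated first now fails catalog compilation where it previously did not. That constraint deserves a comment above the declaration, e.g. `# Resource-like declaration: dns must not be declared anywhere else in the catalog.` The two branches differ only in whether `controls` is passed, so a single declaration fed by a conditionally built parameter hash avoids repeating the class body; this assumes `$rndc_controls` defaults to undef, which is declared outside the hunk. If the module pins its puppet-dns dependency (typically in the module metadata), the lower bound should also be raised to the release that adds `additional_options`, since an older puppet-dns rejects the unknown parameter at compile time.
```puppet
    $dns_additional_options = {
      # … unchanged: allow-new-zones and minimal-responses entries …
    }
    # Only pass controls when the caller supplied rndc controls, so the
    # puppet-dns default applies otherwise.
    $dns_class_params = $rndc_controls ? {
      undef   => {},
      default => { 'controls' => $rndc_controls },
    }
    class { 'dns':
      additional_options => $dns_additional_options,
      *                  => $dns_class_params,
    }
```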
diff --git a/spec/classes/designate_backend_bind9_spec.rb b/spec/classes/designate_backend_bind9_spec.rb
index 040d5972..5287b28d 100644
--- a/spec/classes/designate_backend_bind9_spec.rb
+++ b/spec/classes/designate_backend_bind9_spec.rb
@@ -11,9 +11,11 @@ describe 'designate::backend::bind9' do
 {}
 end
 it 'configures named and pool' do
- is_expected.to contain_concat_fragment('dns allow-new-zones').with(
- :target => platform_params[:dns_optionspath],
- :content => 'allow-new-zones yes;'
+ is_expected.to contain_class('dns').with(
+ :additional_options => {
+ 'allow-new-zones' => 'yes',
+ 'minimal-responses' => 'yes'
+ },
 )
 is_expected.to contain_file('/etc/designate/pools.yaml').with(
 :ensure => 'present',
@@ -36,7 +38,7 @@ describe 'designate::backend::bind9' do
 { :configure_bind => false }
 end
 it 'does not configure named' do
- is_expected.not_to contain_concat_fragment('dns allow-new-zones')
+ is_expected.to_not contain_class('dns')
 end
 end
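Review bot: The second hunk flips the spelling from `not_to` to `to_not` in `is_expected.to_not contain_class('dns')`; both are RSpec aliases, but the line it replaces used `not_to`, which is also the RSpec style cop's default, so keep `is_expected.not_to contain_class('dns')`. In the first hunk the new `contain_class('dns').with(:additional_options => ...)` assertion only exercises the default-parameter case; whether the `rndc_controls` branch (which additionally passes `controls`) is asserted elsewhere in this spec cannot be seen from the hunk, and a case setting `:rndc_controls` and expecting `:controls` on the class would pin that path. Since `platform_params[:dns_optionspath]` is no longer read here, its definition may now be unused if nothing else in the file references it.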