Merge "Use native puppet-dns interface to inject additional options"

This commit is contained in:
Zuul 2023-10-30 19:39:55 +00:00 committed by Gerrit Code Review
commit 82e5f88ad1
2 changed files with 21 additions and 22 deletions


@ -79,26 +79,23 @@ class designate::backend::bind9 (
include designate::params include designate::params
if $configure_bind { if $configure_bind {
if $rndc_controls { $dns_additional_options = {
class { 'dns': 'allow-new-zones' => 'yes',
controls => $rndc_controls, # Recommended by Designate docs as a mitigation for potential cache
} # poisoning attacks:
} else { # https://docs.openstack.org/designate/latest/admin/production-guidelines.html#bind9-mitigation
include dns 'minimal-responses' => 'yes',
}
concat::fragment { 'dns allow-new-zones':
target => $::dns::optionspath,
content => 'allow-new-zones yes;',
order => '20',
} }
# Recommended by Designate docs as a mitigation for potential cache if $rndc_controls {
# poisoning attacks: class { 'dns':
# https://docs.openstack.org/designate/latest/admin/production-guidelines.html#bind9-mitigation controls => $rndc_controls,
concat::fragment { 'dns minimal-responses': additional_options => $dns_additional_options,
target => $::dns::optionspath, }
content => 'minimal-responses yes;', } else {
order => '21', class { 'dns':
additional_options => $dns_additional_options,
}
} }
# /var/named is root:named on RedHat and /var/cache/bind is root:bind on # /var/named is root:named on RedHat and /var/cache/bind is root:bind on
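Review bot: The two `class { 'dns': ... }` declarations in the `if $rndc_controls` / `else` branches differ only in the `controls` parameter, so the same `additional_options` hash has to be kept in sync in two places; if `rndc_controls` is `undef` when unset (which cannot be confirmed from this hunk), a single declaration `class { 'dns': controls => $rndc_controls, additional_options => $dns_additional_options, }` would be equivalent, since Puppet falls back to the parameter default for an `undef` argument. Worth confirming before merging that puppet-dns renders `additional_options` entries as `allow-new-zones yes;` inside the `options {}` stanza, because the old `concat::fragment` resources were written explicitly in that form and a rendering difference would silently drop the `minimal-responses` cache-poisoning mitigation the comment references. A short comment on the hash noting that `allow-new-zones` is required for Designate to create zones over rndc, and that the rndc `controls` restrict who can do so, would make the security intent of the block visible. The enclosing class `designate::backend::bind9` starts before this hunk.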


@ -11,9 +11,11 @@ describe 'designate::backend::bind9' do
{} {}
end end
it 'configures named and pool' do it 'configures named and pool' do
is_expected.to contain_concat_fragment('dns allow-new-zones').with( is_expected.to contain_class('dns').with(
:target => platform_params[:dns_optionspath], :additional_options => {
:content => 'allow-new-zones yes;' 'allow-new-zones' => 'yes',
'minimal-responses' => 'yes'
},
) )
is_expected.to contain_file('/etc/designate/pools.yaml').with( is_expected.to contain_file('/etc/designate/pools.yaml').with(
:ensure => 'present', :ensure => 'present',
@ -36,7 +38,7 @@ describe 'designate::backend::bind9' do
{ :configure_bind => false } { :configure_bind => false }
end end
it 'does not configure named' do it 'does not configure named' do
is_expected.not_to contain_concat_fragment('dns allow-new-zones') is_expected.to_not contain_class('dns')
end end
end end
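Review bot: The updated example only covers the `else` branch of the manifest (no `rndc_controls`), so the `controls => $rndc_controls` path that now also has to pass `additional_options` is not exercised by what is visible here; unless such a case exists elsewhere in the spec, add one that sets `:rndc_controls` in `params` and asserts `contain_class('dns').with(:controls => [...], :additional_options => { 'allow-new-zones' => 'yes', 'minimal-responses' => 'yes' })`. The negative case switched from `not_to` to `to_not`; either is valid RSpec, but keep one form across the file for consistency. The enclosing `describe` blocks start and end outside this hunk.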