Merge "Use native puppet-dns interface to inject additional options"

2023-10-30 19:39:55 +00:00 · 2023-10-30 19:39:55 +00:00 · 82e5f88ad1
parent 76238eade8 64f5f18124
commit 82e5f88ad1
2 changed files with 21 additions and 22 deletions
--- a/manifests/backend/bind9.pp
+++ b/manifests/backend/bind9.pp
@ -79,26 +79,23 @@ class designate::backend::bind9 (
  include designate::params

  if $configure_bind {
-    if $rndc_controls {
-      class { 'dns':
-        controls => $rndc_controls,
-      }
-    } else {
-      include dns
-    }
-    concat::fragment { 'dns allow-new-zones':
-      target  => $::dns::optionspath,
-      content => 'allow-new-zones yes;',
-      order   => '20',
+    $dns_additional_options = {
+      'allow-new-zones'   => 'yes',
+      # Recommended by Designate docs as a mitigation for potential cache
+      # poisoning attacks:
+      # https://docs.openstack.org/designate/latest/admin/production-guidelines.html#bind9-mitigation
+      'minimal-responses' => 'yes',
    }

-    # Recommended by Designate docs as a mitigation for potential cache
-    # poisoning attacks:
-    # https://docs.openstack.org/designate/latest/admin/production-guidelines.html#bind9-mitigation
-    concat::fragment { 'dns minimal-responses':
-      target  => $::dns::optionspath,
-      content => 'minimal-responses yes;',
-      order   => '21',
+    if $rndc_controls {
+      class { 'dns':
+        controls           => $rndc_controls,
+        additional_options => $dns_additional_options,
+      }
+    } else {
+      class { 'dns':
+        additional_options => $dns_additional_options,
+      }
    }

    # /var/named is root:named on RedHat and /var/cache/bind is root:bind on
--- a/spec/classes/designate_backend_bind9_spec.rb
+++ b/spec/classes/designate_backend_bind9_spec.rb
@ -11,9 +11,11 @@ describe 'designate::backend::bind9' do
        {}
      end
      it 'configures named and pool' do
-        is_expected.to contain_concat_fragment('dns allow-new-zones').with(
-          :target => platform_params[:dns_optionspath],
-          :content => 'allow-new-zones yes;'
+        is_expected.to contain_class('dns').with(
+          :additional_options => {
+            'allow-new-zones'   => 'yes',
+            'minimal-responses' => 'yes'
+          },
        )
        is_expected.to contain_file('/etc/designate/pools.yaml').with(
          :ensure => 'present',
@ -36,7 +38,7 @@ describe 'designate::backend::bind9' do
        { :configure_bind => false }
      end
      it 'does not configure named' do
-        is_expected.not_to contain_concat_fragment('dns allow-new-zones')
+        is_expected.to_not contain_class('dns')
      end
    end