
Commit e40f338

Bug 1162901 - ensure correct dns key algo used
https://bugzilla.redhat.com/show_bug.cgi?id=1162901 - Previously register_dns.pp used pick() to choose between bind_key_algorithm and dns_infrastructure_key_algorithm, but because both have a default value of HMAC-MD5, dns_infrastructure_key_algorithm was always chosen. - Show the list of skipped hostnames in the nsupdate command (debug output). - Fail if bind_key is not set and dns_infrastructure_zone is not set. - Fail if dns_infrastructure_key is not set and dns_infrastructure_zone is set.
1 parent 5a92949 commit e40f338

3 files changed

+47
-23
lines changed

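--- a/manifests/plugins/dns/nsupdate.pp
+++ b/manifests/plugins/dns/nsupdate.pp
@@ -65,5 +65,5 @@
 mode => '0644',
 notify => Service['openshift-broker'],
 require => $nsupdate_requirements
-}
+}
 }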
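--- a/manifests/register_dns.pp
+++ b/manifests/register_dns.pp
@@ -19,13 +19,27 @@
 ensure => present,
 require => Class['openshift_origin::install_method'],
 }
-$key_algorithm=pick($::openshift_origin::dns_infrastructure_key_algorithm,
-$::openshift_origin::bind_key_algorithm)
-$key_secret=pick($::openshift_origin::dns_infrastructure_key,
-$::openshift_origin::bind_key)
-$key_domain=pick($::openshift_origin::dns_infrastructure_zone,
-$::openshift_origin::domain)
-$key_argument="${key_algorithm}:${key_domain}:${key_secret}"
+
+if $::openshift_origin::dns_infrastructure_zone == '' {
+$key_domain = $::openshift_origin::domain
+$key_algorithm = $::openshift_origin::bind_key_algorithm
+
+if $::openshift_origin::bind_key == '' {
+fail 'bind_key is required when setting register_host_with_nameserver to true.'
+}
+$key_secret = $::openshift_origin::bind_key
+}
+else {
+$key_domain = $::openshift_origin::dns_infrastructure_zone
+$key_algorithm = $::openshift_origin::dns_infrastructure_key_algorithm
+
+if $::openshift_origin::dns_infrastructure_key == '' {
+fail 'dns_infrastructure_key is required when setting register_host_with_nameserver to true when using the dns_infrastructure_zone parameter.'
+}
+$key_secret = $::openshift_origin::dns_infrastructure_key
+}
+
+$key_argument = "${key_algorithm}:${key_domain}:${key_secret}"
 
 exec { "Attempting to register host dns" :
 command => template('openshift_origin/register_dns.erb'),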
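--- a/templates/register_dns.erb
+++ b/templates/register_dns.erb
@@ -1,20 +1,30 @@
-(
-echo server <%= scope.lookupvar('::openshift_origin::nameserver_ip_addr') %>
-<% role_hostnames = Array.new -%>
+<% hosts_to_check = Array.new -%>
+<% hosts_to_register = Array.new -%>
+<% hosts_to_skip = Array.new -%>
+<% node_ip = scope.lookupvar('::openshift_origin::node_ip_addr') -%>
 <% scope.lookupvar('::openshift_origin::roles').each do |role|
-role_hostname = scope.lookupvar("::openshift_origin::#{role}_hostname")
-if role_hostname.gsub(/^[^.]*./, '') == @key_domain
-role_hostnames << role_hostname
-end -%>
-<% end -%>
-<% role_hostnames.uniq.each do |role_hostname| -%>
-echo update delete <%= role_hostname %> A
-echo update add <%= role_hostname %> 180 A <%= scope.lookupvar('::openshift_origin::node_ip_addr') %>
+hosts_to_check << scope.lookupvar("::openshift_origin::#{role}_hostname")
+end -%>
+<% if scope.lookupvar('::openshift_origin::load_balancer_master') and scope.lookupvar('::openshift_origin::broker_virtual_ip_address')
+hosts_to_check << scope.lookupvar('::openshift_origin::broker_virtual_hostname')
+end -%>
+<% hosts_to_check.uniq.each do |h|
+h.gsub(/^[^.]*./, '') == @key_domain ? hosts_to_register << h :
+hosts_to_skip << h
+end -%>
+<% unless hosts_to_skip.empty? -%>
+echo "The following hosts will not be registered with DNS (not a member of <%= @key_domain %>):"
+<% hosts_to_skip.sort.each do |h| -%>
+echo "<%= h %>"
+<% end -%>
 <% end -%>
-<% if scope.lookupvar('::openshift_origin::load_balancer_master') and scope.lookupvar('::openshift_origin::broker_virtual_ip_address') and scope.lookupvar('::openshift_origin::broker_virtual_hostname').gsub(/^[^.]*./, '') == @key_domain -%>
+<% unless hosts_to_register.empty? -%>
 (
-echo update delete <%= scope.lookupvar('::openshift_origin::broker_virtual_hostname') %> A
-echo update add <%= scope.lookupvar('::openshift_origin::broker_virtual_hostname') %> 180 A <%= scope.lookupvar('::openshift_origin::broker_virtual_ip_address') %>
-<% end -%>
+echo server <%= scope.lookupvar('::openshift_origin::nameserver_ip_addr') %>
+<% hosts_to_register.each do |h| -%>
+echo update delete <%= h %> A
+echo update add <%= h %> 180 A <%= node_ip %>
+<% end -%>
 echo send
 ) | nsupdate -y <%= @key_argument %>
+<% end -%>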
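Review bot: `) | nsupdate -y <%= @key_argument %>` at new line 29 passes the TSIG secret as a command-line argument, where every local user can read it through `ps` or `/proc/<pid>/cmdline` for as long as nsupdate runs, and it also appears verbatim in any Puppet debug output of this command, which this commit makes more likely by turning the template into a diagnostic. The usual remedy is to have the manifest write the key to a mode-0600 file in ISC key format and change this line to `) | nsupdate -k <%= @key_file %>`, with the file resource required by the exec. Minor: the `.` in `/^[^.]*./` at new line 12 is an unescaped wildcard and `^` is a per-line anchor; `/\A[^.]*\./` states the intended "strip the first label" and behaves the same on every dotted hostname. Note also that the broker virtual hostname is now appended whenever `load_balancer_master` and `broker_virtual_ip_address` are set but is registered with `node_ip` rather than the virtual IP the old line 17 used; if that is intended it deserves a one-line comment above new line 8, since the old behaviour is not recoverable from the new template.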
