82 changes: 12 additions & 70 deletions .github/workflows/ci.yml
@@ -1,79 +1,21 @@
---
name: CI

on:
pull_request:
schedule:
- cron: '4 4 * * *'

jobs:
setup_matrix:
if: github.event_name != 'schedule' || github.repository_owner == 'theforeman'
name: 'Setup Test Matrix'
runs-on: ubuntu-latest
outputs:
beaker_setfiles: ${{ steps.get_outputs.outputs.beaker_setfiles }}
puppet_major_versions: ${{ steps.get_outputs.outputs.puppet_major_versions }}
puppet_unit_test_matrix: ${{ steps.get_outputs.outputs.puppet_unit_test_matrix }}
env:
BUNDLE_WITHOUT: development:system_tests:release
steps:
- uses: actions/checkout@v2
- name: Setup ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: '2.7'
bundler-cache: true
- name: Run rake check
run: bundle exec rake check
- name: Run rake validate
run: bundle exec rake validate
- name: Run rake lint
run: bundle exec rake lint
- name: Setup Test Matrix
id: get_outputs
run: bundle exec metadata2gha --use-fqdn --pidfile-workaround CentOS

unit:
needs: setup_matrix
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include: ${{fromJson(needs.setup_matrix.outputs.puppet_unit_test_matrix)}}
env:
BUNDLE_WITHOUT: development:system_tests:release
PUPPET_VERSION: "${{ matrix.puppet }}.0"
name: Unit / Puppet ${{ matrix.puppet }} (Ruby ${{ matrix.ruby }})
steps:
- uses: actions/checkout@v2
- name: Setup ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: ${{ matrix.ruby }}
bundler-cache: true
- name: Run tests
run: bundle exec rake parallel_spec
concurrency:
group: ${{ github.ref_name }}
cancel-in-progress: true

acceptance:
needs: setup_matrix
runs-on: ubuntu-latest
env:
BUNDLE_WITHOUT: development:test:release
strategy:
fail-fast: false
matrix:
setfile: ${{fromJson(needs.setup_matrix.outputs.beaker_setfiles)}}
puppet: ${{fromJson(needs.setup_matrix.outputs.puppet_major_versions)}}
name: Acceptance / ${{ matrix.puppet.name }} - ${{ matrix.setfile.name }}
steps:
- uses: actions/checkout@v2
- name: Setup ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: '2.7'
bundler-cache: true
- name: Run tests
run: bundle exec rake beaker
env:
BEAKER_PUPPET_COLLECTION: ${{ matrix.puppet.collection }}
BEAKER_setfile: ${{ matrix.setfile.value }}
jobs:
puppet:
name: Puppet
uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v1
with:
pidfile_workaround: 'CentOS'
rubocop: false
cache-version: '1'
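Review bot: The fork/schedule guard `if: github.event_name != 'schedule' || github.repository_owner == 'theforeman'` that the removed `setup_matrix` job carried has no counterpart on the new `puppet` job, so forks will now run the nightly `cron: '4 4 * * *'` against their own runner minutes unless the reusable workflow filters on owner internally, which is not visible from here. Adding `if: github.event_name != 'schedule' || github.repository_owner == 'theforeman'` directly under `puppet:` restores the previous behaviour. Separately, `uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v1` resolves a mutable tag; pinning the reusable workflow to a full commit SHA, with the tag kept in a trailing comment, makes the workflow's supply chain reproducible and reviewable.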
15 changes: 15 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,20 @@
# Changelog

## [9.3.0](https://github.com/theforeman/puppet-dns/tree/9.3.0) (2022-04-19)

[Full Changelog](https://github.com/theforeman/puppet-dns/compare/9.2.0...9.3.0)

**Implemented enhancements:**

- Handle dnssec-enable config option removal [\#210](https://github.com/theforeman/puppet-dns/pull/210) ([ekohl](https://github.com/ekohl))
- Add support for defining custom dnssec-policies [\#206](https://github.com/theforeman/puppet-dns/pull/206) ([smortex](https://github.com/smortex))
- Add support for `dnssec-policy` [\#205](https://github.com/theforeman/puppet-dns/pull/205) ([smortex](https://github.com/smortex))
- Update the specified bind version on FreeBSD to 9.16. [\#204](https://github.com/theforeman/puppet-dns/pull/204) ([rtprio](https://github.com/rtprio))

**Closed issues:**

- dnssec-enable no longer a valid configuration item. [\#207](https://github.com/theforeman/puppet-dns/issues/207)

## [9.2.0](https://github.com/theforeman/puppet-dns/tree/9.2.0) (2022-02-03)

[Full Changelog](https://github.com/theforeman/puppet-dns/compare/9.1.0...9.2.0)
4 changes: 2 additions & 2 deletions Gemfile
Expand Up @@ -3,7 +3,7 @@

source 'https://rubygems.org'

gem 'puppet', ENV.key?('PUPPET_VERSION') ? "~> #{ENV['PUPPET_VERSION']}" : '>= 5.5', groups: ['development', 'test']
gem 'puppet', ENV['PUPPET_GEM_VERSION'] || '>= 5.5', groups: ['development', 'test']
gem 'rake'

gem 'kafo_module_lint', {"groups"=>["test"]}
Expand All @@ -15,7 +15,7 @@ gem 'puppet-lint-strict_indent-check', {"groups"=>["test"]}
gem 'puppet-lint-undef_in_function-check', {"groups"=>["test"]}
gem 'voxpupuli-test', '~> 1.4', {"groups"=>["test"]}
gem 'github_changelog_generator', '>= 1.15.0', {"groups"=>["development"]}
gem 'puppet_metadata', '~> 0.3'
gem 'puppet_metadata', '~> 1.3'
gem 'puppet-blacksmith', '>= 6.0.0', {"groups"=>["development"]}
gem 'voxpupuli-acceptance', '~> 1.0', {"groups"=>["system_tests"]}
gem 'puppetlabs_spec_helper', {"groups"=>["system_tests"]}
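Review bot: The puppet requirement on the new `gem 'puppet', ENV['PUPPET_GEM_VERSION'] || '>= 5.5'` line is now taken verbatim from the environment, whereas the old line wrapped `PUPPET_VERSION` in `"~> #{...}"`; a caller that still exports a bare major such as `7` would now get an exact `= 7` requirement that cannot resolve, and anyone still exporting `PUPPET_VERSION` is silently ignored. Presumably the reusable beaker workflow exports a full requirement string in `PUPPET_GEM_VERSION`, but nothing in this hunk shows that. A one-line comment above the gem line, `# PUPPET_GEM_VERSION must be a full requirement string, e.g. '~> 7.0' (the gha-puppet workflow sets it)`, would record the contract for local runs.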
80 changes: 80 additions & 0 deletions manifests/dnssec_policy.pp
@@ -0,0 +1,80 @@
# Manage custom DNSSEC policies
#
# @param dnskey_ttl
# This indicates the TTL to use when generating DNSKEY resource records.
# @param keys
# This is a list specifying the algorithms and roles to use when generating
# keys and signing the zone. Entries in this list do not represent specific
# DNSSEC keys, which may be changed on a regular basis, but the roles that
# keys play in the signing policy.
# @param max_zone_ttl
# This specifies the maximum permissible TTL value in seconds for the zone.
# @param parent_ds_ttl
# This is the TTL of the DS RRset that the parent zone uses.
# @param parent_propagation_delay
# This is the expected propagation delay from the time when the parent zone is
# updated to the time when the new version is served by all of the parent
# zone’s name servers.
# @param publish_safety
# This is a margin that is added to the pre-publication interval in rollover
# timing calculations, to give some extra time to cover unforeseen events.
# This increases the time between when keys are published and they become
# active.
# @param retire_safety
# This is a margin that is added to the post-publication interval in rollover
# timing calculations, to give some extra time to cover unforeseen events.
# This increases the time a key remains published after it is no longer
# active.
# @param signatures_refresh
# This determines how frequently an RRSIG record needs to be refreshed. The
# signature is renewed when the time until the expiration time is closer than
# the specified interval.
# @param signatures_validity
# This indicates the validity period of an RRSIG record (subject to inception
# offset and jitter).
# @param signatures_validity_dnskey
# This is similar to signatures-validity, but for DNSKEY records.
# @param zone_propagation_delay
# This is the expected propagation delay from the time when a zone is first
# updated to the time when the new version of the zone is served by all
# secondary servers.
define dns::dnssec_policy (
Optional[Integer] $dnskey_ttl = undef,
Array[Dns::Dnssec_policy_key] $keys = [],
Optional[Integer] $max_zone_ttl = undef,
Optional[Integer] $parent_ds_ttl = undef,
Optional[String[1]] $parent_propagation_delay = undef,
Optional[String[1]] $publish_safety = undef,
Optional[String[1]] $retire_safety = undef,
Optional[String[1]] $signatures_refresh = undef,
Optional[String[1]] $signatures_validity = undef,
Optional[String[1]] $signatures_validity_dnskey = undef,
Optional[String[1]] $zone_propagation_delay = undef,
) {
if $name == 'none' or $name == 'default' {
fail("The name \"${name}\" is reserved and cannot be used")
}

concat::fragment { "dnssec-policy-${name}":
target => $dns::publicviewpath,
order => '0',
content => epp('dns/named.dnssec_policy.epp',
{
name => $name,
keys => $keys,
options => {
'dnskey-ttl' => $dnskey_ttl,
'max-zone-ttl' => $max_zone_ttl,
'parent-ds-ttl' => $parent_ds_ttl,
'parent-propagation-delay' => $parent_propagation_delay,
'publish-safety' => $publish_safety,
'retire-safety' => $retire_safety,
'signatures-refresh' => $signatures_refresh,
'signatures-validity' => $signatures_validity,
'signatures-validity-dnskey' => $signatures_validity_dnskey,
'zone-propagation-delay' => $zone_propagation_delay,
},
}
),
}
}
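Review bot: `$name` is interpolated straight into the BIND configuration via `epp('dns/named.dnssec_policy.epp', ...)` while the only validation is the reserved-name check for `none` and `default`, so a resource title containing whitespace, `;` or `}` (for example one assembled from Hiera data) produces a named.conf that fails `named-checkconf` with an error that does not point back to this define. A pattern guard beside the existing check, `unless $name =~ /\A[A-Za-z0-9_.-]+\z/ { fail("The name \"${name}\" is not a valid dnssec-policy name") }`, catches that at catalog compile time instead. The header comment could also state that the fragment is appended to `$dns::publicviewpath`, so the `dns` class must be declared before this define is used; whether BIND treats policy names case-insensitively, which would affect the reserved-name check, is worth confirming against the BIND documentation.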
5 changes: 3 additions & 2 deletions manifests/init.pp
Expand Up @@ -56,7 +56,8 @@
# @param dns_notify
# The notify option in named.conf
# @param dnssec_enable
# The dnssec-enable option
# The dnssec-enable option. This option is deprecated and has no effect since
# BIND 9.15. It's been removed in BIND 9.18.
# @param dnssec_validation
# The dnssec-validation option
# @param namedconf_template
Expand Down Expand Up @@ -157,7 +158,7 @@
Array[String] $allow_query = ['any'],
Enum['yes', 'no'] $empty_zones_enable = 'yes',
Optional[Enum['yes', 'no', 'explicit']] $dns_notify = undef,
Enum['yes', 'no'] $dnssec_enable = 'yes',
Optional[Enum['yes', 'no']] $dnssec_enable = $dns::params::dnssec_enable,
Enum['yes', 'no', 'auto'] $dnssec_validation = 'yes',
String $namedconf_template = 'dns/named.conf.erb',
Hash[String, Array[String]] $acls = {},
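Review bot: The `@param dnssec_enable` documentation in the first hunk says the option is deprecated since BIND 9.15 and removed in 9.18, but the second hunk also changes the default to `$dns::params::dnssec_enable` and the type to `Optional[...]`, and the docs do not explain either. I would extend the comment with `# Set to undef to omit the option from named.conf entirely; the default is platform-dependent (see dns::params) and omits it on releases that ship BIND 9.16 or newer.` so a user on a platform where named no longer accepts the option knows to leave it unset rather than pass 'yes'. Reading `$dns::params::dnssec_enable` as a default relies on the class inheriting `dns::params`; the class header is outside the hunk, so I assume that is already the case.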
13 changes: 12 additions & 1 deletion manifests/params.pp
Expand Up @@ -24,6 +24,12 @@

# This option is not relevant for Debian
$sysconfig_disable_zone_checking = undef

$dnssec_enable = $facts['os']['name'] ? {
'Debian' => if versioncmp($facts['os']['release']['major'], '11') >= 0 { undef } else { 'yes' },
'Ubuntu' => if versioncmp($facts['os']['release']['major'], '20.04') >= 0 { undef } else { 'yes' },
default => undef,
}
}
'RedHat': {
$dnsdir = '/etc'
Expand All @@ -47,6 +53,8 @@

# This option is not relevant for RedHat
$sysconfig_resolvconf_integration = undef

$dnssec_enable = 'yes'
}
/^(FreeBSD|DragonFly)$/: {
$dnsdir = '/usr/local/etc/namedb'
Expand All @@ -57,7 +65,7 @@
$defaultzonepath = 'unmanaged'
$publicviewpath = "${dnsdir}/zones.conf"
$viewconfigpath = "${dnsdir}/named/views"
$dns_server_package = 'bind910'
$dns_server_package = 'bind916'
$namedservicename = 'named'
$user = 'bind'
$group = 'bind'
Expand All @@ -69,6 +77,7 @@
$sysconfig_startup_options = undef
$sysconfig_disable_zone_checking = undef
$sysconfig_resolvconf_integration = undef
$dnssec_enable = undef
}
'Archlinux': {
$dnsdir = '/etc'
Expand All @@ -91,6 +100,8 @@
$sysconfig_startup_options = undef
$sysconfig_disable_zone_checking = undef
$sysconfig_resolvconf_integration = undef

$dnssec_enable = undef
}
default: {
fail ("Unsupported operating system family ${facts['os']['family']}")
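Review bot: The thresholds `'11'` for Debian and `'20.04'` for Ubuntu in the new `$dnssec_enable` selector are magic values; presumably they are the first releases whose packaged BIND is 9.16 or newer, where the option is deprecated, but nothing in the hunk says so. A comment above the selector, `# dnssec-enable is deprecated from BIND 9.15 on; Debian 11 and Ubuntu 20.04 are the first releases shipping 9.16, so omit it there`, records the reasoning for the next bump. The RedHat branch in the later hunk sets `$dnssec_enable = 'yes'` unconditionally; if a RedHat release ships BIND 9.16 or newer (I believe EL9 does, but confirm), the same version gate belongs there, otherwise named will warn about a deprecated option that the Debian branch deliberately omits, and once the option is removed upstream it would presumably be rejected outright.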
3 changes: 3 additions & 0 deletions manifests/zone.pp
Expand Up @@ -48,6 +48,8 @@
# @param inline_signing
# @param dnssec_secure_to_insecure
# @param auto_dnssec
# @param dnssec_policy
# Causes the zone to be signed and turns on automatic maintenance for the zone.
#
define dns::zone (
Array[String] $target_views = [],
Expand Down Expand Up @@ -80,6 +82,7 @@
Optional[Enum['yes', 'no']] $inline_signing = undef,
Optional[Enum['yes', 'no']] $dnssec_secure_to_insecure = undef,
Optional[Enum['allow', 'maintain', 'off']] $auto_dnssec = undef,
Optional[String[1]] $dnssec_policy = undef,
) {

$_contact = pick($contact, "root.${zone}.")
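Review bot: `$dnssec_policy` is added to `dns::zone` without any check against the other signing parameters visible in the same hunk, `inline_signing`, `dnssec_secure_to_insecure` and `auto_dnssec`; as far as I know BIND rejects a zone that sets both `dnssec-policy` and `auto-dnssec`, so `if $dnssec_policy and $auto_dnssec { fail("dnssec_policy and auto_dnssec are mutually exclusive on zone ${name}") }` in the body would turn a named-checkconf failure into a compile-time error, and the same is worth confirming for `inline_signing`. The `@param dnssec_policy` text should also say that the value must be `default`, `none` or the title of a `dns::dnssec_policy` resource declared in the same catalog. The define's body continues past the end of the hunk, so the right place for the guard is not visible here.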
2 changes: 1 addition & 1 deletion metadata.json
@@ -1,6 +1,6 @@
{
"name": "theforeman-dns",
"version": "9.2.0",
"version": "9.3.0",
"author": "theforeman",
"summary": "Manage the ISC BIND daemon",
"license": "Apache-2.0",
13 changes: 11 additions & 2 deletions spec/classes/dns_init_spec.rb
Expand Up @@ -10,7 +10,7 @@
when 'Debian'
'bind9'
when 'FreeBSD'
'bind910'
'bind916'
else
'bind'
end
Expand Down Expand Up @@ -100,17 +100,26 @@

it { should contain_concat(options_path) }
it do
has_dnssec_enable = case facts[:os]['family']
when 'Debian'
['9', '10', '18.04'].include?(facts[:os]['release']['major'])
when 'RedHat'
true
else
false
end
expected = [
"directory \"#{var_path}\";",
'recursion yes;',
'allow-query { any; };',
'dnssec-enable yes;',
'dnssec-validation yes;',
'empty-zones-enable yes;',
'listen-on-v6 { any; };',
'allow-recursion { localnets; localhost; };'
]

expected << 'dnssec-enable yes;' if has_dnssec_enable

if facts[:os]['family'] == 'FreeBSD'
expected << 'pid-file "/var/run/named/pid";'
end
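Review bot: The new `has_dnssec_enable` logic only adds a positive expectation (`expected << 'dnssec-enable yes;' if has_dnssec_enable`); when it is false nothing asserts that `dnssec-enable` is absent, so a regression that keeps emitting the option on Debian 11, Ubuntu 20.04 or FreeBSD, the platforms this change is about, would still pass. A negative assertion in the else path is worth adding, in whatever form the `expected` list is consumed below the hunk (that code is outside my view), for example matching the rendered options content with `not_to` against `/dnssec-enable/`. The hard-coded `['9', '10', '18.04']` list duplicates the `versioncmp` gates in `dns::params`, which is acceptable for a spec, but a comment such as `# mirrors the release gates for dnssec_enable in dns::params` would keep the two in step.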