Description of problem:
puppet register dns with incorrect key algorithm

Version-Release number of selected component (if applicable):
openshift-openshift_origin (v4.0.12)

How reproducible:
100%

Steps to Reproduce:
Install broker according to the following configuration:

$bind_key = 'HD/U5sJrGiAtXvonGaHaoWmIJB4oRLRVY9lQgHa/AfE='
$install_method = 'none'
$mongodb_replicasets = false
$msgserver_cluster = false
$ose_version = '2.2'
$register_host_with_nameserver = true
$domain_name = 'ose-test.com.cn'

node /^broker/ {
  class { 'openshift_origin':
    roles                         => ['broker','msgserver','datastore'],
    bind_key                      => $bind_key,
    install_method                => $install_method,
    bind_key_algorithm            => 'HMAC-SHA256',
    nameserver_ip_addr            => '10.66.79.121',
    ose_version                   => $ose_version,
    register_host_with_nameserver => $register_host_with_nameserver,
    domain                        => $domain_name,
    conf_nameserver_upstream_dns  => ['10.66.127.17'],
    node_ip_addr                  => '10.66.79.159',
    broker_ip_addr                => '10.66.79.159'
  }
}

Actual results:

(
  echo server 10.66.79.121
  echo update delete broker.ose-test.com.cn A
  echo update add broker.ose-test.com.cn 180 A 10.66.79.159
  echo update delete msgserver.ose-test.com.cn A
  echo update add msgserver.ose-test.com.cn 180 A 10.66.79.159
  echo update delete mongodb.ose-test.com.cn A
  echo update add mongodb.ose-test.com.cn 180 A 10.66.79.159
  echo send
) | nsupdate -y HMAC-MD5:ose-test.com.cn:HD/U5sJrGiAtXvonGaHaoWmIJB4oRLRVY9lQgHa/AfE=

Expected results:
Should register dns with $bind_key_algorithm, not $dns_infrastructure_key_algorithm

Additional info:
We set the default value of $dns_infrastructure_key_algorithm in the 'openshift_origin' class, so the following code will pick the value of $dns_infrastructure_key_algorithm:

#vim manifests/register_dns.pp
$key_algorithm=pick($::openshift_origin::dns_infrastructure_key_algorithm, $::openshift_origin::bind_key_algorithm)
$key_secret=pick($::openshift_origin::dns_infrastructure_key, $::openshift_origin::bind_key)
$key_argument="${key_algorithm}:${::openshift_origin::domain}:${key_secret}"
Indeed, pick is choosing the dns_infrastructure_key, since it defaults to 'HMAC-MD5'. Instead of pick, I would probably use an inline template to test whether $::openshift_origin::dns_infrastructure_key is set, to determine which variable to use for $key_algorithm.
https://github.com/openshift/puppet-openshift_origin/pull/340
You can verify with:

git clone https://github.com/openshift/puppet-openshift_origin.git
cd puppet-openshift_origin
git checkout -b detiber-bz1162093 master
git pull https://github.com/detiber/puppet-openshift_origin.git bz1162093
puppet module build
puppet module install pkg/openshift-openshift_origin-4.1.1.tar.gz --force
Check on openshift-openshift_origin-4.1.1.tar.gz

node /^broker/ {
  class { 'openshift_origin':
    roles                         => ["broker", "nameserver", "datastore", "msgserver"],
    bind_key_algorithm            => 'HMAC-SHA256',
    domain                        => 'ose22-test.com.cn',
    bind_key                      => 'HD/U5sJrGiAtXvonGaHaoWmIJB4oRLRVY9lQgHa/AfE=',
    register_host_with_nameserver => true,
    install_method                => 'none',
    node_ip_addr                  => '10.66.79.150',
    nameserver_ip_addr            => '10.66.79.150',
    ose_version                   => '2.2',
    conf_nameserver_upstream_dns  => ['10.66.127.17'],
    development_mode              => true,
  }
}

run log:

Debug: Exec[Attempting to register host dns](provider=shell): Executing '["/bin/sh", "-c", " (\n echo server 10.66.79.150\n echo send\n) | nsupdate -y HMAC-SHA256:ose22-test.com.cn:HD/U5sJrGiAtXvonGaHaoWmIJB4oRLRVY9lQgHa/AfE=\n"]'
Debug: Executing '/bin/sh -c ( echo server 10.66.79.150 echo send ) | nsupdate -y HMAC-SHA256:ose22-test.com.cn:HD/U5sJrGiAtXvonGaHaoWmIJB4oRLRVY9lQgHa/AfE= '
Notice: /Stage[main]/Openshift_origin::Register_dns/Exec[Attempting to register host dns]/returns: executed successfully
Debug: /Stage[main]/Openshift_origin::Register_dns/Exec[Attempting to register host dns]: The container Class[Openshift_origin::Register_dns] will propagate my refresh event

Fails to add any record to the DNS.
It looks like when I rebased, I managed to remove all references to the key_domain variable in the template, so no hosts were being registered. I updated the PR: https://github.com/openshift/puppet-openshift_origin/pull/340 with this fix, and also added some additional output to say which hosts are skipped because they do not belong to the dns_infrastructure_zone if set (domain if not set).

Additionally, there is now some error checking in the puppet module if register_host_with_nameserver is set. The module will now fail if register_host_with_nameserver is set and the associated nsupdate key is not set (bind_key if using domain, dns_infrastructure_key if using dns_infrastructure_zone).

You can verify with:

git clone https://github.com/openshift/puppet-openshift_origin.git
cd puppet-openshift_origin
git checkout -b detiber-bz1162093 master
git pull https://github.com/detiber/puppet-openshift_origin.git bz1162093
puppet module build
puppet module install pkg/openshift-openshift_origin-4.1.1.tar.gz --force
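The two behaviours discussed in this thread, choosing the nsupdate key by whether dns_infrastructure_key is set rather than by pick(), and failing early when register_host_with_nameserver has no key to use, as an added illustration that is not the module's own register_dns.pp; it assumes the openshift_origin class parameters named in the bug and Puppet 3 syntax.

```puppet
# Added example, not the module's code: build the nsupdate -y argument
# for register_dns.pp without pick().
#
# pick() returns the first argument that is not undef or empty. Because
# dns_infrastructure_key_algorithm defaults to 'HMAC-MD5', pick() never
# falls through to bind_key_algorithm, which is the bug reported above.
# Decide on the key instead: the algorithm must follow the secret it
# belongs to, or the TSIG signature will not verify on the nameserver.
if $::openshift_origin::dns_infrastructure_key {
  # Hosts are registered in the separate infrastructure zone.
  $key_algorithm = $::openshift_origin::dns_infrastructure_key_algorithm
  $key_secret    = $::openshift_origin::dns_infrastructure_key
  $key_domain    = $::openshift_origin::dns_infrastructure_zone
} else {
  # Hosts are registered in the application domain with bind_key.
  $key_algorithm = $::openshift_origin::bind_key_algorithm
  $key_secret    = $::openshift_origin::bind_key
  $key_domain    = $::openshift_origin::domain
}

# Fail the catalog instead of running an unsigned or mis-signed nsupdate
# that BIND silently refuses (the "executed successfully" with no records
# seen in the verification log above).
if $::openshift_origin::register_host_with_nameserver and !$key_secret {
  fail("register_host_with_nameserver is set but no nsupdate key is configured for zone ${key_domain}")
}

# TSIG key name is the zone name in this module's nameserver setup.
$key_argument = "${key_algorithm}:${key_domain}:${key_secret}"
```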
Check on version 4.1.1

node /^broker/ {
  class { 'openshift_origin':
    roles                         => ["broker", "nameserver", "datastore", "msgserver"],
    #dns_infrastructure_names     => [{hostname=>"broker", ipaddr=>"10.66.79.150"}, {hostname=>"datastore", ipaddr=>"10.66.79.150"}, {hostname=>"msgserver", ipaddr=>"10.66.79.150"}, {hostname=>"node1", ipaddr=>"10.66.79.132"}, {hostname=>"node2", ipaddr=>"10.66.79.152"}],
    bind_key_algorithm            => 'HMAC-SHA256',
    domain                        => 'ose22-test.com.cn',
    bind_key                      => 'HD/U5sJrGiAtXvonGaHaoWmIJB4oRLRVY9lQgHa/AfE=',
    register_host_with_nameserver => true,
    install_method                => 'none',
    node_ip_addr                  => '10.66.79.150',
    nameserver_ip_addr            => '10.66.79.150',
    ose_version                   => '2.2',
    conf_nameserver_upstream_dns  => ['10.66.127.17'],
    development_mode              => true,
    #dns_infrastructure_zone      => 'ose-infrastructure.com.cn',
    #dns_infrastructure_key       => 'oZmVeXEiAi3foJ5GPG/11aaliaw1Wm7hccODfqBDfKRluO8bUfHK08mFMxpBnSW2bNJb+567Mc2sOwWyg7a1AA==',
  }
}

  echo server 10.66.79.150
  echo update delete broker.ose22-test.com.cn A
  echo update add broker.ose22-test.com.cn 180 A 10.66.79.150
  echo update delete ns1.ose22-test.com.cn A
  echo update add ns1.ose22-test.com.cn 180 A 10.66.79.150
  echo update delete mongodb.ose22-test.com.cn A
  echo update add mongodb.ose22-test.com.cn 180 A 10.66.79.150
  echo update delete msgserver.ose22-test.com.cn A
  echo update add msgserver.ose22-test.com.cn 180 A 10.66.79.150
  echo send
) | nsupdate -y HMAC-SHA256:ose22-test.com.cn:HD/U5sJrGiAtXvonGaHaoWmIJB4oRLRVY9lQgHa/AfE=

Registers with the correct key type and values.
Version 4.1.2 of the puppet module has been released resolving this bug.