charm-k8s-bind

Merge ~barryprice/charm-k8s-bind/+git/charm-k8s-bind:master into charm-k8s-bind:master

  1. Git
  2. lp:~barryprice/charm-k8s-bind/+git/charm-k8s-bind
  3. master
  4. Merge into master
Proposed by Barry Price
Status: Merged
Approved by: Barry Price
Approved revision: 658e953c529625d5098d04e6c2ff18ddc581e323
Merged at revision: 215704a032cea6cd5de965483218d231066153c1
Proposed branch: ~barryprice/charm-k8s-bind/+git/charm-k8s-bind:master
Merge into: charm-k8s-bind:master
Diff against target: 199 lines (+79/-15)
6 files modified
Dockerfile (+2/-0)
config.yaml (+7/-0)
image-scripts/docker-wrapper.sh (+21/-12)
image-scripts/recursion.patch (+8/-0)
src/charm.py (+3/-0)
tests/unit/test_charm.py (+38/-3)
Reviewer Review Type Date Requested Status
Haw Loeung +1 Approve
Canonical IS Reviewers Pending
Review via email: mp+403763@code.launchpad.net

Commit message

Add a charm option to allow recursion by default, and streamline the wrapper script.

These changes backported from (and compatible with) the WIP sidecar branch.

To post a comment you must log in.
Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Revision history for this message
Haw Loeung (hloeung) wrote (last edit ):

LGTM

Alternatively, you could use bind's `include` to include a file with the `allow-recursion` rather than patch and unpatch.

The file will be empty/emptied to disable.

review: Approve (+1)
Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Change successfully merged at revision 215704a032cea6cd5de965483218d231066153c1

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/Dockerfile b/Dockerfile
2index 94856fb..81bc645 100644
3--- a/Dockerfile
4+++ b/Dockerfile
5@@ -21,8 +21,10 @@ RUN apt-get update && apt-get -y dist-upgrade \
6
7 # wrapper script will configure Bind based on env variables and run it
8 # dns-check script will provide a readinessProbe
9+# recursion.patch will allow traffic from local (RFC1918) networks
10 COPY ./image-scripts/docker-wrapper.sh /usr/local/bin/
11 COPY ./image-scripts/dns-check.sh /usr/local/bin/
12+COPY ./image-scripts/recursion.patch /usr/local/share/
13 RUN chmod 0755 /usr/local/bin/docker-wrapper.sh
14 RUN chmod 0755 /usr/local/bin/dns-check.sh
15
16diff --git a/config.yaml b/config.yaml
17index 214ab0c..fcad409 100644
18--- a/config.yaml
19+++ b/config.yaml
20@@ -35,6 +35,13 @@ options:
21 If unset, bind will be deployed with the package defaults.
22 e.g. http://github.com/foo/my-custom-bind-config
23 default: ""
24+ enable_rfc1918_recursion:
25+ type: boolean
26+ description: |
27+ Enable recursive queries from hosts on RFC1918 networks.
28+
29+ Ignored if custom_config_repo is set.
30+ default: True
31 https_proxy:
32 type: string
33 description: |
34diff --git a/image-scripts/docker-wrapper.sh b/image-scripts/docker-wrapper.sh
35index 4f807e1..97c4997 100644
36--- a/image-scripts/docker-wrapper.sh
37+++ b/image-scripts/docker-wrapper.sh
38@@ -1,25 +1,34 @@
39 #!/bin/bash
40+
41 set -eu
42
43+echo "Fresh wrapper run at $(date)";
44+
45 if [ -z "${BIND_CONFDIR-}" ]; then
46- # If BIND_CONFDIR wasn't set, use the package default
47- BIND_CONFDIR="/etc/bind";
48+ # If BIND_CONFDIR wasn't set, use the package default
49+ BIND_CONFDIR="/etc/bind";
50 fi
51
52 if [ -z "${CUSTOM_CONFIG_REPO-}" ]; then
53- echo "No custom repo set, will fall back to package default config";
54+ echo "No custom repo set, will fall back to package default config";
55+ if [ -z "${ENABLE_RFC1918_RECURSION-}" ]; then
56+ echo "RFC1918 network recursion disabled, using stock config";
57+ apt-get install --reinstall -o Dpkg::Options::="--force-confask,confnew,confmiss" bind9
58+ else
59+ echo "Enabling RFC1918 network recursion";
60+ patch -p0 -b < /usr/local/share/recursion.patch -d /
61+ fi
62 else
63- echo "Pulling config from $CUSTOM_CONFIG_REPO";
64- if [ -d "${BIND_CONFDIR}" ]; then
65- mv "${BIND_CONFDIR}" "${BIND_CONFDIR}_$(date +"%Y-%m-%d_%H-%M-%S")";
66- fi
67- git clone "$CUSTOM_CONFIG_REPO" "$BIND_CONFDIR";
68+ if [ -d "${BIND_CONFDIR}" ]; then
69+ echo "Backing up old config";
70+ mv "${BIND_CONFDIR}" "${BIND_CONFDIR}_$(date +"%Y-%m-%d_%H-%M-%S")";
71+ fi
72+ echo "Pulling config from $CUSTOM_CONFIG_REPO";
73+ git clone "$CUSTOM_CONFIG_REPO" "$BIND_CONFDIR";
74 fi
75
76-if [ -d "${BIND_CONFDIR}" ]; then
77- exec "$@"
78-else
79- echo "Something went wrong, ${BIND_CONFDIR} does not exist, not starting";
80+if [ ! -d "${BIND_CONFDIR}" ]; then
81+ echo "Something went wrong, ${BIND_CONFDIR} does not exist, not starting";
82 fi
83
84 /usr/sbin/named -g -u bind -c /etc/bind/named.conf
85diff --git a/image-scripts/recursion.patch b/image-scripts/recursion.patch
86new file mode 100644
87index 0000000..7af8b38
88--- /dev/null
89+++ b/image-scripts/recursion.patch
90@@ -0,0 +1,8 @@
91+--- /etc/bind/named.conf.options.orig 2021-05-28 07:45:55.746342836 +0000
92++++ /etc/bind/named.conf.options 2021-05-28 07:48:07.884023912 +0000
93+@@ -21,4 +21,5 @@
94+ dnssec-validation auto;
95+
96+ listen-on-v6 { any; };
97++ allow-recursion { 127.0.0.1; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
98+ };
99diff --git a/src/charm.py b/src/charm.py
100index 14198c7..964922c 100755
101--- a/src/charm.py
102+++ b/src/charm.py
103@@ -85,6 +85,9 @@ class BindK8sCharm(CharmBase):
104 if config["custom_config_repo"].strip():
105 pod_config["CUSTOM_CONFIG_REPO"] = config["custom_config_repo"]
106
107+ if config["enable_rfc1918_recursion"]:
108+ pod_config["ENABLE_RFC1918_RECURSION"] = 1
109+
110 if config["https_proxy"].strip():
111 pod_config["http_proxy"] = config["https_proxy"]
112 pod_config["https_proxy"] = config["https_proxy"]
113diff --git a/tests/unit/test_charm.py b/tests/unit/test_charm.py
114index 3938f12..c9834d1 100644
115--- a/tests/unit/test_charm.py
116+++ b/tests/unit/test_charm.py
117@@ -38,6 +38,17 @@ CONFIG_VALID = {
118 'https_proxy': '',
119 }
120
121+CONFIG_VALID_WITHOUT_RECURSION = {
122+ 'bind_image_path': 'example.com/bind:v1',
123+ 'bind_image_username': '',
124+ 'bind_image_password': '',
125+ 'enable_rfc1918_recursion': False,
126+ 'container_config': '',
127+ 'container_secrets': '',
128+ 'custom_config_repo': '',
129+ 'https_proxy': '',
130+}
131+
132 CONFIG_VALID_WITH_CREDS = {
133 'bind_image_path': 'secure.example.com/bind:v1',
134 'bind_image_username': 'test-user',
135@@ -123,6 +134,26 @@ class TestBindK8s(unittest.TestCase):
136 {'containerPort': 53, 'name': 'domain-tcp', 'protocol': 'TCP'},
137 {'containerPort': 53, 'name': 'domain-udp', 'protocol': 'UDP'},
138 ],
139+ 'config': {'ENABLE_RFC1918_RECURSION': 1},
140+ 'kubernetes': {'readinessProbe': {'exec': {'command': ['/usr/local/bin/dns-check.sh']}}},
141+ }
142+ ],
143+ }
144+ self.assertEqual(self.harness.charm.make_pod_spec(), expected)
145+
146+ def test_make_pod_spec_without_recursion(self):
147+ """Confirm that we generate the expected pod spec from config disabling recursion."""
148+ self.harness.update_config(CONFIG_VALID_WITHOUT_RECURSION)
149+ expected = {
150+ 'version': 2,
151+ 'containers': [
152+ {
153+ 'name': 'bind-k8s',
154+ 'imageDetails': {'imagePath': 'example.com/bind:v1'},
155+ 'ports': [
156+ {'containerPort': 53, 'name': 'domain-tcp', 'protocol': 'TCP'},
157+ {'containerPort': 53, 'name': 'domain-udp', 'protocol': 'UDP'},
158+ ],
159 'config': {},
160 'kubernetes': {'readinessProbe': {'exec': {'command': ['/usr/local/bin/dns-check.sh']}}},
161 }
162@@ -147,7 +178,7 @@ class TestBindK8s(unittest.TestCase):
163 {'containerPort': 53, 'name': 'domain-tcp', 'protocol': 'TCP'},
164 {'containerPort': 53, 'name': 'domain-udp', 'protocol': 'UDP'},
165 ],
166- 'config': {},
167+ 'config': {'ENABLE_RFC1918_RECURSION': 1},
168 'kubernetes': {'readinessProbe': {'exec': {'command': ['/usr/local/bin/dns-check.sh']}}},
169 }
170 ],
171@@ -167,7 +198,10 @@ class TestBindK8s(unittest.TestCase):
172 {'containerPort': 53, 'name': 'domain-tcp', 'protocol': 'TCP'},
173 {'containerPort': 53, 'name': 'domain-udp', 'protocol': 'UDP'},
174 ],
175- 'config': {'magic_number': 123},
176+ 'config': {
177+ 'ENABLE_RFC1918_RECURSION': 1,
178+ 'magic_number': 123,
179+ },
180 'kubernetes': {'readinessProbe': {'exec': {'command': ['/usr/local/bin/dns-check.sh']}}},
181 }
182 ],
183@@ -187,7 +221,7 @@ class TestBindK8s(unittest.TestCase):
184 {'containerPort': 53, 'name': 'domain-tcp', 'protocol': 'TCP'},
185 {'containerPort': 53, 'name': 'domain-udp', 'protocol': 'UDP'},
186 ],
187- 'config': {'magic_number': 123, 'secret_password': 'xyzzy'},
188+ 'config': {'ENABLE_RFC1918_RECURSION': 1, 'magic_number': 123, 'secret_password': 'xyzzy'},
189 'kubernetes': {'readinessProbe': {'exec': {'command': ['/usr/local/bin/dns-check.sh']}}},
190 }
191 ],
192@@ -209,6 +243,7 @@ class TestBindK8s(unittest.TestCase):
193 ],
194 'config': {
195 'CUSTOM_CONFIG_REPO': 'https://git.example.com/example-bind-config.git',
196+ 'ENABLE_RFC1918_RECURSION': 1,
197 'http_proxy': 'http://webproxy.example.com:3128/',
198 'https_proxy': 'http://webproxy.example.com:3128/',
199 },

Subscribers

People subscribed via source and target branches

to all changes: