Merge ~barryprice/charm-k8s-bind/+git/charm-k8s-bind:master into charm-k8s-bind:master

Proposed by Barry Price
Status: Merged
Approved by: Barry Price
Approved revision: 658e953c529625d5098d04e6c2ff18ddc581e323
Merged at revision: 215704a032cea6cd5de965483218d231066153c1
Proposed branch: ~barryprice/charm-k8s-bind/+git/charm-k8s-bind:master
Merge into: charm-k8s-bind:master
Diff against target: 199 lines (+79/-15)
6 files modified
Dockerfile (+2/-0)
config.yaml (+7/-0)
image-scripts/docker-wrapper.sh (+21/-12)
image-scripts/recursion.patch (+8/-0)
src/charm.py (+3/-0)
tests/unit/test_charm.py (+38/-3)
Reviewer Review Type Date Requested Status
Haw Loeung +1 Approve
Canonical IS Reviewers Pending
Review via email: mp+403763@code.launchpad.net

Commit message

Add a charm option to allow recursion by default, and streamline the wrapper script.

These changes are backported from (and compatible with) the WIP sidecar branch.

🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Haw Loeung (hloeung) wrote (last edit ):

LGTM

Alternatively, you could use bind's `include` to include a file with the `allow-recursion` rather than patch and unpatch.

The file will be empty/emptied to disable.

review: Approve (+1)
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Change successfully merged at revision 215704a032cea6cd5de965483218d231066153c1

Preview Diff

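--- a/Dockerfile
+++ b/Dockerfile
@@ -21,8 +21,10 @@ RUN apt-get update && apt-get -y dist-upgrade \
 
 # wrapper script will configure Bind based on env variables and run it
 # dns-check script will provide a readinessProbe
+# recursion.patch will allow traffic from local (RFC1918) networks
 COPY ./image-scripts/docker-wrapper.sh /usr/local/bin/
 COPY ./image-scripts/dns-check.sh /usr/local/bin/
+COPY ./image-scripts/recursion.patch /usr/local/share/
 RUN chmod 0755 /usr/local/bin/docker-wrapper.sh
 RUN chmod 0755 /usr/local/bin/dns-check.sh
 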
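--- a/config.yaml
+++ b/config.yaml
@@ -35,6 +35,13 @@ options:
  If unset, bind will be deployed with the package defaults.
  e.g. http://github.com/foo/my-custom-bind-config
  default: ""
+ enable_rfc1918_recursion:
+ type: boolean
+ description: |
+ Enable recursive queries from hosts on RFC1918 networks.
+
+ Ignored if custom_config_repo is set.
+ default: True
  https_proxy:
  type: string
  description: |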
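Review bot: `enable_rfc1918_recursion` ships with `default: True`, so every deployment that leaves the option unset answers recursive queries for any client whose source address is in an RFC1918 range, and the description does not say what that implies on Kubernetes. The ACL is based on source address only; if port 53 is published through a load balancer or NodePort that rewrites source addresses, clients outside the cluster may arrive with an internal address and be treated as local (this depends on the cluster networking, which is not visible here). Consider `default: False` so recursion is an explicit choice, or at minimum add a description line such as `Only enable when port 53 is not reachable from untrusted networks; clients are matched by source address alone.`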
diff --git a/image-scripts/docker-wrapper.sh b/image-scripts/docker-wrapper.sh
index 4f807e1..97c4997 100644
--- a/image-scripts/docker-wrapper.sh
+++ b/image-scripts/docker-wrapper.sh
@@ -1,25 +1,34 @@
1#!/bin/bash1#!/bin/bash
2
2set -eu3set -eu
34
5echo "Fresh wrapper run at $(date)";
6
4if [ -z "${BIND_CONFDIR-}" ]; then7if [ -z "${BIND_CONFDIR-}" ]; then
5 # If BIND_CONFDIR wasn't set, use the package default8 # If BIND_CONFDIR wasn't set, use the package default
6 BIND_CONFDIR="/etc/bind";9 BIND_CONFDIR="/etc/bind";
7fi10fi
811
9if [ -z "${CUSTOM_CONFIG_REPO-}" ]; then12if [ -z "${CUSTOM_CONFIG_REPO-}" ]; then
10 echo "No custom repo set, will fall back to package default config";13 echo "No custom repo set, will fall back to package default config";
14 if [ -z "${ENABLE_RFC1918_RECURSION-}" ]; then
15 echo "RFC1918 network recursion disabled, using stock config";
16 apt-get install --reinstall -o Dpkg::Options::="--force-confask,confnew,confmiss" bind9
17 else
18 echo "Enabling RFC1918 network recursion";
19 patch -p0 -b < /usr/local/share/recursion.patch -d /
20 fi
11else21else
12 echo "Pulling config from $CUSTOM_CONFIG_REPO";22 if [ -d "${BIND_CONFDIR}" ]; then
13 if [ -d "${BIND_CONFDIR}" ]; then23 echo "Backing up old config";
14 mv "${BIND_CONFDIR}" "${BIND_CONFDIR}_$(date +"%Y-%m-%d_%H-%M-%S")";24 mv "${BIND_CONFDIR}" "${BIND_CONFDIR}_$(date +"%Y-%m-%d_%H-%M-%S")";
15 fi25 fi
16 git clone "$CUSTOM_CONFIG_REPO" "$BIND_CONFDIR";26 echo "Pulling config from $CUSTOM_CONFIG_REPO";
27 git clone "$CUSTOM_CONFIG_REPO" "$BIND_CONFDIR";
17fi28fi
1829
19if [ -d "${BIND_CONFDIR}" ]; then30if [ ! -d "${BIND_CONFDIR}" ]; then
20 exec "$@"31 echo "Something went wrong, ${BIND_CONFDIR} does not exist, not starting";
21else
22 echo "Something went wrong, ${BIND_CONFDIR} does not exist, not starting";
23fi32fi
2433
25/usr/sbin/named -g -u bind -c /etc/bind/named.conf34/usr/sbin/named -g -u bind -c /etc/bind/named.conf
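Review bot: The rewritten check `if [ ! -d "${BIND_CONFDIR}" ]; then` prints "not starting" but has no exit, so the script falls through and launches named regardless; add `exit 1;` after the echo so a missing config directory fails the pod visibly. The `patch -p0 -b < /usr/local/share/recursion.patch -d /` step also runs on every wrapper start, and under `set -eu` a second run against an already-patched file would likely return non-zero and abort the wrapper if the container filesystem is ever reused; a guard such as `[ -e /etc/bind/named.conf.options.orig ] ||` in front of it makes the step idempotent. Note too that the patch always targets `/etc/bind` even when `BIND_CONFDIR` points elsewhere. The disabled branch depends on `apt-get install --reinstall` at container start, which needs network access and installs whatever bind9 the archive serves at that moment rather than the version the image was built with.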
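--- /dev/null
+++ b/image-scripts/recursion.patch
@@ -0,0 +1,8 @@
+--- /etc/bind/named.conf.options.orig 2021-05-28 07:45:55.746342836 +0000
++++ /etc/bind/named.conf.options 2021-05-28 07:48:07.884023912 +0000
+@@ -21,4 +21,5 @@
+ dnssec-validation auto;
+
+ listen-on-v6 { any; };
++ allow-recursion { 127.0.0.1; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
+ };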
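Review bot: The `allow-recursion` list names only `127.0.0.1` for the local host, so once this explicit ACL replaces BIND's default, queries the server makes to itself over `::1` are refused recursion even though the context line `listen-on-v6 { any; };` keeps IPv6 listening. BIND's built-in `localhost` ACL covers both address families: `allow-recursion { localhost; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };`. The hunk is also positioned against line 21 of the packaged `named.conf.options`, so a package update that reshapes that file could make the patch fail at container start; a short comment in the wrapper noting that dependency would help whoever debugs it.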
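--- a/src/charm.py
+++ b/src/charm.py
@@ -85,6 +85,9 @@ class BindK8sCharm(CharmBase):
  if config["custom_config_repo"].strip():
  pod_config["CUSTOM_CONFIG_REPO"] = config["custom_config_repo"]
 
+ if config["enable_rfc1918_recursion"]:
+ pod_config["ENABLE_RFC1918_RECURSION"] = 1
+
  if config["https_proxy"].strip():
  pod_config["http_proxy"] = config["https_proxy"]
  pod_config["https_proxy"] = config["https_proxy"]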
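Review bot: The new `if config["enable_rfc1918_recursion"]:` block needs a comment recording why the key is omitted when disabled rather than set to a false value: docker-wrapper.sh in this same change only tests whether `ENABLE_RFC1918_RECURSION` is non-empty, so exporting `0` or `False` would still turn recursion on. A line such as `# Leave the key unset when disabled; the wrapper treats any non-empty value as enabled.` above the assignment captures that contract for the next person who touches either side. The flag is also exported when `custom_config_repo` is set, where config.yaml says it is ignored; that is harmless but worth mentioning in the same comment. The enclosing method starts and ends outside the hunk.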
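--- a/tests/unit/test_charm.py
+++ b/tests/unit/test_charm.py
@@ -38,6 +38,17 @@ CONFIG_VALID = {
  'https_proxy': '',
 }
 
+CONFIG_VALID_WITHOUT_RECURSION = {
+ 'bind_image_path': 'example.com/bind:v1',
+ 'bind_image_username': '',
+ 'bind_image_password': '',
+ 'enable_rfc1918_recursion': False,
+ 'container_config': '',
+ 'container_secrets': '',
+ 'custom_config_repo': '',
+ 'https_proxy': '',
+}
+
 CONFIG_VALID_WITH_CREDS = {
  'bind_image_path': 'secure.example.com/bind:v1',
  'bind_image_username': 'test-user',
@@ -123,6 +134,26 @@ class TestBindK8s(unittest.TestCase):
  {'containerPort': 53, 'name': 'domain-tcp', 'protocol': 'TCP'},
  {'containerPort': 53, 'name': 'domain-udp', 'protocol': 'UDP'},
  ],
+ 'config': {'ENABLE_RFC1918_RECURSION': 1},
+ 'kubernetes': {'readinessProbe': {'exec': {'command': ['/usr/local/bin/dns-check.sh']}}},
+ }
+ ],
+ }
+ self.assertEqual(self.harness.charm.make_pod_spec(), expected)
+
+ def test_make_pod_spec_without_recursion(self):
+ """Confirm that we generate the expected pod spec from config disabling recursion."""
+ self.harness.update_config(CONFIG_VALID_WITHOUT_RECURSION)
+ expected = {
+ 'version': 2,
+ 'containers': [
+ {
+ 'name': 'bind-k8s',
+ 'imageDetails': {'imagePath': 'example.com/bind:v1'},
+ 'ports': [
+ {'containerPort': 53, 'name': 'domain-tcp', 'protocol': 'TCP'},
+ {'containerPort': 53, 'name': 'domain-udp', 'protocol': 'UDP'},
+ ],
  'config': {},
  'kubernetes': {'readinessProbe': {'exec': {'command': ['/usr/local/bin/dns-check.sh']}}},
  }
@@ -147,7 +178,7 @@ class TestBindK8s(unittest.TestCase):
  {'containerPort': 53, 'name': 'domain-tcp', 'protocol': 'TCP'},
  {'containerPort': 53, 'name': 'domain-udp', 'protocol': 'UDP'},
  ],
- 'config': {},
+ 'config': {'ENABLE_RFC1918_RECURSION': 1},
  'kubernetes': {'readinessProbe': {'exec': {'command': ['/usr/local/bin/dns-check.sh']}}},
  }
  ],
@@ -167,7 +198,10 @@ class TestBindK8s(unittest.TestCase):
  {'containerPort': 53, 'name': 'domain-tcp', 'protocol': 'TCP'},
  {'containerPort': 53, 'name': 'domain-udp', 'protocol': 'UDP'},
  ],
- 'config': {'magic_number': 123},
+ 'config': {
+ 'ENABLE_RFC1918_RECURSION': 1,
+ 'magic_number': 123,
+ },
  'kubernetes': {'readinessProbe': {'exec': {'command': ['/usr/local/bin/dns-check.sh']}}},
  }
  ],
@@ -187,7 +221,7 @@ class TestBindK8s(unittest.TestCase):
  {'containerPort': 53, 'name': 'domain-tcp', 'protocol': 'TCP'},
  {'containerPort': 53, 'name': 'domain-udp', 'protocol': 'UDP'},
  ],
- 'config': {'magic_number': 123, 'secret_password': 'xyzzy'},
+ 'config': {'ENABLE_RFC1918_RECURSION': 1, 'magic_number': 123, 'secret_password': 'xyzzy'},
  'kubernetes': {'readinessProbe': {'exec': {'command': ['/usr/local/bin/dns-check.sh']}}},
  }
  ],
@@ -209,6 +243,7 @@ class TestBindK8s(unittest.TestCase):
  ],
  'config': {
  'CUSTOM_CONFIG_REPO': 'https://git.example.com/example-bind-config.git',
+ 'ENABLE_RFC1918_RECURSION': 1,
  'http_proxy': 'http://webproxy.example.com:3128/',
  'https_proxy': 'http://webproxy.example.com:3128/',
  },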
