foundation/preflight/checks/dns.sh


#!/usr/bin/env bash
# -----------------------------------------------------------------------------
# checks/dns.sh — OPTIONAL / GATED: DNS resolution of the configured hosts.*.
# PLAN-002 §9.4: forge.olsitec.de (+ vault/s3) MUST resolve to the VM before
# TLS/handover — but NOT necessarily at scaffold time. So: if the host names
# are not configured in the Pulumi stack yet, SKIP with a WARNING. When they
# ARE configured, attempt resolution; a miss is a WARNING (DNS may not be set
# up this early), never a hard failure. This check never fails preflight alone.
# Note: only *resolvability* is checked here; that the answer is the VM's
# address (the actual §9.4 requirement) is not verified by this script.
# -----------------------------------------------------------------------------
set -euo pipefail
# Preflight root = parent of the checks/ directory this script lives in.
PF_DIR=$(cd "$(dirname "$0")/.." && pwd)
# shellcheck source=../lib/common.sh
. "$PF_DIR/lib/common.sh"
# The Pulumi bootstrap program is a sibling of the preflight tree; it is
# where `pulumi config get` must run from.
BOOTSTRAP_DIR="$(cd "$PF_DIR/.." && pwd)/bootstrap"
printf '%s\n' "[dns] (gated) DNS resolution of configured hosts.*"
# pf_pulumi_config <key> : print the stack value for <key>, or nothing at all
# when pulumi is not installed, the bootstrap dir is missing, or pulumi
# cannot return the key. Always exits 0; callers treat "" as "not configured".
pf_pulumi_config() {
  if ! pf_have pulumi; then
    printf ''
    return
  fi
  if [ ! -d "$BOOTSTRAP_DIR" ]; then
    printf ''
    return
  fi
  # Subshell so the cd does not leak; stderr dropped so an unset key is quiet.
  if ! ( cd "$BOOTSTRAP_DIR" 2>/dev/null && pulumi config get "$1" 2>/dev/null ); then
    printf ''
  fi
}
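# pf_resolve <name> : true if <name> resolves to at least one address.
# Tries the tools likely present on macOS/Linux without requiring any one;
# the first tool that reports an address wins.
# Caveat: this proves the name resolves to *something*, not that it resolves
# to the VM as PLAN-002 §9.4 ultimately requires — a stale or third-party
# record still counts as a hit here.
pf_resolve() {
  local n="$1" addrs
  # <name> comes from stack config, i.e. from anyone who can edit the stack.
  # Only accept a plain dotted host name (letters, digits, '-', '.'; no empty
  # or hyphen-edged labels; optional trailing dot) so that a value such as
  # "-x", or one containing whitespace, can never be parsed as an option or
  # as extra arguments by host/dig/nslookup. Anything else is simply a miss.
  case "$n" in
    ''|-*|.*|*..*|*.-*|*-.*|*-|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  [ "${#n}" -le 253 ] || return 1
  if pf_have getent; then
    getent hosts "$n" >/dev/null 2>&1 && return 0
  fi
  if pf_have dscacheutil; then
    dscacheutil -q host -a name "$n" 2>/dev/null | grep -q ip_address && return 0
  fi
  if pf_have host; then
    host "$n" >/dev/null 2>&1 && return 0
  fi
  if pf_have dig; then
    # +short also prints CNAME targets, so a dangling CNAME would look like a
    # hit if we only tested for non-empty output; accept address-shaped lines
    # only. Output is captured first (no pipeline) so pipefail/SIGPIPE cannot
    # skew the result. A and AAAA are both queried so a v6-only host counts.
    addrs=$({ dig +short A "$n"; dig +short AAAA "$n"; } 2>/dev/null || true)
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*$' <<<"$addrs" && return 0
  fi
  if pf_have nslookup; then
    # NOTE(review): nslookup's exit status is not consistent across builds
    # (some exit 0 on NXDOMAIN), which is why it sits behind the tools above.
    nslookup "$n" >/dev/null 2>&1 && return 0
  fi
  if pf_have python3; then
    # getaddrinfo rather than gethostbyname so AAAA-only names also count.
    python3 -c 'import socket,sys; socket.getaddrinfo(sys.argv[1], None)' "$n" >/dev/null 2>&1 && return 0
  fi
  return 1
}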
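# Gate: without a pulumi binary and a bootstrap dir there is no stack config
# to read hosts.* from — the expected state before Phase 0, so skip, not fail.
if ! pf_have pulumi || [ ! -d "$BOOTSTRAP_DIR" ]; then
  pf_warn "no pulumi stack config available yet -> SKIPPING dns resolution (expected pre-Phase-0)"
  pf_summary "dns"; exit $?
fi

configured=0
for key in foundation:hosts.forge foundation:hosts.vault foundation:hosts.s3; do
  name=$(pf_pulumi_config "$key")
  [ -n "$name" ] || continue
  configured=$((configured + 1))
  # Stack config is writable by anyone who can edit the stack. Sanity-check the
  # value before it reaches resolver tools or the log: a value starting with
  # '-' could be taken as an option, and whitespace/newlines would mangle both
  # the resolver command line and the log line. The raw value is deliberately
  # not echoed when rejected.
  case "$name" in
    *[!A-Za-z0-9.-]*|-*|.*|*..*)
      pf_warn "DNS: $key is not a plain host name (${#name} chars) -> skipping resolution of this value"
      continue ;;
  esac
  if pf_resolve "$name"; then
    # NOTE(review): "resolves" only proves the name has an address; PLAN-002
    # §9.4 requires it to resolve to *the VM*, which is not verified here.
    pf_pass "DNS: $name resolves"
  else
    pf_warn "DNS: $name does NOT resolve yet (required before TLS/handover, PLAN-002 §9.4) — not failing"
  fi
done
if [ "$configured" -eq 0 ]; then
  pf_warn "no hosts.* configured in stack yet -> SKIPPING dns resolution"
fi
pf_summary "dns"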