From 0a0ca77f3b092ac7995267219acd72b59009e3c9 Mon Sep 17 00:00:00 2001 From: Ian Wienand Date: Mon, 17 Apr 2023 16:27:56 +1000 Subject: [PATCH] dns: abstract names Switch the DNS testing names to "99" which helps disambiguate testing from production, and makes you think harder about ensuring references are abstracted properly. The LE zone gets installed on the hidden primary, so it should just use the inventory_hostname rather than hard-coding. Instead of hard-coding the secondaries, we grab them from the secondary DNS group. This should allow us to start up replacement DNS servers which will be inactive until they are enabled for the domain. This requires an update to the LE job, as it currently doesn't have a secondary nameserver as part of the nodes. This means the "adns-secondary" group is blank there. Even though this node isn't doing anything, I think it's worth adding to cover this path (I did consider some sort of dummy host add type thing, but that just makes things hard to follow). We also use the 99 suffix in that job just for consistency. Change-Id: I1a4be41b70180deab51a3cc8a2b3e83ffd0ff1dc --- .../inventory_plugins/test-fixtures/results.yaml | 4 ++-- .../templates/zone.db.j2 | 7 ++++--- testinfra/test_adns.py | 2 +- testinfra/test_ns.py | 2 +- zuul.d/system-config-run.yaml | 12 +++++++----- 5 files changed, 15 insertions(+), 12 deletions(-) diff --git a/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml b/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml index fa6babbb27..3929711e34 100644 --- a/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml +++ b/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml @@ -3,11 +3,11 @@ results: - adns1.opendev.org: + adns99.opendev.org: - adns - adns-primary - ns1.opendev.org: + ns99.opendev.org: - adns - adns-secondary 
diff --git a/playbooks/roles/letsencrypt-install-txt-record/templates/zone.db.j2 b/playbooks/roles/letsencrypt-install-txt-record/templates/zone.db.j2
index 168e711636..9bf4aba751 100644
--- a/playbooks/roles/letsencrypt-install-txt-record/templates/zone.db.j2
+++ b/playbooks/roles/letsencrypt-install-txt-record/templates/zone.db.j2
@@ -1,14 +1,15 @@
 ; -*- mode: zone -*-
 $ORIGIN acme.opendev.org.
 $TTL 1m
-@ IN SOA adns1.opendev.org. hostmaster.opendev.org. (
+@ IN SOA {{ inventory_hostname }}. hostmaster.opendev.org. (
 {{ lookup('pipe', 'date +%s') }} ; serial number unixtime
 1h ; refresh (secondary checks for updates)
 10m ; retry (secondary retries failed axfr)
 10d ; expire (secondary ends serving old data)
 5m ) ; min ttl (cache time for failed lookups)
-@ IN NS ns1.opendev.org.
-@ IN NS ns2.opendev.org.
+{% for ns in groups['adns-secondary'] %}
+@ IN NS {{ ns }}.
+{% endfor %}
 ; NOTE: DO NOT HAND EDIT. THESE KEYS ARE MANAGED BY ANSIBLE
diff --git a/testinfra/test_adns.py b/testinfra/test_adns.py
index dfd9db5684..c9405a977c 100644
--- a/testinfra/test_adns.py
+++ b/testinfra/test_adns.py
@@ -13,7 +13,7 @@
 # under the License.
-testinfra_hosts = ['adns1.opendev.org']
+testinfra_hosts = ['adns99.opendev.org']
 def test_bind(host):
diff --git a/testinfra/test_ns.py b/testinfra/test_ns.py
index 09303d63c0..82fbfff8a3 100644
--- a/testinfra/test_ns.py
+++ b/testinfra/test_ns.py
@@ -13,7 +13,7 @@
 # under the License.
-testinfra_hosts = ['ns1.opendev.org']
+testinfra_hosts = ['ns99.opendev.org']
 def test_nsd(host):
diff --git a/zuul.d/system-config-run.yaml b/zuul.d/system-config-run.yaml
index 104d5388c5..4e074e18b0 100644
--- a/zuul.d/system-config-run.yaml
+++ b/zuul.d/system-config-run.yaml
@@ -225,7 +225,7 @@
 name: system-config-run-letsencrypt
 parent: system-config-run
 description: |
- Run the playbook for letsencrypt key acquisition.
+ Run the playbook for letsencrypt key acquisition
 nodeset:
 nodes:
 - <<: *bridge_node_x86
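Review bot: The new `{% for ns in groups['adns-secondary'] %}` loop renders nothing when the group is empty or missing, and BIND refuses to load a zone with no NS records at the apex, so a mis-grouped inventory would silently break DNS-01 validation for every LE renewal instead of failing the play. Guard it in the role before the template task, e.g. `- assert: { that: groups['adns-secondary'] | default([]) | length > 0, fail_msg: 'adns-secondary is empty; acme zone would have no NS records' }`, and iterate `groups['adns-secondary'] | sort` so the rendered NS set does not reorder between runs. Note also that every host placed in `adns-secondary` is advertised as authoritative for the ACME zone as soon as it is in inventory, so a replacement secondary that is not yet allowed to transfer or serve this zone becomes a lame NS that resolvers (and the CA's validator) may hit; a comment above the loop such as `; every adns-secondary member is published as NS for this zone, so the group must contain only hosts already serving it` would make that contract explicit. Both `{{ inventory_hostname }}.` and `{{ ns }}.` assume inventory names are FQDNs, which the test fixture suggests but nothing here checks.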
@@ -237,7 +237,9 @@ # it will populate to the test DNS servers. LE won't actually # authenticate those records, but we are validating the path # of at least creating and collecting them here. - - name: adns-letsencrypt.opendev.org + - name: adns99.opendev.org + label: ubuntu-jammy + - name: ns99.opendev.org label: ubuntu-jammy - name: letsencrypt01.opendev.org label: ubuntu-jammy @@ -432,9 +434,9 @@ nodeset: nodes: - <<: *bridge_node_x86 - - name: adns1.opendev.org + - name: adns99.opendev.org label: ubuntu-jammy - - name: ns1.opendev.org + - name: ns99.opendev.org label: ubuntu-jammy groups: - <<: *bastion_group @@ -442,7 +444,7 @@ run_playbooks: - playbooks/service-nameserver.yaml host-vars: - adns1.opendev.org: + adns99.opendev.org: host_copy_output: '/etc/bind/named.conf': logs '/var/lib/bind/zones': logs
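Review bot: Adding `ns99.opendev.org` to the nodeset only exercises the new `groups['adns-secondary']` path if the job's group mapping (outside this hunk) actually places that node in `adns-secondary`; the commit message says the group was blank before, but nothing in the job asserts it is populated now, so a regression in the group plugin would simply render an acme zone with no NS records and the job would still pass. Since the node is otherwise idle, a cheap testinfra assertion that the rendered acme zone collected from adns99 contains `IN NS ns99.opendev.org.` would prove the path this node exists to cover. The comment block above the node list explains the adns host but not why a secondary is present; a line like `# ns99 is only here so the adns-secondary group is non-empty and the NS records render.` would save the next reader from removing it.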