Merge "Refactor adns variables"

Zuul 2023-04-13 02:31:48 +00:00 committed by Gerrit Code Review
commit 4a101da52a
14 changed files with 65 additions and 51 deletions


@ -6,18 +6,27 @@ DNS
### ###
The project runs authoritative DNS servers for any constituent The project runs authoritative DNS servers for any constituent
projects that wish to use them. The servers run Bind on a hidden projects that wish to use them.
master which handles automatic DNSSEC zone signing while the public
authoritative servers run NSD. Bind is run on a hidden master (`adns01.opendev.org`) which handles
automatic DNSSEC zone signing. Any changes to the zone files are
deployed here.
Secondary public authoritative servers run NSD and take zone transfers
from the hidden primary. These are published in the NS records for
the managed zones.
At a Glance At a Glance
=========== ===========
:Hosts: :Hosts:
* adns01.opendev.org
* ns1.opendev.org * ns1.opendev.org
* ns2.opendev.org * ns2.opendev.org
:Ansible: :Ansible:
* :git_file:`inventory/service/group_vars/dns.yaml` * :git_file:`inventory/service/group_vars/adns.yaml`
* :git_file:`inventory/service/group_vars/adns-primary.yaml`
* :git_file:`inventory/service/group_vars/adns-secondary.yaml`
:Projects: :Projects:
* https://www.nlnetlabs.nl/projects/nsd/ * https://www.nlnetlabs.nl/projects/nsd/
* https://www.isc.org/downloads/bind/doc/ * https://www.isc.org/downloads/bind/doc/


@ -0,0 +1,17 @@
dns_repos:
- name: zone-opendev.org
url: https://opendev.org/opendev/zone-opendev.org
- name: zone-zuul-ci.org
url: https://opendev.org/opendev/zone-zuul-ci.org
- name: zone-gating.dev
url: https://opendev.org/opendev/zone-gating.dev
dns_notify:
- 104.239.140.165
- 162.253.55.16
iptables_extra_allowed_hosts:
- protocol: tcp
port: 53
hostname: ns1.opendev.org
- protocol: tcp
port: 53
hostname: ns2.opendev.org
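Review bot: The tcp/53 exceptions for ns1 and ns2 in `iptables_extra_allowed_hosts` and the two literal addresses in `dns_notify` describe the same peers in two different forms, and nothing in the file ties them together, so a host change in one list will silently leave the other stale. Assuming the two addresses are those of ns1 and ns2 (confirm), a comment above `dns_notify` would make the dependency explicit: `# NOTIFY targets are the adns-secondary hosts; keep in step with iptables_extra_allowed_hosts below`. The file's path is not shown on this page; from its contents it reads as the new group_vars file for the adns-primary group.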


@ -1,17 +1,12 @@
dns_repos: dns_zones:
- name: zone-opendev.org - name: gating.dev
url: https://opendev.org/opendev/zone-opendev.org source: zone-gating.dev/zones/gating.dev/
- name: zone-zuul-ci.org - name: opendev.org
url: https://opendev.org/opendev/zone-zuul-ci.org source: zone-opendev.org/zones/opendev.org/
- name: zone-gating.dev - name: acme.opendev.org
url: https://opendev.org/opendev/zone-gating.dev source: zone-opendev.org/zones/acme.opendev.org/
dns_notify: unmanaged: True
- 104.239.140.165 - name: zuul-ci.org
- 162.253.55.16 source: zone-zuul-ci.org/zones/zuul-ci.org/
iptables_extra_allowed_hosts: - name: zuulci.org
- protocol: tcp source: zone-zuul-ci.org/zones/zuulci.org/
port: 53
hostname: ns1.opendev.org
- protocol: tcp
port: 53
hostname: ns2.opendev.org
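Review bot: `unmanaged: True` on the acme.opendev.org entry uses the capitalised YAML 1.1 spelling, which yamllint's truthy rule rejects and which not every parser reads as a boolean; write `unmanaged: true`. Since the inventory change in this commit makes the adns group span both adns*.opendev.org and ns*.opendev.org, this file's `dns_zones` is now consumed by the primary and the secondaries alike. A header comment stating that would save the next reader a trip to the inventory: `# Shared by adns-primary and adns-secondary (both are members of the adns group)`.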


@ -1,12 +0,0 @@
dns_zones:
- name: gating.dev
source: zone-gating.dev/zones/gating.dev/
- name: opendev.org
source: zone-opendev.org/zones/opendev.org/
- name: acme.opendev.org
source: zone-opendev.org/zones/acme.opendev.org/
unmanaged: True
- name: zuul-ci.org
source: zone-zuul-ci.org/zones/zuul-ci.org/
- name: zuulci.org
source: zone-zuul-ci.org/zones/zuulci.org/


@ -1,6 +1,10 @@
plugin: yamlgroup plugin: yamlgroup
groups: groups:
adns: adns*.open*.org adns:
- adns*.opendev.org
- ns*.opendev.org
adns-primary: adns*.opendev.org
adns-secondary: ns*.opendev.org
afs-server-common: afs-server-common:
- afs[0-9]*.openstack.org - afs[0-9]*.openstack.org
- afsdb[0-9]*.openstack.org - afsdb[0-9]*.openstack.org
@ -51,9 +55,6 @@ groups:
control-plane-clouds: control-plane-clouds:
- bridge*.open*.org - bridge*.open*.org
disabled: [] disabled: []
dns:
- adns*.opendev.org
- ns*.opendev.org
eavesdrop: eavesdrop[0-9]*.opendev.org eavesdrop: eavesdrop[0-9]*.opendev.org
etherpad: etherpad[0-9]*.opendev.org etherpad: etherpad[0-9]*.opendev.org
gitea: gitea:
@ -123,8 +124,6 @@ groups:
- nb[0-9]*.opendev.org - nb[0-9]*.opendev.org
nodepool-launcher: nodepool-launcher:
- nl[0-9]*.open*.org - nl[0-9]*.open*.org
ns:
- ns[0-9]*.open*.org
paste: paste:
- paste[0-9]*.opendev.org - paste[0-9]*.opendev.org
puppet: puppet:
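Review bot: `adns` is now written out as the union of the `adns-primary` and `adns-secondary` patterns, so the same globs appear twice in the first hunk with nothing marking that they must agree, and editing one without the other leaves the groups silently disagreeing. A comment above `adns:` would at least state the invariant: `# adns = adns-primary + adns-secondary; keep the patterns below in sync`. Note also that `ns*.opendev.org` differs from the removed `ns[0-9]*.open*.org` in both directions (any ns-prefixed name, but opendev.org only); the testinfra fixture in this commit only covers ns1.opendev.org, so that narrowing is presumably intended — confirm.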


@ -9,7 +9,7 @@
roles: roles:
- letsencrypt-acme-sh-install - letsencrypt-acme-sh-install
- letsencrypt-request-certs - letsencrypt-request-certs
- hosts: "adns:!disabled" - hosts: "adns-primary:!disabled"
name: "Install txt records" name: "Install txt records"
roles: roles:
- letsencrypt-install-txt-record - letsencrypt-install-txt-record


@ -5,7 +5,11 @@ results:
adns1.opendev.org: adns1.opendev.org:
- adns - adns
- dns - adns-primary
ns1.opendev.org:
- adns
- adns-secondary
afs01.dfw.openstack.org: afs01.dfw.openstack.org:
- afs-server-common - afs-server-common
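Review bot: This fixture names the hidden primary `adns1.opendev.org`, while the documentation change in the same commit lists the host as `adns01.opendev.org`; one of the two is presumably a synthetic test name or a typo — confirm which, since the docs are what operators will read. If `adns1` is deliberately synthetic, a one-line comment in the fixture saying so would stop the next reader from raising the same question.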


@ -1,11 +1,11 @@
- hosts: adns:!disabled - hosts: adns-primary:!disabled
name: "Base: configure adns server" name: "Base: configure primary authoritative nameserver"
roles: roles:
- iptables - iptables
- master-nameserver - master-nameserver
- hosts: "ns1.opendev.org:ns2.opendev.org:!disabled" - hosts: "adns-secondary:!disabled"
name: "Base: configure authoritative nameservers" name: "Base: configure secondary authoritative nameservers"
roles: roles:
- iptables - iptables
- nameserver - nameserver
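Review bot: The first play's host pattern is unquoted (`- hosts: adns-primary:!disabled`) while the second is quoted (`- hosts: "adns-secondary:!disabled"`), and the letsencrypt playbook touched by this commit quotes its pattern as well. The plain form parses today only because the `:` is followed by `!` rather than a space. Quote both for consistency: `- hosts: "adns-primary:!disabled"`.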


@ -114,11 +114,11 @@
dest: "/etc/ansible/hosts/{{ item }}" dest: "/etc/ansible/hosts/{{ item }}"
loop: loop:
- group_vars/all.yaml - group_vars/all.yaml
- group_vars/adns.yaml - group_vars/adns-primary.yaml
- group_vars/adns-secondary.yaml
- group_vars/bastion.yaml - group_vars/bastion.yaml
- group_vars/eavesdrop.yaml - group_vars/eavesdrop.yaml
- group_vars/nodepool.yaml - group_vars/nodepool.yaml
- group_vars/ns.yaml
- group_vars/registry.yaml - group_vars/registry.yaml
- group_vars/gitea.yaml - group_vars/gitea.yaml
- group_vars/gitea-lb.yaml - group_vars/gitea-lb.yaml
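Review bot: `group_vars/adns.yaml` drops out of this loop (its slot is taken by `adns-primary.yaml`), yet the file still exists and, per this commit, now carries the shared `dns_zones`. If this loop is what places group_vars on the bridge, the primary and secondaries would lose their zone list there; if it only mirrors the test-environment templates (the zuul file list in this commit renames `adns.yaml.j2`/`ns.yaml.j2` to `adns-primary.yaml.j2`/`adns-secondary.yaml.j2`, which suggests that), the change is consistent — confirm which. A comment on `loop:` naming the source would settle it for the next reader, e.g. `# one entry per templated group_vars file under playbooks/zuul/templates/group_vars/`. The task that owns this loop starts outside the hunk.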


@ -152,7 +152,8 @@
- inventory/base - inventory/base
- playbooks/service-nameserver.yaml - playbooks/service-nameserver.yaml
- inventory/service/group_vars/adns.yaml - inventory/service/group_vars/adns.yaml
- inventory/service/group_vars/ns.yaml - inventory/service/group_vars/adns-primary.yaml
- inventory/service/group_vars/adns-secondary.yaml
- playbooks/roles/master-nameserver/ - playbooks/roles/master-nameserver/
- playbooks/roles/nameserver/ - playbooks/roles/nameserver/
- playbooks/roles/iptables/ - playbooks/roles/iptables/


@ -440,10 +440,11 @@
'/var/lib/bind/zones': logs '/var/lib/bind/zones': logs
files: files:
- playbooks/bootstrap-bridge.yaml - playbooks/bootstrap-bridge.yaml
- inventory/service/group_vars/adns-primary.yaml
- inventory/service/group_vars/adns-secondary.yaml
- inventory/service/group_vars/adns.yaml - inventory/service/group_vars/adns.yaml
- inventory/service/group_vars/dns.yaml - playbooks/zuul/templates/group_vars/adns-primary.yaml.j2
- playbooks/zuul/templates/group_vars/adns.yaml.j2 - playbooks/zuul/templates/group_vars/adns-secondary.yaml.j2
- playbooks/zuul/templates/group_vars/ns.yaml.j2
- playbooks/roles/master-nameserver/ - playbooks/roles/master-nameserver/
- playbooks/roles/nameserver/ - playbooks/roles/nameserver/
- testinfra/test_adns.py - testinfra/test_adns.py