From b0d27692dee1c467073389f46ef260745baf0c66 Mon Sep 17 00:00:00 2001 
From: Ian Wienand Date: Thu, 9 Mar 2023 15:01:45 +1100 Subject: [PATCH] Refactor adns variables Firstly, my understanding of "adns" is that it's short for authoritative-dns; i.e. things related to our main non-recursive DNS servers for the zones we manage. The "a" is useful to distinguish this from any sort of other dns services we might run for CI, etc. The way we do this is with a "hidden" server that applies updates from config management, which then notifies secondary public servers which do a zone transfer from the primary. They're all "authoritative" in the sense they're not for general recursive queries. As mentioned in Ibd8063e92ad7ff9ee683dcc7dfcc115a0b19dcaa, we currently have 3 groups adns : the hidden primary bind server ns : the secondary public authoritative servers dns : both of the above This proposes a refactor into the following 3 groups adns-primary : hidden primary bind server adns-secondary : the secondary public authoritative servers adns : both of the above This is meant to be a no-op; I just feel like this makes it a bit clearer as to the "lay of the land" with these servers. It will need some consideration of the hiera variables on bridge if we merge. 
Change-Id: I9ffef52f27bd23ceeec07fe0f45f9fee08b5559a
---
 doc/source/dns.rst | 17 ++++++++---
 .../service/group_vars/adns-primary.yaml | 17 +++++++++++
 .../{ns.yaml => adns-secondary.yaml} | 0
 inventory/service/group_vars/adns.yaml | 29 ++++++++-----------
 inventory/service/group_vars/dns.yaml | 12 --------
 inventory/service/groups.yaml | 11 ++++---
 playbooks/letsencrypt.yaml | 2 +-
 .../test-fixtures/results.yaml | 6 +++-
 playbooks/service-nameserver.yaml | 8 ++---
 playbooks/zuul/run-base.yaml | 4 +--
 .../{adns.yaml.j2 => adns-primary.yaml.j2} | 0
 .../{ns.yaml.j2 => adns-secondary.yaml.j2} | 0
 zuul.d/infra-prod.yaml | 3 +-
 zuul.d/system-config-run.yaml | 7 +++--
 14 files changed, 65 insertions(+), 51 deletions(-)
 create mode 100644 inventory/service/group_vars/adns-primary.yaml
 rename inventory/service/group_vars/{ns.yaml => adns-secondary.yaml} (100%)
 delete mode 100644 inventory/service/group_vars/dns.yaml
 rename playbooks/zuul/templates/group_vars/{adns.yaml.j2 => adns-primary.yaml.j2} (100%)
 rename playbooks/zuul/templates/group_vars/{ns.yaml.j2 => adns-secondary.yaml.j2} (100%)
diff --git a/doc/source/dns.rst b/doc/source/dns.rst
index 4427523144..23be238633 100644
--- a/doc/source/dns.rst
+++ b/doc/source/dns.rst
@@ -6,18 +6,27 @@ DNS
 ###
 The project runs authoritative DNS servers for any constituent
-projects that wish to use them. The servers run Bind on a hidden
-master which handles automatic DNSSEC zone signing while the public
-authoritative servers run NSD.
+projects that wish to use them.
+
+Bind is run on a hidden master (`adns01.opendev.org`) which handles
+automatic DNSSEC zone signing. Any changes to the zone files are
+deployed here.
+
+Secondary public authoritative servers run NSD and take zone transfers
+from the hidden primary. These are published in the NS records for
+the managed zones.
 At a Glance
 ===========
 :Hosts:
+ * adns01.opendev.org
 * ns1.opendev.org
 * ns2.opendev.org
 :Ansible:
- * :git_file:`inventory/service/group_vars/dns.yaml`
+ * :git_file:`inventory/service/group_vars/adns.yaml`
+ * :git_file:`inventory/service/group_vars/adns-primary.yaml`
+ * :git_file:`inventory/service/group_vars/adns-secondary.yaml`
 :Projects:
 * https://www.nlnetlabs.nl/projects/nsd/
 * https://www.isc.org/downloads/bind/doc/
diff --git a/inventory/service/group_vars/adns-primary.yaml b/inventory/service/group_vars/adns-primary.yaml
new file mode 100644
index 0000000000..a6c401a82c
--- /dev/null
+++ b/inventory/service/group_vars/adns-primary.yaml
@@ -0,0 +1,17 @@
+dns_repos:
+ - name: zone-opendev.org
+ url: https://opendev.org/opendev/zone-opendev.org
+ - name: zone-zuul-ci.org
+ url: https://opendev.org/opendev/zone-zuul-ci.org
+ - name: zone-gating.dev
+ url: https://opendev.org/opendev/zone-gating.dev
+dns_notify:
+ - 104.239.140.165
+ - 162.253.55.16
+iptables_extra_allowed_hosts:
+ - protocol: tcp
+ port: 53
+ hostname: ns1.opendev.org
+ - protocol: tcp
+ port: 53
+ hostname: ns2.opendev.org
diff --git a/inventory/service/group_vars/ns.yaml b/inventory/service/group_vars/adns-secondary.yaml
similarity index 100%
rename from inventory/service/group_vars/ns.yaml
rename to inventory/service/group_vars/adns-secondary.yaml
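Review bot: In adns-primary.yaml the secondaries are now described three times with nothing tying the copies together: `dns_notify` as bare IPv4 addresses, `iptables_extra_allowed_hosts` as `ns1.opendev.org`/`ns2.opendev.org` (presumably the same two hosts), and the new `adns-secondary` glob in groups.yaml. The file is a verbatim move out of adns.yaml, so the duplication is pre-existing, but now that a named group exists for the secondaries a comment above `dns_notify` would stop the lists drifting: `# Secondaries (adns-secondary group): NOTIFY targets and the hosts allowed TCP/53 for zone transfers; keep in sync with groups.yaml and the published NS records.` If the ns hosts also have AAAA records (not visible here), whether the hostname-based allow rule also covers IPv6 transfers depends on how the iptables role resolves `hostname`, which is worth confirming.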
diff --git a/inventory/service/group_vars/adns.yaml b/inventory/service/group_vars/adns.yaml
index a6c401a82c..27e0cdf358 100644
--- a/inventory/service/group_vars/adns.yaml
+++ b/inventory/service/group_vars/adns.yaml
@@ -1,17 +1,12 @@
-dns_repos:
- - name: zone-opendev.org
- url: https://opendev.org/opendev/zone-opendev.org
- - name: zone-zuul-ci.org
- url: https://opendev.org/opendev/zone-zuul-ci.org
- - name: zone-gating.dev
- url: https://opendev.org/opendev/zone-gating.dev
-dns_notify:
- - 104.239.140.165
- - 162.253.55.16
-iptables_extra_allowed_hosts:
- - protocol: tcp
- port: 53
- hostname: ns1.opendev.org
- - protocol: tcp
- port: 53
- hostname: ns2.opendev.org
+dns_zones:
+ - name: gating.dev
+ source: zone-gating.dev/zones/gating.dev/
+ - name: opendev.org
+ source: zone-opendev.org/zones/opendev.org/
+ - name: acme.opendev.org
+ source: zone-opendev.org/zones/acme.opendev.org/
+ unmanaged: True
+ - name: zuul-ci.org
+ source: zone-zuul-ci.org/zones/zuul-ci.org/
+ - name: zuulci.org
+ source: zone-zuul-ci.org/zones/zuulci.org/
diff --git a/inventory/service/group_vars/dns.yaml b/inventory/service/group_vars/dns.yaml
deleted file mode 100644
index 27e0cdf358..0000000000
--- a/inventory/service/group_vars/dns.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-dns_zones:
- - name: gating.dev
- source: zone-gating.dev/zones/gating.dev/
- - name: opendev.org
- source: zone-opendev.org/zones/opendev.org/
- - name: acme.opendev.org
- source: zone-opendev.org/zones/acme.opendev.org/
- unmanaged: True
- - name: zuul-ci.org
- source: zone-zuul-ci.org/zones/zuul-ci.org/
- - name: zuulci.org
- source: zone-zuul-ci.org/zones/zuulci.org/
diff --git a/inventory/service/groups.yaml b/inventory/service/groups.yaml
index c94cf958e2..352f2b706c 100644
--- a/inventory/service/groups.yaml
+++ b/inventory/service/groups.yaml
@@ -1,6 +1,10 @@
 plugin: yamlgroup
 groups:
- adns: adns*.open*.org
+ adns:
+ - adns*.opendev.org
+ - ns*.opendev.org
+ adns-primary: adns*.opendev.org
+ adns-secondary: ns*.opendev.org
 afs-server-common:
 - afs[0-9]*.openstack.org
 - afsdb[0-9]*.openstack.org
@@ -51,9 +55,6 @@ groups:
 control-plane-clouds:
 - bridge*.open*.org
 disabled: []
- dns:
- - adns*.opendev.org
- - ns*.opendev.org
 eavesdrop: eavesdrop[0-9]*.opendev.org
 etherpad: etherpad[0-9]*.open*.org
 gitea:
@@ -123,8 +124,6 @@ groups:
 - nb[0-9]*.opendev.org
 nodepool-launcher:
 - nl[0-9]*.open*.org
- ns:
- - ns[0-9]*.open*.org
 paste:
 - paste[0-9]*.opendev.org
 puppet:
diff --git a/playbooks/letsencrypt.yaml b/playbooks/letsencrypt.yaml
index a002728603..f6633323ca 100644
--- a/playbooks/letsencrypt.yaml
+++ b/playbooks/letsencrypt.yaml
@@ -9,7 +9,7 @@ roles:
 - letsencrypt-acme-sh-install
 - letsencrypt-request-certs
-- hosts: "adns:!disabled"
+- hosts: "adns-primary:!disabled"
 name: "Install txt records"
 roles:
 - letsencrypt-install-txt-record
diff --git a/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml b/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
index 88bc092886..fa6babbb27 100644
--- a/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
+++ b/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
@@ -5,7 +5,11 @@
 results:
 adns1.opendev.org:
 - adns
- - dns
+ - adns-primary
+
+ ns1.opendev.org:
+ - adns
+ - adns-secondary
 afs01.dfw.openstack.org:
 - afs-server-common
diff --git a/playbooks/service-nameserver.yaml b/playbooks/service-nameserver.yaml
index 508dc93a8f..fbc1ae0a53 100644
--- a/playbooks/service-nameserver.yaml
+++ b/playbooks/service-nameserver.yaml
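Review bot: The replacement group selectors in groups.yaml are not the same patterns as the ones they replace, so this is not quite the no-op the message claims: `adns: adns*.open*.org` becomes `adns-primary: adns*.opendev.org` and `ns: ns[0-9]*.open*.org` becomes `adns-secondary: ns*.opendev.org`, which drops any `*.openstack.org` nameserver and admits an `ns` host without a digit. The same widening is visible in playbooks/service-nameserver.yaml, where the explicit `"ns1.opendev.org:ns2.opendev.org:!disabled"` host list becomes the glob-backed `adns-secondary`, so a future `ns*.opendev.org` inventory entry would be configured as a public secondary (firewall and NSD) simply by existing. Reusing the existing `adns` name for the union also silently widens any consumer of that group not touched in this change (for instance whatever testinfra/test_adns.py selects, which is listed as a trigger file but not modified). Either carry the old globs over into the new groups (`adns*.open*.org` and `ns[0-9]*.open*.org`) or state the narrowing in the commit message, and add a comment above the union: `# adns: every authoritative DNS host; adns-primary / adns-secondary split them by role`.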
@@ -1,11 +1,11 @@
-- hosts: adns:!disabled
- name: "Base: configure adns server"
+- hosts: adns-primary:!disabled
+ name: "Base: configure primary authoritative nameserver"
 roles:
 - iptables
 - master-nameserver
-- hosts: "ns1.opendev.org:ns2.opendev.org:!disabled"
- name: "Base: configure authoritative nameservers"
+- hosts: "adns-secondary:!disabled"
+ name: "Base: configure secondary authoritative nameservers"
 roles:
 - iptables
 - nameserver
diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml
index 808a3450bb..a23c493568 100644
--- a/playbooks/zuul/run-base.yaml
+++ b/playbooks/zuul/run-base.yaml
@@ -114,11 +114,11 @@
 dest: "/etc/ansible/hosts/{{ item }}"
 loop:
 - group_vars/all.yaml
- - group_vars/adns.yaml
+ - group_vars/adns-primary.yaml
+ - group_vars/adns-secondary.yaml
 - group_vars/bastion.yaml
 - group_vars/eavesdrop.yaml
 - group_vars/nodepool.yaml
- - group_vars/ns.yaml
 - group_vars/registry.yaml
 - group_vars/gitea.yaml
 - group_vars/gitea-lb.yaml
diff --git a/playbooks/zuul/templates/group_vars/adns.yaml.j2 b/playbooks/zuul/templates/group_vars/adns-primary.yaml.j2
similarity index 100%
rename from playbooks/zuul/templates/group_vars/adns.yaml.j2
rename to playbooks/zuul/templates/group_vars/adns-primary.yaml.j2
diff --git a/playbooks/zuul/templates/group_vars/ns.yaml.j2 b/playbooks/zuul/templates/group_vars/adns-secondary.yaml.j2
similarity index 100%
rename from playbooks/zuul/templates/group_vars/ns.yaml.j2
rename to playbooks/zuul/templates/group_vars/adns-secondary.yaml.j2
diff --git a/zuul.d/infra-prod.yaml b/zuul.d/infra-prod.yaml
index 287e884b53..fef8d46455 100644
--- a/zuul.d/infra-prod.yaml
+++ b/zuul.d/infra-prod.yaml
@@ -152,7 +152,8 @@
 - inventory/base
 - playbooks/service-nameserver.yaml
 - inventory/service/group_vars/adns.yaml
- - inventory/service/group_vars/ns.yaml
+ - inventory/service/group_vars/adns-primary.yaml
+ - inventory/service/group_vars/adns-secondary.yaml
 - playbooks/roles/master-nameserver/
 - playbooks/roles/nameserver/
 - playbooks/roles/iptables/
diff --git a/zuul.d/system-config-run.yaml b/zuul.d/system-config-run.yaml
index 40ea4bb269..23ee4b5111 100644
--- a/zuul.d/system-config-run.yaml
+++ b/zuul.d/system-config-run.yaml
@@ -440,10 +440,11 @@
 '/var/lib/bind/zones': logs
 files:
 - playbooks/bootstrap-bridge.yaml
+ - inventory/service/group_vars/adns-primary.yaml
+ - inventory/service/group_vars/adns-secondary.yaml
 - inventory/service/group_vars/adns.yaml
- - inventory/service/group_vars/dns.yaml
- - playbooks/zuul/templates/group_vars/adns.yaml.j2
- - playbooks/zuul/templates/group_vars/ns.yaml.j2
+ - playbooks/zuul/templates/group_vars/adns-primary.yaml.j2
+ - playbooks/zuul/templates/group_vars/adns-secondary.yaml.j2
 - playbooks/roles/master-nameserver/
 - playbooks/roles/nameserver/
 - testinfra/test_adns.py