Refactor adns variables
Firstly, my understanding of "adns" is that it's short for authoritative-dns; i.e. things related to our main non-recursive DNS servers for the zones we manage. The "a" is useful to distinguish this from any sort of other dns services we might run for CI, etc. The way we do this is with a "hidden" server that applies updates from config management, which then notifies secondary public servers which do a zone transfer from the primary. They're all "authoritative" in the sense they're not for general recursive queries. As mentioned in Ibd8063e92ad7ff9ee683dcc7dfcc115a0b19dcaa, we currently have 3 groups adns : the hidden primary bind server ns : the secondary public authoratitive servers dns : both of the above This proposes a refactor into the following 3 groups adns-primary : hidden primary bind server adns-secondary : the secondary public authoritative servers adns : both of the above This is meant to be a no-op; I just feel like this makes it a bit clearer as to the "lay of the land" with these servers. It will need some considering of the hiera variables on bridge if we merge. Change-Id: I9ffef52f27bd23ceeec07fe0f45f9fee08b5559a
This commit is contained in:
parent
7922eae159
commit
b0d27692de
@ -6,18 +6,27 @@ DNS
|
|||||||
###
|
###
|
||||||
|
|
||||||
The project runs authoritative DNS servers for any constituent
|
The project runs authoritative DNS servers for any constituent
|
||||||
projects that wish to use them. The servers run Bind on a hidden
|
projects that wish to use them.
|
||||||
master which handles automatic DNSSEC zone signing while the public
|
|
||||||
authoritative servers run NSD.
|
Bind is run on a hidden master (`adns01.opendev.org`) which handles
|
||||||
|
automatic DNSSEC zone signing. Any changes to the zone files are
|
||||||
|
deployed here.
|
||||||
|
|
||||||
|
Secondary public authoritative servers run NSD and take zone transfers
|
||||||
|
from the hidden primary. These are published in the NS records for
|
||||||
|
the managed zones.
|
||||||
|
|
||||||
At a Glance
|
At a Glance
|
||||||
===========
|
===========
|
||||||
|
|
||||||
:Hosts:
|
:Hosts:
|
||||||
|
* adns01.opendev.org
|
||||||
* ns1.opendev.org
|
* ns1.opendev.org
|
||||||
* ns2.opendev.org
|
* ns2.opendev.org
|
||||||
:Ansible:
|
:Ansible:
|
||||||
* :git_file:`inventory/service/group_vars/dns.yaml`
|
* :git_file:`inventory/service/group_vars/adns.yaml`
|
||||||
|
* :git_file:`inventory/service/group_vars/adns-primary.yaml`
|
||||||
|
* :git_file:`inventory/service/group_vars/adns-secondary.yaml`
|
||||||
:Projects:
|
:Projects:
|
||||||
* https://www.nlnetlabs.nl/projects/nsd/
|
* https://www.nlnetlabs.nl/projects/nsd/
|
||||||
* https://www.isc.org/downloads/bind/doc/
|
* https://www.isc.org/downloads/bind/doc/
|
||||||
|
17
inventory/service/group_vars/adns-primary.yaml
Normal file
17
inventory/service/group_vars/adns-primary.yaml
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
dns_repos:
|
||||||
|
- name: zone-opendev.org
|
||||||
|
url: https://opendev.org/opendev/zone-opendev.org
|
||||||
|
- name: zone-zuul-ci.org
|
||||||
|
url: https://opendev.org/opendev/zone-zuul-ci.org
|
||||||
|
- name: zone-gating.dev
|
||||||
|
url: https://opendev.org/opendev/zone-gating.dev
|
||||||
|
dns_notify:
|
||||||
|
- 104.239.140.165
|
||||||
|
- 162.253.55.16
|
||||||
|
iptables_extra_allowed_hosts:
|
||||||
|
- protocol: tcp
|
||||||
|
port: 53
|
||||||
|
hostname: ns1.opendev.org
|
||||||
|
- protocol: tcp
|
||||||
|
port: 53
|
||||||
|
hostname: ns2.opendev.org
|
@ -1,17 +1,12 @@
|
|||||||
dns_repos:
|
dns_zones:
|
||||||
- name: zone-opendev.org
|
- name: gating.dev
|
||||||
url: https://opendev.org/opendev/zone-opendev.org
|
source: zone-gating.dev/zones/gating.dev/
|
||||||
- name: zone-zuul-ci.org
|
- name: opendev.org
|
||||||
url: https://opendev.org/opendev/zone-zuul-ci.org
|
source: zone-opendev.org/zones/opendev.org/
|
||||||
- name: zone-gating.dev
|
- name: acme.opendev.org
|
||||||
url: https://opendev.org/opendev/zone-gating.dev
|
source: zone-opendev.org/zones/acme.opendev.org/
|
||||||
dns_notify:
|
unmanaged: True
|
||||||
- 104.239.140.165
|
- name: zuul-ci.org
|
||||||
- 162.253.55.16
|
source: zone-zuul-ci.org/zones/zuul-ci.org/
|
||||||
iptables_extra_allowed_hosts:
|
- name: zuulci.org
|
||||||
- protocol: tcp
|
source: zone-zuul-ci.org/zones/zuulci.org/
|
||||||
port: 53
|
|
||||||
hostname: ns1.opendev.org
|
|
||||||
- protocol: tcp
|
|
||||||
port: 53
|
|
||||||
hostname: ns2.opendev.org
|
|
||||||
|
@ -1,12 +0,0 @@
|
|||||||
dns_zones:
|
|
||||||
- name: gating.dev
|
|
||||||
source: zone-gating.dev/zones/gating.dev/
|
|
||||||
- name: opendev.org
|
|
||||||
source: zone-opendev.org/zones/opendev.org/
|
|
||||||
- name: acme.opendev.org
|
|
||||||
source: zone-opendev.org/zones/acme.opendev.org/
|
|
||||||
unmanaged: True
|
|
||||||
- name: zuul-ci.org
|
|
||||||
source: zone-zuul-ci.org/zones/zuul-ci.org/
|
|
||||||
- name: zuulci.org
|
|
||||||
source: zone-zuul-ci.org/zones/zuulci.org/
|
|
@ -1,6 +1,10 @@
|
|||||||
plugin: yamlgroup
|
plugin: yamlgroup
|
||||||
groups:
|
groups:
|
||||||
adns: adns*.open*.org
|
adns:
|
||||||
|
- adns*.opendev.org
|
||||||
|
- ns*.opendev.org
|
||||||
|
adns-primary: adns*.opendev.org
|
||||||
|
adns-secondary: ns*.opendev.org
|
||||||
afs-server-common:
|
afs-server-common:
|
||||||
- afs[0-9]*.openstack.org
|
- afs[0-9]*.openstack.org
|
||||||
- afsdb[0-9]*.openstack.org
|
- afsdb[0-9]*.openstack.org
|
||||||
@ -51,9 +55,6 @@ groups:
|
|||||||
control-plane-clouds:
|
control-plane-clouds:
|
||||||
- bridge*.open*.org
|
- bridge*.open*.org
|
||||||
disabled: []
|
disabled: []
|
||||||
dns:
|
|
||||||
- adns*.opendev.org
|
|
||||||
- ns*.opendev.org
|
|
||||||
eavesdrop: eavesdrop[0-9]*.opendev.org
|
eavesdrop: eavesdrop[0-9]*.opendev.org
|
||||||
etherpad: etherpad[0-9]*.open*.org
|
etherpad: etherpad[0-9]*.open*.org
|
||||||
gitea:
|
gitea:
|
||||||
@ -123,8 +124,6 @@ groups:
|
|||||||
- nb[0-9]*.opendev.org
|
- nb[0-9]*.opendev.org
|
||||||
nodepool-launcher:
|
nodepool-launcher:
|
||||||
- nl[0-9]*.open*.org
|
- nl[0-9]*.open*.org
|
||||||
ns:
|
|
||||||
- ns[0-9]*.open*.org
|
|
||||||
paste:
|
paste:
|
||||||
- paste[0-9]*.opendev.org
|
- paste[0-9]*.opendev.org
|
||||||
puppet:
|
puppet:
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
roles:
|
roles:
|
||||||
- letsencrypt-acme-sh-install
|
- letsencrypt-acme-sh-install
|
||||||
- letsencrypt-request-certs
|
- letsencrypt-request-certs
|
||||||
- hosts: "adns:!disabled"
|
- hosts: "adns-primary:!disabled"
|
||||||
name: "Install txt records"
|
name: "Install txt records"
|
||||||
roles:
|
roles:
|
||||||
- letsencrypt-install-txt-record
|
- letsencrypt-install-txt-record
|
||||||
|
@ -5,7 +5,11 @@ results:
|
|||||||
|
|
||||||
adns1.opendev.org:
|
adns1.opendev.org:
|
||||||
- adns
|
- adns
|
||||||
- dns
|
- adns-primary
|
||||||
|
|
||||||
|
ns1.opendev.org:
|
||||||
|
- adns
|
||||||
|
- adns-secondary
|
||||||
|
|
||||||
afs01.dfw.openstack.org:
|
afs01.dfw.openstack.org:
|
||||||
- afs-server-common
|
- afs-server-common
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
- hosts: adns:!disabled
|
- hosts: adns-primary:!disabled
|
||||||
name: "Base: configure adns server"
|
name: "Base: configure primary authoritative nameserver"
|
||||||
roles:
|
roles:
|
||||||
- iptables
|
- iptables
|
||||||
- master-nameserver
|
- master-nameserver
|
||||||
|
|
||||||
- hosts: "ns1.opendev.org:ns2.opendev.org:!disabled"
|
- hosts: "adns-secondary:!disabled"
|
||||||
name: "Base: configure authoritative nameservers"
|
name: "Base: configure secondary authoritative nameservers"
|
||||||
roles:
|
roles:
|
||||||
- iptables
|
- iptables
|
||||||
- nameserver
|
- nameserver
|
||||||
|
@ -114,11 +114,11 @@
|
|||||||
dest: "/etc/ansible/hosts/{{ item }}"
|
dest: "/etc/ansible/hosts/{{ item }}"
|
||||||
loop:
|
loop:
|
||||||
- group_vars/all.yaml
|
- group_vars/all.yaml
|
||||||
- group_vars/adns.yaml
|
- group_vars/adns-primary.yaml
|
||||||
|
- group_vars/adns-secondary.yaml
|
||||||
- group_vars/bastion.yaml
|
- group_vars/bastion.yaml
|
||||||
- group_vars/eavesdrop.yaml
|
- group_vars/eavesdrop.yaml
|
||||||
- group_vars/nodepool.yaml
|
- group_vars/nodepool.yaml
|
||||||
- group_vars/ns.yaml
|
|
||||||
- group_vars/registry.yaml
|
- group_vars/registry.yaml
|
||||||
- group_vars/gitea.yaml
|
- group_vars/gitea.yaml
|
||||||
- group_vars/gitea-lb.yaml
|
- group_vars/gitea-lb.yaml
|
||||||
|
@ -152,7 +152,8 @@
|
|||||||
- inventory/base
|
- inventory/base
|
||||||
- playbooks/service-nameserver.yaml
|
- playbooks/service-nameserver.yaml
|
||||||
- inventory/service/group_vars/adns.yaml
|
- inventory/service/group_vars/adns.yaml
|
||||||
- inventory/service/group_vars/ns.yaml
|
- inventory/service/group_vars/adns-primary.yaml
|
||||||
|
- inventory/service/group_vars/adns-secondary.yaml
|
||||||
- playbooks/roles/master-nameserver/
|
- playbooks/roles/master-nameserver/
|
||||||
- playbooks/roles/nameserver/
|
- playbooks/roles/nameserver/
|
||||||
- playbooks/roles/iptables/
|
- playbooks/roles/iptables/
|
||||||
|
@ -440,10 +440,11 @@
|
|||||||
'/var/lib/bind/zones': logs
|
'/var/lib/bind/zones': logs
|
||||||
files:
|
files:
|
||||||
- playbooks/bootstrap-bridge.yaml
|
- playbooks/bootstrap-bridge.yaml
|
||||||
|
- inventory/service/group_vars/adns-primary.yaml
|
||||||
|
- inventory/service/group_vars/adns-secondary.yaml
|
||||||
- inventory/service/group_vars/adns.yaml
|
- inventory/service/group_vars/adns.yaml
|
||||||
- inventory/service/group_vars/dns.yaml
|
- playbooks/zuul/templates/group_vars/adns-primary.yaml.j2
|
||||||
- playbooks/zuul/templates/group_vars/adns.yaml.j2
|
- playbooks/zuul/templates/group_vars/adns-secondary.yaml.j2
|
||||||
- playbooks/zuul/templates/group_vars/ns.yaml.j2
|
|
||||||
- playbooks/roles/master-nameserver/
|
- playbooks/roles/master-nameserver/
|
||||||
- playbooks/roles/nameserver/
|
- playbooks/roles/nameserver/
|
||||||
- testinfra/test_adns.py
|
- testinfra/test_adns.py
|
||||||
|
Loading…
Reference in New Issue
Block a user