Refactor adns variables

Firstly, my understanding of "adns" is that it's short for
authoritative-dns; i.e. things related to our main non-recursive DNS
servers for the zones we manage.  The "a" is useful to distinguish
this from any sort of other dns services we might run for CI, etc.

The way we do this is with a "hidden" server that applies updates from
config management, which then notifies secondary public servers which
do a zone transfer from the primary.  They're all "authoritative" in
the sense they're not for general recursive queries.

As mentioned in Ibd8063e92ad7ff9ee683dcc7dfcc115a0b19dcaa, we
currently have 3 groups

 adns : the hidden primary bind server
 ns : the secondary public authoritative servers
 dns : both of the above

This proposes a refactor into the following 3 groups

 adns-primary : hidden primary bind server
 adns-secondary : the secondary public authoritative servers
 adns : both of the above

This is meant to be a no-op; I just feel like this makes it a bit
clearer as to the "lay of the land" with these servers.  It will need
some consideration of the hiera variables on bridge if we merge.

Change-Id: I9ffef52f27bd23ceeec07fe0f45f9fee08b5559a
Ian Wienand 2023-03-09 15:01:45 +11:00
parent 7922eae159
commit b0d27692de
14 changed files with 65 additions and 51 deletions

@ -6,18 +6,27 @@ DNS
### ###
The project runs authoritative DNS servers for any constituent The project runs authoritative DNS servers for any constituent
projects that wish to use them. The servers run Bind on a hidden projects that wish to use them.
master which handles automatic DNSSEC zone signing while the public
authoritative servers run NSD. Bind is run on a hidden master (`adns01.opendev.org`) which handles
automatic DNSSEC zone signing. Any changes to the zone files are
deployed here.
Secondary public authoritative servers run NSD and take zone transfers
from the hidden primary. These are published in the NS records for
the managed zones.
At a Glance At a Glance
=========== ===========
:Hosts: :Hosts:
* adns01.opendev.org
* ns1.opendev.org * ns1.opendev.org
* ns2.opendev.org * ns2.opendev.org
:Ansible: :Ansible:
* :git_file:`inventory/service/group_vars/dns.yaml` * :git_file:`inventory/service/group_vars/adns.yaml`
* :git_file:`inventory/service/group_vars/adns-primary.yaml`
* :git_file:`inventory/service/group_vars/adns-secondary.yaml`
:Projects: :Projects:
* https://www.nlnetlabs.nl/projects/nsd/ * https://www.nlnetlabs.nl/projects/nsd/
* https://www.isc.org/downloads/bind/doc/ * https://www.isc.org/downloads/bind/doc/
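
Review bot: the rewritten paragraph names the hidden master as `adns01.opendev.org` and now lists it under :Hosts:, but never says what "hidden" means operationally; suggest one sentence stating that adns01 is not published in the NS records of the managed zones and that only the secondaries (ns1/ns2) may pull transfers from it, which is what the `iptables_extra_allowed_hosts` entries in the new adns-primary group vars enforce. Also "hidden master" and "hidden primary" are used for the same host two sentences apart; pick one term (the new group is called adns-primary) for consistency.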

@ -0,0 +1,17 @@
dns_repos:
- name: zone-opendev.org
url: https://opendev.org/opendev/zone-opendev.org
- name: zone-zuul-ci.org
url: https://opendev.org/opendev/zone-zuul-ci.org
- name: zone-gating.dev
url: https://opendev.org/opendev/zone-gating.dev
dns_notify:
- 104.239.140.165
- 162.253.55.16
iptables_extra_allowed_hosts:
- protocol: tcp
port: 53
hostname: ns1.opendev.org
- protocol: tcp
port: 53
hostname: ns2.opendev.org
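
Review bot: `dns_notify` carries two bare IP addresses while `iptables_extra_allowed_hosts` refers to the secondaries by hostname (ns1.opendev.org, ns2.opendev.org); if those addresses are ns1 and ns2, a comment saying so (or deriving both lists from one place) would stop them drifting apart when a secondary is rebuilt on a new address. The firewall entries only open TCP/53 to the two secondaries, which is the right scope for zone transfers from a hidden primary; a short header comment saying this file describes the hidden primary would help the next reader, since the filename alone is the only hint.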

@ -1,17 +1,12 @@
dns_repos: dns_zones:
- name: zone-opendev.org - name: gating.dev
url: https://opendev.org/opendev/zone-opendev.org source: zone-gating.dev/zones/gating.dev/
- name: zone-zuul-ci.org - name: opendev.org
url: https://opendev.org/opendev/zone-zuul-ci.org source: zone-opendev.org/zones/opendev.org/
- name: zone-gating.dev - name: acme.opendev.org
url: https://opendev.org/opendev/zone-gating.dev source: zone-opendev.org/zones/acme.opendev.org/
dns_notify: unmanaged: True
- 104.239.140.165 - name: zuul-ci.org
- 162.253.55.16 source: zone-zuul-ci.org/zones/zuul-ci.org/
iptables_extra_allowed_hosts: - name: zuulci.org
- protocol: tcp source: zone-zuul-ci.org/zones/zuulci.org/
port: 53
hostname: ns1.opendev.org
- protocol: tcp
port: 53
hostname: ns2.opendev.org
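
Review bot: `unmanaged: True` on acme.opendev.org has no explanation in the file; a one-line comment on what the master-nameserver role does differently for an unmanaged zone would help, since a reader of adns.yaml otherwise only sees the primary's vars being replaced by a zone list. Minor style point: `true` is the conventional YAML spelling.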

@ -1,12 +0,0 @@
dns_zones:
- name: gating.dev
source: zone-gating.dev/zones/gating.dev/
- name: opendev.org
source: zone-opendev.org/zones/opendev.org/
- name: acme.opendev.org
source: zone-opendev.org/zones/acme.opendev.org/
unmanaged: True
- name: zuul-ci.org
source: zone-zuul-ci.org/zones/zuul-ci.org/
- name: zuulci.org
source: zone-zuul-ci.org/zones/zuulci.org/

@ -1,6 +1,10 @@
plugin: yamlgroup plugin: yamlgroup
groups: groups:
adns: adns*.open*.org adns:
- adns*.opendev.org
- ns*.opendev.org
adns-primary: adns*.opendev.org
adns-secondary: ns*.opendev.org
afs-server-common: afs-server-common:
- afs[0-9]*.openstack.org - afs[0-9]*.openstack.org
- afsdb[0-9]*.openstack.org - afsdb[0-9]*.openstack.org
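
Review bot: the new patterns narrow the domain match: the removed `adns: adns*.open*.org` (and `ns: ns[0-9]*.open*.org` later in this file) matched both opendev.org and openstack.org hosts, while `adns-primary: adns*.opendev.org` and `adns-secondary: ns*.opendev.org` match opendev.org only. If that is intended, it is worth saying so in the commit message, which currently calls the change a no-op; if any *.openstack.org nameserver is still in the inventory it would silently drop out of the groups. Separately, `ns*.opendev.org` is looser than the old `ns[0-9]*`; consider keeping the digit so that a future host whose name merely starts with "ns" is not configured as a public secondary.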
@ -51,9 +55,6 @@ groups:
control-plane-clouds: control-plane-clouds:
- bridge*.open*.org - bridge*.open*.org
disabled: [] disabled: []
dns:
- adns*.opendev.org
- ns*.opendev.org
eavesdrop: eavesdrop[0-9]*.opendev.org eavesdrop: eavesdrop[0-9]*.opendev.org
etherpad: etherpad[0-9]*.open*.org etherpad: etherpad[0-9]*.open*.org
gitea: gitea:
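
Review bot: with the `dns` group gone, any remaining `hosts: dns` (or `dns:!disabled`) pattern in a playbook would not error out; Ansible warns that the pattern matched no hosts and skips the play, so the affected configuration simply stops being applied. Suggest grepping playbooks/ and inventory/ for the old `dns` and `ns` group names before merging (the testinfra groups fixture in this change drops `- dns` for adns1, which is the right direction).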
@ -123,8 +124,6 @@ groups:
- nb[0-9]*.opendev.org - nb[0-9]*.opendev.org
nodepool-launcher: nodepool-launcher:
- nl[0-9]*.open*.org - nl[0-9]*.open*.org
ns:
- ns[0-9]*.open*.org
paste: paste:
- paste[0-9]*.opendev.org - paste[0-9]*.opendev.org
puppet: puppet:

@ -9,7 +9,7 @@
roles: roles:
- letsencrypt-acme-sh-install - letsencrypt-acme-sh-install
- letsencrypt-request-certs - letsencrypt-request-certs
- hosts: "adns:!disabled" - hosts: "adns-primary:!disabled"
name: "Install txt records" name: "Install txt records"
roles: roles:
- letsencrypt-install-txt-record - letsencrypt-install-txt-record
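
Review bot: this is the one hunk where the rename changes behaviour rather than naming: under the new inventory `adns` includes ns1/ns2, so leaving `hosts: "adns:!disabled"` would have run letsencrypt-install-txt-record on the secondaries, which take zone transfers rather than holding the zone sources. Targeting `adns-primary` keeps TXT record installation on the hidden primary only; a short comment in the play saying why the primary is the target would stop someone later "simplifying" it back to `adns`.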

@ -5,7 +5,11 @@ results:
adns1.opendev.org: adns1.opendev.org:
- adns - adns
- dns - adns-primary
ns1.opendev.org:
- adns
- adns-secondary
afs01.dfw.openstack.org: afs01.dfw.openstack.org:
- afs-server-common - afs-server-common
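
Review bot: the fixture uses `adns1.opendev.org`, while the docs hunk in this change names the hidden master `adns01.opendev.org`; both match `adns*.opendev.org`, so the test passes either way, but aligning the fixture with the real host name avoids the test data quietly diverging from production naming. Consider also adding an `ns2.opendev.org` entry so the fixture exercises the `adns-secondary` pattern for more than one host.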

@ -1,11 +1,11 @@
- hosts: adns:!disabled - hosts: adns-primary:!disabled
name: "Base: configure adns server" name: "Base: configure primary authoritative nameserver"
roles: roles:
- iptables - iptables
- master-nameserver - master-nameserver
- hosts: "ns1.opendev.org:ns2.opendev.org:!disabled" - hosts: "adns-secondary:!disabled"
name: "Base: configure authoritative nameservers" name: "Base: configure secondary authoritative nameservers"
roles: roles:
- iptables - iptables
- nameserver - nameserver
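
Review bot: the secondaries move from an explicit `ns1.opendev.org:ns2.opendev.org` list to the `adns-secondary` glob group, so any future host matching `ns*.opendev.org` is automatically configured as a public secondary with the iptables and nameserver roles; convenient, but it means a hostname alone now grants that role, which is worth a note in the play. On the primary side, `adns-primary:!disabled` should resolve to exactly one host, since two hidden primaries would both send NOTIFYs to the secondaries; an `ansible.builtin.assert` that `groups['adns-primary'] | length == 1` (or at least a comment) would make that expectation explicit.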

@ -114,11 +114,11 @@
dest: "/etc/ansible/hosts/{{ item }}" dest: "/etc/ansible/hosts/{{ item }}"
loop: loop:
- group_vars/all.yaml - group_vars/all.yaml
- group_vars/adns.yaml - group_vars/adns-primary.yaml
- group_vars/adns-secondary.yaml
- group_vars/bastion.yaml - group_vars/bastion.yaml
- group_vars/eavesdrop.yaml - group_vars/eavesdrop.yaml
- group_vars/nodepool.yaml - group_vars/nodepool.yaml
- group_vars/ns.yaml
- group_vars/registry.yaml - group_vars/registry.yaml
- group_vars/gitea.yaml - group_vars/gitea.yaml
- group_vars/gitea-lb.yaml - group_vars/gitea-lb.yaml
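
Review bot: the loop now expects `group_vars/adns-primary.yaml` and `group_vars/adns-secondary.yaml` among the files written to /etc/ansible/hosts on bridge; the matching templates `playbooks/zuul/templates/group_vars/adns-primary.yaml.j2` and `adns-secondary.yaml.j2` are referenced in the Zuul files matcher later in this change, but the rename of those templates is not among the hunks shown here, so double-check it is part of the commit. Dropping `adns.yaml` from the loop is consistent with the old loop not listing `dns.yaml`: only the per-role vars are templated for the test bridge, not the zone list.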

@ -152,7 +152,8 @@
- inventory/base - inventory/base
- playbooks/service-nameserver.yaml - playbooks/service-nameserver.yaml
- inventory/service/group_vars/adns.yaml - inventory/service/group_vars/adns.yaml
- inventory/service/group_vars/ns.yaml - inventory/service/group_vars/adns-primary.yaml
- inventory/service/group_vars/adns-secondary.yaml
- playbooks/roles/master-nameserver/ - playbooks/roles/master-nameserver/
- playbooks/roles/nameserver/ - playbooks/roles/nameserver/
- playbooks/roles/iptables/ - playbooks/roles/iptables/

@ -440,10 +440,11 @@
'/var/lib/bind/zones': logs '/var/lib/bind/zones': logs
files: files:
- playbooks/bootstrap-bridge.yaml - playbooks/bootstrap-bridge.yaml
- inventory/service/group_vars/adns-primary.yaml
- inventory/service/group_vars/adns-secondary.yaml
- inventory/service/group_vars/adns.yaml - inventory/service/group_vars/adns.yaml
- inventory/service/group_vars/dns.yaml - playbooks/zuul/templates/group_vars/adns-primary.yaml.j2
- playbooks/zuul/templates/group_vars/adns.yaml.j2 - playbooks/zuul/templates/group_vars/adns-secondary.yaml.j2
- playbooks/zuul/templates/group_vars/ns.yaml.j2
- playbooks/roles/master-nameserver/ - playbooks/roles/master-nameserver/
- playbooks/roles/nameserver/ - playbooks/roles/nameserver/
- testinfra/test_adns.py - testinfra/test_adns.py