Nameservers are now managed with ansible

Remove the puppetry for managing nameservers as we now use ansible
configured name servers without puppet.

We will need to follow this up with deletion of the existing
ns*.openstack.org and adns1.openstack.org servers.

Change-Id: Id7ec8fa58c9e37ce94ec71e4562607914e5c3ea4

hiera/common.yaml

@@ -233,7 +233,7 @@ meetbot_channels:
 - '#tripleo'
 - '#zuul'
 cacti_hosts:
-- adns1.openstack.org
+- adns1.opendev.org
 - afs01.dfw.openstack.org
 - afs02.dfw.openstack.org
 - afs01.ord.openstack.org
@@ -302,8 +302,8 @@ cacti_hosts:
 - nl02.openstack.org
 - nl03.openstack.org
 - nl04.openstack.org
-- ns1.openstack.org
-- ns2.openstack.org
+- ns1.opendev.org
+- ns2.opendev.org
 - openstackid.org
 - paste.openstack.org
 - pbx.openstack.org

inventory/groups.yaml

@@ -35,7 +35,6 @@ groups:
   files: files[0-9]*.open*.org
   firehose: firehose[0-9]*.open*.org
   futureparser:
-    - adns[0-9]*.openstack.org
     - ask-staging[0-9]*.open*.org
     - cacti[0-9]*.open*.org
     - codesearch[0-9]*.open*.org
@@ -62,7 +61,6 @@ groups:
     - mirror[0-9]*.*.*.open*.org
     - nb[0-9]*.open*.org
     - nl[0-9]*.open*.org
-    - ns[0-9]*.openstack.org
     - paste[0-9]*.open*.org
     - pbx*.open*.org
     - planet[0-9]*.open*.org
@@ -122,7 +120,6 @@ groups:
   pbx:
     - pbx*.open*.org
   puppet:
-    - adns1.openstack.org
     - afs[0-9]*.open*.org
     - afsdb[0-9]*.open*.org
     - ask*.open*.org
@@ -152,8 +149,6 @@ groups:
     - mirror[0-9]*.open*.org
     - nb[0-9]*.open*.org
     - nl[0-9]*.open*.org
-    - ns1.openstack.org
-    - ns2.openstack.org
     - openstackid-dev*.open*.org
     - openstackid.org
     - paste[0-9]*.open*.org

inventory/openstack.yaml

@@ -8,14 +8,6 @@ all:
       private_v4: 10.209.134.4
       public_v4: 104.239.146.24
       public_v6: 2001:4800:7819:104:be76:4eff:fe04:43d0
-    adns1.openstack.org:
-      ansible_host: 2001:4801:7824:101:be76:4eff:fe10:c98e
-      location:
-        cloud: openstackci-rax
-        region_name: ORD
-      private_v4: 10.209.103.102
-      public_v4: 23.253.63.149
-      public_v6: 2001:4801:7824:101:be76:4eff:fe10:c98e
     afs01.dfw.openstack.org:
       ansible_host: 2001:4800:7818:103:be76:4eff:fe04:a376
       location:
@@ -768,14 +760,6 @@ all:
       private_v4: 10.209.133.154
       public_v4: 104.239.140.165
       public_v6: 2001:4800:7819:104:be76:4eff:fe04:38f0
-    ns1.openstack.org:
-      ansible_host: 2001:4800:7817:103:be76:4eff:fe04:3fc7
-      location:
-        cloud: openstackci-rax
-        region_name: DFW
-      private_v4: 10.208.160.121
-      public_v4: 23.253.236.219
-      public_v6: 2001:4800:7817:103:be76:4eff:fe04:3fc7
     ns2.opendev.org:
       ansible_host: 2604:e100:1:0:f816:3eff:fe2c:7447
       location:
@@ -784,14 +768,6 @@ all:
       private_v4: ''
       public_v4: 162.253.55.16
       public_v6: 2604:e100:1:0:f816:3eff:fe2c:7447
-    ns2.openstack.org:
-      ansible_host: 2604:e100:1:0:f816:3eff:fe53:ee69
-      location:
-        cloud: openstackci-vexxhost
-        region_name: ca-ymq-1
-      private_v4: ''
-      public_v4: 162.253.55.139
-      public_v6: 2604:e100:1:0:f816:3eff:fe53:ee69
     openstackid-dev.openstack.org:
       ansible_host: 2001:4800:7819:103:be76:4eff:fe05:3d
       location:

manifests/site.pp

@@ -696,52 +696,6 @@ node /^survey\d+\.open.*\.org$/ {
   }
 }
 
-# This is a hidden authoritative master nameserver, not publicly
-# accessible.
-# Node-OS: xenial
-node /^adns\d+\.open.*\.org$/ {
-  $group = 'adns'
-
-  class { 'openstack_project::server': }
-
-  class { 'openstack_project::master_nameserver':
-    tsig_key => hiera('tsig_key', {}),
-    dnssec_keys => hiera_hash('dnssec_keys', {}),
-    notifies => concat(dns_a('ns1.openstack.org'), dns_a('ns2.openstack.org')),
-  }
-}
-
-# These are publicly accessible authoritative slave nameservers.
-# Node-OS: xenial
-node /^ns\d+\.open.*\.org$/ {
-  $group = 'ns'
-
-  class { 'openstack_project::server': }
-
-  $tsig_key = hiera('tsig_key', {})
-  if $tsig_key != {} {
-    $tsig_name = 'tsig'
-    nsd::tsig { 'tsig':
-      algo => $tsig_key[algorithm],
-      data => $tsig_key[secret],
-    }
-  } else {
-    $tsig_name = undef
-  }
-
-  class { '::nsd':
-    ip_addresses => [ $::ipaddress, $::ipaddress6 ],
-    zones => {
-      'adns1_zones' => {
-        allow_notify => dns_a('adns1.openstack.org'),
-        masters => dns_a('adns1.openstack.org'),
-        zones => ['zuul-ci.org', 'zuulci.org'],
-        tsig_name => $tsig_name,
-      }
-    }
-  }
-}
-
 # Node-OS: xenial
 node /^nl\d+\.open.*\.org$/ {
   $group = 'nodepool'

modules.env

@@ -44,7 +44,6 @@ SOURCE_MODULES["https://github.com/dalen/puppet-dnsquery"]="2.0.1"
 SOURCE_MODULES["https://github.com/deric/puppet-zookeeper"]="v0.5.5"
 SOURCE_MODULES["https://github.com/duritong/puppet-sysctl"]="v0.0.11"
 # initfact is a dep of biemond-wildfly
-SOURCE_MODULES["https://github.com/icann-dns/puppet-nsd"]="0.1.10"
 SOURCE_MODULES["https://github.com/jethrocarr/puppet-initfact"]="1.0.1"
 SOURCE_MODULES["https://github.com/jfryman/puppet-selinux"]="v0.2.5"
 SOURCE_MODULES["https://github.com/maestrodev/puppet-wget"]="v1.6.0"

modules/openstack_project/manifests/master_nameserver.pp

@@ -1,130 +0,0 @@
-define openstack_project::master_zone (
-  $source = undef,
-) {
-  concat::fragment { "dns_zones+10_${name}.dns":
-    target  => $::dns::publicviewpath,
-    content => template('openstack_project/nameserver/bind.zone.erb'),
-    order   => "10-${name}",
-  }
-  file { "/var/lib/bind/zones/${name}":
-    ensure  => directory,
-    owner   => 'bind',
-    group   => 'bind',
-    mode    => 'u+rwX,g+rX,o+rX',
-    source  => $source,
-    recurse => remote,
-    require => File['/var/lib/bind/zones'],
-    notify  => Exec['rndc_reload'],
-  }
-  file { "/etc/bind/keys/${name}":
-    require => File['/etc/bind/keys'],
-    ensure  => directory,
-    owner   => 'root',
-    group   => 'bind',
-    mode    => '0750',
-  }
-}
-
-define openstack_project::dnssec_key (
-  $public = undef,
-  $private = undef,
-  $zone = undef,
-) {
-  file { "/etc/bind/keys/${zone}/K${zone}.+008+${name}.key":
-    ensure  => present,
-    content => $public,
-    owner   => 'root',
-    group   => 'bind',
-    mode    => '0440',
-    require => File["/etc/bind/keys/${zone}"],
-  }
-  file { "/etc/bind/keys/${zone}/K${zone}.+008+${name}.private":
-    ensure  => present,
-    content => $private,
-    owner   => 'root',
-    group   => 'bind',
-    mode    => '0440',
-    require => File["/etc/bind/keys/${zone}"],
-  }
-}
-
-define openstack_project::bind_key (
-  $key = undef,
-) {
-  file { "/etc/bind/${name}.key":
-    require => Package[$::dns::dns_server_package],
-    owner   => 'root',
-    group   => 'bind',
-    mode    => '0440',
-    content => template('openstack_project/nameserver/bind.key.erb'),
-  }
-}
-
-class openstack_project::master_nameserver (
-  $tsig_key = undef,
-  $dnssec_keys = undef,
-  $notifies = undef,
-) {
-
-  $also_notify = join($notifies, ';')
-
-  class { '::haveged': }
-
-  class { '::dns':
-    dns_notify         => yes,
-    listen_on_v6       => "${::ipaddress6}",
-    additional_directives => [
-      'include "/etc/bind/tsig.key";',
-    ],
-    additional_options => {
-      'listen-on' => "{ ${::ipaddress}; }",
-      # Notify requests can also be TSIG signed, but the current version
-      # of the NSD puppet module doesn't let us configure that easily.
-      'also-notify' => "{ ${also_notify}; }",
-      # Bind doesn't make it easy (or possible?) to restrict transfers by
-      # ip address and TSIG, so we only use the TSIG key here.
-      'allow-transfer' => "{ key tsig; }",
-    }
-  }
-
-  file { '/etc/bind/keys':
-    require => Package[$::dns::dns_server_package],
-    ensure  => directory,
-    owner   => 'root',
-    group   => 'bind',
-    mode    => '0750',
-  }
-  file { '/var/lib/bind/zones':
-    require => Package[$::dns::dns_server_package],
-    ensure  => directory,
-  }
-
-  openstack_project::bind_key { 'tsig':
-    key => $tsig_key,
-  }
-
-  create_resources(openstack_project::dnssec_key, $dnssec_keys)
-
-  # Per zone configuration
-  vcsrepo { '/opt/zone-zuul-ci.org':
-    ensure   => latest,
-    provider => git,
-    revision => 'master',
-    source   => 'https://git.openstack.org/openstack-infra/zone-zuul-ci.org',
-  }
-  openstack_project::master_zone { 'zuul-ci.org':
-    source  => 'file:///opt/zone-zuul-ci.org/zones/zuul-ci.org',
-    require => Vcsrepo['/opt/zone-zuul-ci.org'],
-  }
-  openstack_project::master_zone { 'zuulci.org':
-    source  => 'file:///opt/zone-zuul-ci.org/zones/zuulci.org',
-    require => Vcsrepo['/opt/zone-zuul-ci.org'],
-  }
-
-  exec { 'rndc_reload' :
-    command     => 'rndc reload',
-    path        => '/sbin:/usr/sbin:/bin:/usr/bin',
-    refreshonly => true,
-  }
-
-}

playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml

@@ -3,10 +3,9 @@
 
 results:
 
-  adns1.openstack.org:
+  adns1.opendev.org:
     - adns
-    - puppet
-    - futureparser
+    - dns
 
   afs01.dfw.openstack.org:
     - afs