From ff9a55d5db6860460c009856a4cec007608590f4 Mon Sep 17 00:00:00 2001 From: Jonathan Rosser Date: Wed, 23 May 2018 20:38:00 +0100 Subject: [PATCH] Create rndc key The deployer can provide an rndc key to authenticate with bind. Change-Id: I7cec53ebaf9fb69fa7116878528fa654dc362f92 --- defaults/main.yml | 8 ++++++++ tasks/designate_post_install.yml | 10 ++++++++++ templates/rndc.key.j2 | 4 ++++ tests/os_designate-overrides.yml | 7 +++++++ tests/templates/named.conf.j2 | 15 ++++++++------- tests/test-install-designate.yml | 5 +++++ 6 files changed, 42 insertions(+), 7 deletions(-) create mode 100644 templates/rndc.key.j2 diff --git a/defaults/main.yml b/defaults/main.yml index d9ac3f1..5d68e67 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -118,6 +118,14 @@ designate_role_name: admin # rndc_host: 127.0.0.1 # rndc_port: 953 +## rndc keys for authenticating with bind9 +# define this to create as many key files as are required +# designate_rndc_keys +# - name: "rndc-key" +# file: /etc/designate/rndc.key +# algorithm: "hmac-md5" +# secret: "" + ## Service Type and Data designate_service_region: RegionOne designate_service_endpoint_type: internalURL diff --git a/tasks/designate_post_install.yml b/tasks/designate_post_install.yml index 8ea12e4..13d42b4 100644 --- a/tasks/designate_post_install.yml +++ b/tasks/designate_post_install.yml @@ -49,6 +49,16 @@ dest: "/etc/designate/pools.yaml" when: designate_pools_yaml is defined +- name: Create Designate rndc key file + template: + src: rndc.key.j2 + dest: "{{ item.file }}" + owner: "{{ item.owner | default('root') }}" + group: "{{ item.group | default('root') }}" + mode: "{{ item.mode | default('0600') }}" + with_items: "{{ designate_rndc_keys }}" + when: designate_rndc_keys is defined + - name: Copy rootwrap filters copy: src: "{{ item }}" diff --git a/templates/rndc.key.j2 b/templates/rndc.key.j2 new file mode 100644 index 0000000..d428be1 --- /dev/null +++ b/templates/rndc.key.j2 
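Review bot: The commented example in defaults/main.yml is not valid YAML once uncommented, because `# designate_rndc_keys` at the head of the added block lacks the trailing colon that `designate_rndc_keys:` carries in tests/os_designate-overrides.yml; it should read `# designate_rndc_keys:`. The example also steers deployers to `algorithm: "hmac-md5"` with an empty `secret`, while recent BIND releases default `rndc-confgen` to hmac-sha256, so `#     algorithm: "hmac-sha256"` is the better sample value. Worth adding a comment that the secret is a base64 value from `rndc-confgen -a` (or `tsig-keygen`), that it grants full rndc control of the nameserver and belongs in a vault rather than plain group_vars, and that the role only writes the designate-side copy — named must be given the same key out of band.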
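Review bot: The `Create Designate rndc key file` task loops over items that contain `secret`, and Ansible echoes each loop item in the task result, so the rndc secret lands in the play output and any CI log that captures it; add `no_log: true` to the task. The defaults `owner: root`, `group: root`, `mode: 0600` also mean the designate services, which do not run as root, cannot read a key written at the documented `/etc/designate/rndc.key`; defaulting `owner` to the role's designate system user variable (not visible in this hunk) would keep `0600` workable instead of nudging deployers toward `0644`, as the test override below does. The enclosing task file continues outside the hunk.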
@@ -0,0 +1,4 @@ +key "{{ item.name }}" { + algorithm "{{ item.algorithm }}"; + secret "{{ item.secret }}"; +}; diff --git a/tests/os_designate-overrides.yml b/tests/os_designate-overrides.yml index 83fed90..22e9ba0 100644 --- a/tests/os_designate-overrides.yml +++ b/tests/os_designate-overrides.yml @@ -48,6 +48,13 @@ designate_pools_yaml: port: 53 rndc_host: 127.0.0.1 rndc_port: 953 + rndc_key_file: /etc/rndc.key +designate_rndc_keys: + - name: "rndc-key" + file: /etc/rndc.key + algorithm: "hmac-md5" + secret: 'DTngw5O8I5Axx631GjQ9pA==' + mode: "0644" tempest_run: yes diff --git a/tests/templates/named.conf.j2 b/tests/templates/named.conf.j2 index dd43c54..32a44e0 100644 --- a/tests/templates/named.conf.j2 +++ b/tests/templates/named.conf.j2 @@ -41,6 +41,14 @@ options { recursion no; }; +{% if designate_rndc_keys is defined %} +include "/etc/rndc.key"; + +controls { + inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; }; +}; +{% endif %} + {% if ansible_pkg_mgr in ['yum', 'dnf'] %} logging { channel default_debug { @@ -54,12 +62,6 @@ zone "." IN { file "named.ca"; }; -include "/etc/rndc.key"; - -controls { - inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; }; -}; - include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; @@ -89,4 +91,3 @@ zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN include "/etc/named.conf.include"; {% endif %} - diff --git a/tests/test-install-designate.yml b/tests/test-install-designate.yml index 3b4a2ff..930c8c6 100644 --- a/tests/test-install-designate.yml +++ b/tests/test-install-designate.yml @@ -53,5 +53,10 @@ bind_service_state: "{{ (ansible_pkg_mgr == 'apt') | ternary('restarted','started') }}" roles: - role: "os_designate" + post_tasks: + - name: Restart bind9, for test purposes the designate role drops a common rndc key to both bind and designate + service: + name: "{{ bind_service_name }}" + state: restarted vars_files: - common/test-vars.yml
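Review bot: The template renders `item.algorithm` and `item.secret` with no defaults or checks, so an entry that omits `algorithm` fails at render time with an undefined-variable error, and an undefined or empty `secret` (the defaults example shows `secret: ""`) produces a `secret "";` line that named is unlikely to accept and that rndc will never authenticate with. Defaulting the algorithm, `algorithm "{{ item.algorithm | default('hmac-sha256') }}";`, and requiring the secret with `secret "{{ item.secret | mandatory }}";` turn both into clear task failures rather than a broken rndc handshake discovered later. A one-line header such as `# rndc key "{{ item.name }}" written by the os_designate role` would also tell whoever finds the file under /etc where it came from.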
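Review bot: The test key is written with `mode: "0644"`, which makes the rndc secret readable by every local account on the test host, and since the named control channel in tests/templates/named.conf.j2 accepts localhost with exactly that key, any local user can then `rndc stop`/`reload` the server. Committing a known secret is acceptable for a test fixture, but the shared world-readable file is not needed: `designate_rndc_keys` already takes a list, so the same secret can be written twice with restrictive permissions — one copy for named, one for designate — with `rndc_key_file` pointing at the designate copy.

```yaml
# … unchanged: pools.yaml entries above …
    rndc_key_file: /etc/designate/rndc.key
designate_rndc_keys:
  - name: "rndc-key"
    file: /etc/rndc.key
    algorithm: "hmac-md5"
    secret: 'DTngw5O8I5Axx631GjQ9pA=='
    group: bind        # named's group; "named" on RHEL-family hosts — confirm for the test images
    mode: "0640"
  - name: "rndc-key"
    file: /etc/designate/rndc.key
    algorithm: "hmac-md5"
    secret: 'DTngw5O8I5Axx631GjQ9pA=='
    owner: designate   # the designate system user — confirm against the role's variable
    mode: "0600"
```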
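Review bot: The new `{% if designate_rndc_keys is defined %}` block hard-codes `include "/etc/rndc.key";` and `keys { "rndc-key"; }` while the condition only checks that the list exists, so an override that names the key differently or writes it to another path leaves named refusing to start (a missing include is a fatal config error) or rejecting every rndc command. Deriving both from the first entry, `include "{{ designate_rndc_keys[0].file }}";` and `inet 127.0.0.1 allow { localhost; } keys { "{{ designate_rndc_keys[0].name }}"; };`, keeps the test config in step with whatever the role actually writes. The branch also silently drops the whole `controls` stanza when no key is defined, in which case named only opens its default loopback control channel if /etc/rndc.key happens to exist; a comment such as `{# no designate key: named falls back to its default control channel, rndc from designate will fail #}` would make that intent explicit.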