From d0ca6d9d26fe4a4db7f84f9c4acdcf8b1c91a701 Mon Sep 17 00:00:00 2001
From: Brent Eagles
Date: Mon, 27 Jun 2022 10:30:25 -0230
Subject: [PATCH] Designate: support configuring non-ooo-deployed binds

Colloquially referred to as "bring your own bind", this allows designate to be configured with external bind instances. Note: also adds missing linkage between unbound and deployed bind instances.

Change-Id: I707bc151dfc9dafe1017f839c90a2051e4310301
(cherry picked from commit 1123931f6d6c3f19675fd47b5137616cb82416e1)
---
 .../designate_bind_pool/defaults/main.yml     |  1 +
 .../templates/pools.yaml.j2                   | 32 ++++++++++++-------
 .../designate_rndc_config/defaults/main.yml   |  1 +
 .../tasks/worker_config.yml                   | 23 ++++++++++---
 .../templates/rndc.conf.j2                    |  2 +-
 .../roles/tripleo_unbound/defaults/main.yml   |  1 +
 .../tripleo-forwarder-unbound.conf.j2         | 11 +++++++
 7 files changed, 53 insertions(+), 18 deletions(-)

diff --git a/tripleo_ansible/roles/designate_bind_pool/defaults/main.yml b/tripleo_ansible/roles/designate_bind_pool/defaults/main.yml
index 7c1b159e7..8808a457d 100644
--- a/tripleo_ansible/roles/designate_bind_pool/defaults/main.yml
+++ b/tripleo_ansible/roles/designate_bind_pool/defaults/main.yml
@@ -2,3 +2,4 @@
 designate_pool_config_file_path: '/var/lib/config-data/puppet-generated/designate/etc/designate/pools.yaml'
 designate_bind_pool_key_file_path: '/var/lib/config-data/puppet-generated/designate/etc/designate/private'
 pool_zone_domain: 'example.org'
+tripleo_external_bind_servers: []
diff --git a/tripleo_ansible/roles/designate_bind_pool/templates/pools.yaml.j2 b/tripleo_ansible/roles/designate_bind_pool/templates/pools.yaml.j2
index 043f4ffc1..63dd108d4 100644
--- a/tripleo_ansible/roles/designate_bind_pool/templates/pools.yaml.j2
+++ b/tripleo_ansible/roles/designate_bind_pool/templates/pools.yaml.j2
@@ -15,8 +15,6 @@
       priority: {{ loop.index }}
 {% endfor %}
 
-  # List out the nameservers for this pool. These are the actual BIND servers.
-  # We use these to verify changes have propagated to all nameservers.
   nameservers:
 {% for nameserver in groups.designate_bind -%}
@@ -24,21 +22,11 @@
       port: 53
 {% endfor %}
 
-  # List out the targets for this pool. For BIND there will be one
-  # entry for each BIND server, as we have to run rndc command on each server
   targets:
 {% for server in groups.designate_bind -%}
     - type: bind9
       description: BIND9 Server {{ loop.index }}
 
-      # List out the designate-mdns servers from which BIND servers should
-      # request zone transfers (AXFRs) from.
-      # This should be the IP of the controller node.
-      # If you have multiple controllers you can add multiple masters
-      # by running designate-mdns on them, and adding them here.
-      # XXX(beagles): these are just internal API atm but there really needs to
-      # be a public VIP endpoint for each and will be addressed in a followup
-      # patch.
       masters:
 {% for minidns_server in designate_mdns_node_ips -%}
         - host: {{ net_vip_map[service_net_map['public_network']] }}
@@ -54,3 +42,23 @@
         rndc_config_file: {{ keyfile_base_path|default('/etc/designate/private/bind') }}{{ loop.index }}.conf
 {% endfor %}
+
+  # Configure targets for user provided bind servers.
+{% for server in tripleo_external_bind_servers -%}
+    - type: bind9
+      description: External BIND9 Server {{ loop.index }}
+
+      masters:
+{% for minidns_server in designate_mdns_node_ips -%}
+        - host: {{ net_vip_map[service_net_map['public_network']] }}
+          port: {{ minidns_proxy_base_port + loop.index -1 }}
+{% endfor %}
+
+      # BIND options:
+      options:
+        host: {{ server.host }}
+        port: {{ server.port|default(53) }}
+        rndc_host: {{ server.rndc_host|default(server.host) }}
+        rndc_port: {{ server.rndc_port|default(953) }}
+        rndc_config_file: {{ keyfile_base_path|default('/etc/designate/private/xbind') }}{{ loop.index }}.conf
+{% endfor %}
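Review bot: The new external-target `rndc_config_file` line shares `keyfile_base_path` with the deployed-bind loop above it, so if an operator sets that variable both loops render identical paths for equal `loop.index` (`<base>1.conf` for deployed bind 1 and for external bind 1) and the external target is pointed at the deployed bind's rndc key file rather than the `xbind` file the rndc role writes; the two only diverge through the differing `default()` strings. I cannot see from this hunk whether `keyfile_base_path` is ever set, but the coupling is fragile: use a distinct override, `rndc_config_file: {{ external_keyfile_base_path|default('/etc/designate/private/xbind') }}{{ loop.index }}.conf`, or build both paths from one directory variable plus a fixed `bind`/`xbind` filename. A comment above the loop such as `# host/rndc_host must be plain IP addresses and port/rndc_port integers; values are rendered unquoted` would also help, since nothing in this hunk validates the operator-supplied entries before they land in pools.yaml.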
diff --git a/tripleo_ansible/roles/designate_rndc_config/defaults/main.yml b/tripleo_ansible/roles/designate_rndc_config/defaults/main.yml
index 3824500a4..cb20adbe3 100644
--- a/tripleo_ansible/roles/designate_rndc_config/defaults/main.yml
+++ b/tripleo_ansible/roles/designate_rndc_config/defaults/main.yml
@@ -1,3 +1,4 @@
 ---
 designate_rndc_key_file_path: '/var/lib/config-data/puppet-generated/designate/etc'
 designate_worker_config_file_path: '/var/lib/config-data/puppet-generated/designate/etc/designate'
+tripleo_external_bind_servers: []
diff --git a/tripleo_ansible/roles/designate_rndc_config/tasks/worker_config.yml b/tripleo_ansible/roles/designate_rndc_config/tasks/worker_config.yml
index ad77e6b9f..0b6581e6f 100644
--- a/tripleo_ansible/roles/designate_rndc_config/tasks/worker_config.yml
+++ b/tripleo_ansible/roles/designate_rndc_config/tasks/worker_config.yml
@@ -2,12 +2,25 @@
 - name: ensure rndc configuration path exists
   become: true
   file:
-      path: "{{ designate_worker_config_file_path }}/private"
-      state: directory
+    path: "{{ designate_worker_config_file_path }}/private"
+    state: directory
 
 - name: create rndc configurations for each bind instance
   become: true
   template:
-      src: rndc.conf.j2
-      dest: "{{ designate_worker_config_file_path }}/private/bind{{ item.0|int + 1 }}.conf"
-  with_indexed_items: "{{ designate_bind_node_ips }}"
+    src: rndc.conf.j2
+    dest: "{{ designate_worker_config_file_path }}/private/bind{{ index|int + 1 }}.conf"
+  loop: "{{ designate_bind_node_ips|flatten(levels=1) }}"
+  loop_control:
+    index_var: index
+
+- name: create rndc configurations for each external bind instance
+  become: true
+  template:
+    src: rndc.conf.j2
+    dest: "{{ designate_worker_config_file_path }}/private/xbind{{ index|int + 1 }}.conf"
+  vars:
+    server_rndc_key: "{{ item.rndc_key }}"
+  loop: "{{ tripleo_external_bind_servers|flatten(levels=1) }}"
+  loop_control:
+    index_var: index
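Review bot: The new external task renders each operator-supplied `rndc_key` into `private/xbind{{ index|int + 1 }}.conf` without a `mode` (or `owner`), so the HMAC secret lands on the host with whatever the root umask yields, commonly 0644 and world-readable; the pre-existing bind task has the same gap, but this task is the one introducing per-server secrets typed in by the operator. I would set `mode: "0600"` on both template tasks and `mode: "0700"` on the directory task, unless the downstream container config copy is known to be the only consumer and re-permissions the files (not visible here). Nothing checks that every entry carries `host` and `rndc_key` either; I believe a missing `rndc_key` fails templating with a generic undefined-attribute error, but an explicit assert before the loop gives operators a clear message and keeps the `|default(designate_rndc_key)` fallback in rndc.conf.j2 from ever being the thing that decides.
```yaml
- name: validate external bind definitions
  assert:
    that:
      - item.host is defined
      - item.rndc_key is defined
    fail_msg: "tripleo_external_bind_servers entries need 'host' and 'rndc_key'"
  loop: "{{ tripleo_external_bind_servers|flatten(levels=1) }}"

- name: create rndc configurations for each external bind instance
  become: true
  template:
    src: rndc.conf.j2
    dest: "{{ designate_worker_config_file_path }}/private/xbind{{ index|int + 1 }}.conf"
    mode: "0600"
  # … unchanged: vars, loop, loop_control …
```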
diff --git a/tripleo_ansible/roles/designate_rndc_config/templates/rndc.conf.j2 b/tripleo_ansible/roles/designate_rndc_config/templates/rndc.conf.j2
index f4a9f28dc..a481d4103 100644
--- a/tripleo_ansible/roles/designate_rndc_config/templates/rndc.conf.j2
+++ b/tripleo_ansible/roles/designate_rndc_config/templates/rndc.conf.j2
@@ -1,6 +1,6 @@
 key "rndc-key" {
     algorithm hmac-sha256;
-    secret "{{ designate_rndc_key }}";
+    secret "{{ server_rndc_key|default(designate_rndc_key) }}";
 };
 
 options {
diff --git a/tripleo_ansible/roles/tripleo_unbound/defaults/main.yml b/tripleo_ansible/roles/tripleo_unbound/defaults/main.yml
index d769eaaed..e7ca4dfb6 100644
--- a/tripleo_ansible/roles/tripleo_unbound/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_unbound/defaults/main.yml
@@ -26,5 +26,6 @@ tripleo_unbound_allowed_cidrs: []
 tripleo_unbound_log_queries: false
 tripleo_unbound_security_harden: true
 tripleo_unbound_forward_resolvers: []
+tripleo_external_bind_servers: []
 tripleo_unbound_allow_recursion: true
 tripleo_unbound_forward_fallback: true
diff --git a/tripleo_ansible/roles/tripleo_unbound/templates/tripleo-forwarder-unbound.conf.j2 b/tripleo_ansible/roles/tripleo_unbound/templates/tripleo-forwarder-unbound.conf.j2
index efae8494c..ceb6277ea 100644
--- a/tripleo_ansible/roles/tripleo_unbound/templates/tripleo-forwarder-unbound.conf.j2
+++ b/tripleo_ansible/roles/tripleo_unbound/templates/tripleo-forwarder-unbound.conf.j2
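Review bot: `secret "{{ server_rndc_key|default(designate_rndc_key) }}";` makes the deployed binds' shared rndc secret the silent fallback for every render of this template, so any caller that fails to pass `server_rndc_key` for an external server writes the internal key into that host's config instead of failing. Safer is to make the key explicit from both callers and strict here: `secret "{{ server_rndc_key | mandatory }}";`, with the deployed-bind task adding `server_rndc_key: "{{ designate_rndc_key }}"` under its `vars`. The algorithm also stays hard-coded to `hmac-sha256`, while an operator's pre-existing BIND may have generated its `rndc-key` with a different HMAC; `algorithm {{ server_rndc_algorithm|default('hmac-sha256') }};`, fed from an optional per-server field, would avoid a mismatch that otherwise only surfaces when designate issues its first rndc command against that target.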
@@ -15,9 +15,20 @@ distribution.
 forward-zone:
   name: "."
+
 {% for forwarder in tripleo_unbound_forward_resolvers %}
   forward-addr: {{ forwarder }}
 {% endfor %}
+{% if tripleo_unbound_forward_resolvers|length == 0 %}
+{% if groups.designate_bind is defined %}
+{% for server in groups.designate_bind %}
+  forward-addr: {{ hostvars[server].tripleo_dns_listen_interfaces[0] }}
+{% endfor %}
+{% endif %}
+{% for server in tripleo_external_bind_servers %}
+  forward-addr: {{ server.host }}
+{% endfor %}
+{% endif %}
 {% if tripleo_unbound_forward_fallback and tripleo_unbound_allow_recursion %}
 forward-first: yes
 {% else %}
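Review bot: With no explicit resolvers configured, every `server.host` in `tripleo_external_bind_servers` becomes a `forward-addr` for the root zone, so an operator-managed BIND now answers (or refuses) everything the tenant resolver forwards; unbound's `forward-addr` also accepts only IP addresses (a hostname needs `forward-host`), and nothing here checks what `server.host` holds, so a hostname entry would only surface as an unbound configuration failure at deploy time. `hostvars[server].tripleo_dns_listen_interfaces[0]` likewise assumes every designate_bind host defines a non-empty list and raises an undefined-variable error otherwise. When `groups.designate_bind` is undefined and the external list is empty the stanza still emits `forward-zone:` / `name: "."` with no addresses (those two lines are context just above the additions); I would confirm unbound-checkconf accepts that, or guard the whole stanza with `{% if tripleo_unbound_forward_resolvers|length > 0 or groups.designate_bind is defined or tripleo_external_bind_servers|length > 0 %}`. The template continues past the end of this hunk.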