Designate: specify source address when using rndc
This patch switches the bind pool configuration from using a bind key
per target to a configuration file per target, allowing us to specify a
source address. This is required to make sure the source address matches
the rndc allow config on the target bind host when using rndc from a
multi-homed host.
Also cleans up some shared bind/worker/central configuration that gets
in the way of configuring things sensibly.
Change-Id: I2da71650d0566386df76ab16d6ad1aeabe716504
(cherry picked from commit 891828a6de
)
This commit is contained in:
parent
718ad5a6db
commit
8c71243526
|
@ -1,3 +1,2 @@
|
|||
---
|
||||
designate_named_conf_path: '/var/lib/config-data/ansible-generated/designate/etc'
|
||||
rndc_allowed_addresses: ['127.0.0.1']
|
||||
|
|
|
@ -17,10 +17,10 @@
|
|||
|
||||
- name: Converge
|
||||
hosts: all
|
||||
tasks:
|
||||
- name: Configure bind
|
||||
include_role:
|
||||
name: designate_bind_config
|
||||
roles:
|
||||
- role: designate_bind_config
|
||||
vars:
|
||||
designate_named_conf_path: "/etc"
|
||||
tripleo_dns_listen_interfaces: ['127.0.0.1']
|
||||
designate_rndc_key: "dummy-rndc-key"
|
||||
rndc_allowed_addresses: ["172.17.2.0/24"]
|
||||
tripleo_dns_listen_interfaces: ["172.168.10.99"]
|
||||
|
|
|
@ -28,3 +28,8 @@
|
|||
template:
|
||||
src: named.conf.j2
|
||||
dest: "{{ designate_named_conf_path}}/named.conf"
|
||||
|
||||
- include_tasks: configure_interfaces.yml
|
||||
when:
|
||||
- tripleo_designate_bind_network is defined
|
||||
- tripleo_dns_listen_interfaces is defined
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
include "/etc/named/rndc.conf";
|
||||
include "/etc/rndc.key";
|
||||
include "/etc/named/options.conf";
|
||||
include "/etc/named.rfc1912.zones";
|
||||
include "/etc/named/logging.conf";
|
||||
|
|
|
@ -1,3 +1,8 @@
|
|||
key "rndc-key" {
|
||||
algorithm hmac-sha256;
|
||||
secret "{{ designate_rndc_key }}";
|
||||
};
|
||||
|
||||
controls {
|
||||
inet {{ tripleo_dns_listen_interfaces[0] }} allow { {{ rndc_allowed_addresses|join(';') }}; } keys { "rndc-key"; };
|
||||
};
|
||||
|
|
|
@ -5,16 +5,3 @@
|
|||
template:
|
||||
src: pools.yaml.j2
|
||||
dest: "{{ designate_pool_config_file_path }}"
|
||||
|
||||
- name: ensure rndc key path exists
|
||||
become: true
|
||||
file:
|
||||
path: "{{ designate_bind_pool_key_file_path }}"
|
||||
state: directory
|
||||
|
||||
- name: create rndc key files for each bind instance
|
||||
become: true
|
||||
template:
|
||||
src: rndc.key.j2
|
||||
dest: "{{ designate_bind_pool_key_file_path }}/bind{{ item.0|int + 1 }}.key"
|
||||
with_indexed_items: "{{ designate_bind_node_ips }}"
|
||||
|
|
|
@ -51,6 +51,6 @@
|
|||
port: 53
|
||||
rndc_host: {{ hostvars[server].tripleo_dns_listen_interfaces[0] }}
|
||||
rndc_port: 953
|
||||
rndc_key_file: {{ keyfile_base_path|default('/etc/designate/private/bind') }}{{ loop.index }}.key
|
||||
rndc_config_file: {{ keyfile_base_path|default('/etc/designate/private/bind') }}{{ loop.index }}.conf
|
||||
|
||||
{% endfor %}
|
||||
|
|
|
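Review bot: `keyfile_base_path` now builds the path of an rndc configuration file rather than a key file on the new `rndc_config_file:` line, so the variable's name no longer describes what it produces. Because it is read through `|default(...)`, it may be supplied by callers, so a rename would need a compatibility alias; at minimum a comment on the new line such as `{# keyfile_base_path: base path of the per-bind rndc .conf files (historic name) #}` would prevent confusion. The generated `bind{{ loop.index }}.conf` name is 1-based, which matches the `item.0|int + 1` numbering used by the worker task that writes these files.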
@ -0,0 +1,11 @@
|
|||
key "rndc-key" {
|
||||
algorithm hmac-sha256;
|
||||
secret "{{ designate_rndc_key }}";
|
||||
};
|
||||
|
||||
options {
|
||||
{% if defined designate_worker_source_address %}
|
||||
default-source-address {{ designate_worker_source_address }};
|
||||
{% endif %}
|
||||
default-key "rndc-key";
|
||||
};
|
|
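Review bot: The conditional at the top of the `options` block, `{% if defined designate_worker_source_address %}`, is not valid Jinja2 — the defined test is written as `value is defined` — so rendering this template would raise a TemplateSyntaxError before any file is written. It should read `{% if designate_worker_source_address is defined %}`. The other `rndc.conf.j2` added by this commit (the 20-line one further down) already uses the `is defined` form and resolves the address itself, so this 11-line copy may be a stale duplicate; if it is the one a task actually renders, the fix above is required, and if nothing renders it, it should be dropped rather than left as a second, diverging template that embeds the same rndc secret.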
@ -1,4 +0,0 @@
|
|||
key "rndc-key" {
|
||||
algorithm hmac-sha256;
|
||||
secret "{{ designate_rndc_key }}";
|
||||
};
|
|
@ -1,2 +1,3 @@
|
|||
---
|
||||
designate_rndc_key_file_path: '/var/lib/config-data/puppet-generated/designate/etc/designate/private'
|
||||
designate_rndc_key_file_path: '/var/lib/config-data/puppet-generated/designate/etc'
|
||||
designate_worker_config_file_path: '/var/lib/config-data/puppet-generated/designate/etc/designate'
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
# XXX (beagles) which permissions?
|
||||
# TODO(beagles): this should probably just move to the bind config role
|
||||
# because the worker is writing rndc conf files instead.
|
||||
- name: ensure rndc key path exists
|
||||
become: true
|
||||
file:
|
||||
|
@ -11,3 +12,8 @@
|
|||
template:
|
||||
src: rndc.key.j2
|
||||
dest: "{{ designate_rndc_key_file_path }}/rndc.key"
|
||||
|
||||
# TODO(beagles): This is run here to deal with a a dependency issue, but
|
||||
# should be removed when the partner heat template patch lands.
|
||||
- name: included the rndc conf file generation if enabled
|
||||
include_tasks: worker_config.yml
|
||||
|
|
|
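Review bot: The new task at the end of the second hunk is named `included the rndc conf file generation if enabled`, but the `include_tasks: worker_config.yml` carries no `when:`, so the include runs unconditionally; either drop the qualifier (`- name: include the rndc conf file generation`) or add the guard the name promises. The accompanying comment also reads `a a dependency issue`. In the first hunk the `# XXX (beagles) which permissions?` question appears to be replaced by the TODO, while the `file:` task it referred to (whose body continues past the hunk) still seems to set no `mode` or `owner` on the directory that receives `rndc.key`; that question is worth carrying forward rather than dropping.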
@ -0,0 +1,13 @@
|
|||
---
|
||||
- name: ensure rndc configuration path exists
|
||||
become: true
|
||||
file:
|
||||
path: "{{ designate_worker_config_file_path }}/private"
|
||||
state: directory
|
||||
|
||||
- name: create rndc configurations for each bind instance
|
||||
become: true
|
||||
template:
|
||||
src: rndc.conf.j2
|
||||
dest: "{{ designate_worker_config_file_path }}/private/bind{{ item.0|int + 1 }}.conf"
|
||||
with_indexed_items: "{{ designate_bind_node_ips }}"
|
|
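Review bot: Both tasks produce material that contains the rndc HMAC secret — `rndc.conf.j2` renders `secret "{{ designate_rndc_key }}"` into `bind{{ item.0|int + 1 }}.conf` — yet neither the `file:` task creating the `private` directory nor the `template:` task sets `mode`, `owner` or `group`, so the rendered files take the target's default umask (typically world-readable). Add `mode: "0750"` to the directory task and `mode: "0600"` to the template task, with `owner`/`group` set to whatever the designate worker runs as (not determinable from this diff). The bind-side `rndc.conf.j2` earlier in this commit now also carries the key block; the task that renders it is not in the diff and should be checked for the same omission. As a style point, `with_indexed_items` can be written as `loop: "{{ designate_bind_node_ips }}"` with `loop_control: index_var: idx`, the form current Ansible documentation recommends.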
@ -0,0 +1,20 @@
|
|||
key "rndc-key" {
|
||||
algorithm hmac-sha256;
|
||||
secret "{{ designate_rndc_key }}";
|
||||
};
|
||||
|
||||
options {
|
||||
{% if designate_worker_network is defined %}
|
||||
{% set designate_worker_source_address = hostvars[inventory_hostname][designate_worker_network + "_ip"] %}
|
||||
{% elif 'internal_api_ip' in hostvars[inventory_hostname] %}
|
||||
{% set designate_worker_source_address = hostvars[inventory_hostname]['internal_api_ip'] %}
|
||||
{% else %}
|
||||
{% set designate_worker_source_address = hostvars[inventory_hostname]['ctlplane_ip'] %}
|
||||
{% endif %}
|
||||
{% if designate_worker_source_address|ipv4 %}
|
||||
default-source-address {{ designate_worker_source_address }};
|
||||
{% elif designate_worker_source_address|ipv6 %}
|
||||
default-source-address-v6 {{ designate_worker_source_address }};
|
||||
{% endif %}
|
||||
default-key "rndc-key";
|
||||
};
|
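Review bot: When the resolved address passes neither the `|ipv4` nor the `|ipv6` test (for example an empty `<network>_ip` hostvar or a hostname), the `if`/`elif` chain emits an `options` block with no `default-source-address` at all, so rndc silently falls back to the kernel's route selection — the multi-homed failure this commit sets out to fix — and the problem only surfaces as rndc being refused by the target's `allow` list. Consider an `assert` task in `worker_config.yml`, run before the template task, that fails when the address is neither a valid IPv4 nor IPv6 literal, so misconfiguration is reported at deploy time. The `ipv4`/`ipv6` filters also depend on the `netaddr` Python package where the play runs; if tripleo-ansible does not already require it, that is a new dependency for this role. The `{% set %}` assignments inside the conditional are fine, since Jinja2 `if` blocks do not open a new scope.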