Designate: specify source address when using rndc

This patch switches the bind pool configuration from using a bind key per target to a configuration file per target, allowing us to specify a source address which is required to make sure the source address matches the rndc allow config on the target bind host when using rndc from a multi-homed host. Also cleans up some shared bind/worker/central configuration that gets in the way of configuring things sensibly. Change-Id: I2da71650d0566386df76ab16d6ad1aeabe716504 (cherry picked from commit 891828a6de)
2022-05-09 09:53:59 -02:30 · 2022-05-09 09:53:59 -02:30 · 8c71243526
parent 718ad5a6db
commit 8c71243526
13 changed files with 69 additions and 27 deletions
--- a/tripleo_ansible/roles/designate_bind_config/defaults/main.yml
+++ b/tripleo_ansible/roles/designate_bind_config/defaults/main.yml
@ -1,3 +1,2 @@
 ---
 designate_named_conf_path: '/var/lib/config-data/ansible-generated/designate/etc'
-rndc_allowed_addresses: ['127.0.0.1']
--- a/tripleo_ansible/roles/designate_bind_config/molecule/default/converge.yml
+++ b/tripleo_ansible/roles/designate_bind_config/molecule/default/converge.yml
@ -17,10 +17,10 @@

 - name: Converge
  hosts: all
-  tasks:
-    - name: Configure bind
-      include_role:
-        name: designate_bind_config
+  roles:
+    - role: designate_bind_config
      vars:
        designate_named_conf_path: "/etc"
-        tripleo_dns_listen_interfaces: ['127.0.0.1']
+        designate_rndc_key: "dummy-rndc-key"
+        rndc_allowed_addresses: ["172.17.2.0/24"]
+        tripleo_dns_listen_interfaces: ["172.168.10.99"]
--- a/tripleo_ansible/roles/designate_bind_config/tasks/main.yml
+++ b/tripleo_ansible/roles/designate_bind_config/tasks/main.yml
@ -28,3 +28,8 @@
  template:
    src: named.conf.j2
    dest: "{{ designate_named_conf_path}}/named.conf"
+
+- include_tasks: configure_interfaces.yml
+  when:
+    - tripleo_designate_bind_network is defined
+    - tripleo_dns_listen_interfaces is defined
--- a/tripleo_ansible/roles/designate_bind_config/templates/named.conf.j2
+++ b/tripleo_ansible/roles/designate_bind_config/templates/named.conf.j2
@ -1,5 +1,4 @@
 include "/etc/named/rndc.conf";
-include "/etc/rndc.key";
 include "/etc/named/options.conf";
 include "/etc/named.rfc1912.zones";
 include "/etc/named/logging.conf";
--- a/tripleo_ansible/roles/designate_bind_config/templates/rndc.conf.j2
+++ b/tripleo_ansible/roles/designate_bind_config/templates/rndc.conf.j2
@ -1,3 +1,8 @@
+key "rndc-key" {
+        algorithm hmac-sha256;
+        secret "{{ designate_rndc_key }}";
+};
+
 controls {
 	inet {{ tripleo_dns_listen_interfaces[0] }} allow { {{ rndc_allowed_addresses|join(';') }}; } keys { "rndc-key"; };
 };
--- a/tripleo_ansible/roles/designate_bind_pool/tasks/main.yml
+++ b/tripleo_ansible/roles/designate_bind_pool/tasks/main.yml
@ -5,16 +5,3 @@
  template:
      src: pools.yaml.j2
      dest: "{{ designate_pool_config_file_path }}"
-
- name: ensure rndc key path exists
-  become: true
-  file:
-      path: "{{ designate_bind_pool_key_file_path }}"
-      state: directory
-
- name: create rndc key files for each bind instance
-  become: true
-  template:
-      src: rndc.key.j2
-      dest: "{{ designate_bind_pool_key_file_path }}/bind{{ item.0|int + 1 }}.key"
-  with_indexed_items: "{{ designate_bind_node_ips  }}"
--- a/tripleo_ansible/roles/designate_bind_pool/templates/pools.yaml.j2
+++ b/tripleo_ansible/roles/designate_bind_pool/templates/pools.yaml.j2
@ -51,6 +51,6 @@
        port: 53
        rndc_host: {{ hostvars[server].tripleo_dns_listen_interfaces[0] }}
        rndc_port:  953
-        rndc_key_file: {{ keyfile_base_path|default('/etc/designate/private/bind') }}{{ loop.index }}.key
+        rndc_config_file: {{ keyfile_base_path|default('/etc/designate/private/bind') }}{{ loop.index }}.conf

    {% endfor %}
--- a/tripleo_ansible/roles/designate_bind_pool/templates/rndc.conf.j2
+++ b/tripleo_ansible/roles/designate_bind_pool/templates/rndc.conf.j2
@ -0,0 +1,11 @@
+key "rndc-key" {
+        algorithm hmac-sha256;
+        secret "{{ designate_rndc_key }}";
+};
+
+options {
+{% if defined designate_worker_source_address %}
+    default-source-address {{ designate_worker_source_address }};
+{% endif %}
+    default-key "rndc-key";
+};
--- a/tripleo_ansible/roles/designate_bind_pool/templates/rndc.key.j2
+++ b/tripleo_ansible/roles/designate_bind_pool/templates/rndc.key.j2
@ -1,4 +0,0 @@
-key "rndc-key" {
-        algorithm hmac-sha256;
-        secret "{{ designate_rndc_key }}";
-};
--- a/tripleo_ansible/roles/designate_rndc_config/defaults/main.yml
+++ b/tripleo_ansible/roles/designate_rndc_config/defaults/main.yml
@ -1,2 +1,3 @@
 ---
-designate_rndc_key_file_path: '/var/lib/config-data/puppet-generated/designate/etc/designate/private'
+designate_rndc_key_file_path: '/var/lib/config-data/puppet-generated/designate/etc'
+designate_worker_config_file_path: '/var/lib/config-data/puppet-generated/designate/etc/designate'
--- a/tripleo_ansible/roles/designate_rndc_config/tasks/main.yml
+++ b/tripleo_ansible/roles/designate_rndc_config/tasks/main.yml
@ -1,5 +1,6 @@
 ---
-# XXX (beagles) which permissions?
+# TODO(beagles): this should probably just move to the bind config role
+# because the worker is writing rndc conf files instead.
 - name: ensure rndc key path exists
  become: true
  file:
@ -11,3 +12,8 @@
  template:
      src: rndc.key.j2
      dest: "{{ designate_rndc_key_file_path }}/rndc.key"
+
+# TODO(beagles): This is run here to deal with a a dependency issue, but
+# should be removed when the partner heat template patch lands.
+- name: included the rndc conf file generation if enabled
+  include_tasks: worker_config.yml
--- a/tripleo_ansible/roles/designate_rndc_config/tasks/worker_config.yml
+++ b/tripleo_ansible/roles/designate_rndc_config/tasks/worker_config.yml
@ -0,0 +1,13 @@
+---
+- name: ensure rndc configuration path exists
+  become: true
+  file:
+      path: "{{ designate_worker_config_file_path }}/private"
+      state: directory
+
+- name: create rndc configurations for each bind instance
+  become: true
+  template:
+      src: rndc.conf.j2
+      dest: "{{ designate_worker_config_file_path }}/private/bind{{ item.0|int + 1 }}.conf"
+  with_indexed_items: "{{ designate_bind_node_ips  }}"
--- a/tripleo_ansible/roles/designate_rndc_config/templates/rndc.conf.j2
+++ b/tripleo_ansible/roles/designate_rndc_config/templates/rndc.conf.j2
@ -0,0 +1,20 @@
+key "rndc-key" {
+        algorithm hmac-sha256;
+        secret "{{ designate_rndc_key }}";
+};
+
+options {
+{% if designate_worker_network is defined %}
+{% set designate_worker_source_address = hostvars[inventory_hostname][designate_worker_network + "_ip"] %}
+{% elif 'internal_api_ip' in hostvars[inventory_hostname] %}
+{% set designate_worker_source_address = hostvars[inventory_hostname]['internal_api_ip'] %}
+{% else %}
+{% set designate_worker_source_address = hostvars[inventory_hostname]['ctlplane_ip'] %}
+{% endif %}
+{% if designate_worker_source_address|ipv4 %}
+    default-source-address {{ designate_worker_source_address }};
+{% elif designate_worker_source_address|ipv6 %}
+    default-source-address-v6 {{ designate_worker_source_address }};
+{% endif %}
+    default-key "rndc-key";
+};