Merge "Support additional IP so bind and unbound can collocate"

2021-05-30 04:31:50 +00:00 · 2021-05-30 04:31:50 +00:00 · 22f728b180
parent c021edbea9 807d5a6e5b
commit 22f728b180
1 changed files with 45 additions and 1 deletions
--- a/deployment/unbound/unbound-container-ansible.yaml
+++ b/deployment/unbound/unbound-container-ansible.yaml
@ -51,6 +51,21 @@ parameters:
    description: When true, Unbound will block certain queries that could
                 have security implications to the Unbound service.
    type: boolean
+  UnboundDesignateIntegration:
+    default: true
+    description: When true, Unbound will be configured to listen on an
+                 unique IP so it can co-exist with bind on same host. Set
+                 to false to run unbound independently of designate
+    type: boolean
+
+
+conditions:
+
+  public_net_is_ctlplane:
+    equals:
+      - {get_param: [ServiceData, net_vip_map, {get_param: [ServiceNetMap, UnboundNetwork]}]}
+      - {get_param: [ServiceData, net_vip_map, ctlplane]}
+

 resources:
  ContainersCommon:
@ -116,9 +131,36 @@ outputs:
          with_items:
            - { 'path': /var/log/containers/unbound, 'setype': container_file_t, 'mode': '0750' }
            - { 'path': /var/lib/config-data/ansible-generated/unbound, 'setype': container_file_t, 'mode': '0750' }
+      external_deploy_tasks:
+        - name: Handle a bind and unbound collocated on the same host
+          when:
+            - step|int == 1
+          block:
+            - name: Create a neutron port for a new address
+              os_port:
+                state: present
+                network:
+                  if:
+                    - public_net_is_ctlplane
+                    - 'ctlplane'
+                    - { get_param: [ServiceNetMap, PublicNetwork] }
+                no_security_groups: True
+                name: "unbound-designate-{{ item }}-integration-port"
+              register: _unbound_designate_ports
+              with_items:
+                - "{{ groups.unbound }}"
+
+            - name: Set the unbound host ip fact
+              set_fact:
+                tripleo_unbound_listen_interfaces: "[ '{{ item.port.fixed_ips[0].ip_address }}' ]"
+              delegate_to: "{{ item.item }}"
+              delegate_facts: true
+              with_items:
+                - "{{ _unbound_designate_ports.results }}"
+
      deploy_steps_tasks:
        - name: Configure Unbound
-          when: step|int == 0
+          when: step|int == 1
          import_role:
            name: tripleo_unbound
          vars:
@ -129,3 +171,5 @@ outputs:
            tripleo_unbound_allowed_cidrs: {get_param: UnboundAllowedCIDRs}
            tripleo_unbound_log_queries: {get_param: UnboundLogQueries}
            tripleo_unbound_security_harden: {get_param: UnboundSecurityHarden}
+            tripleo_unbound_designate_integration: {get_param: UnboundDesignateIntegration}
+            tripleo_unbound_bind_network: {if: ["public_net_is_ctlplane", "ctlplane", {get_param: [ServiceNetMap, UnboundNetwork]}]}