From e4d718209d4eead770598025886f73c791c6b753 Mon Sep 17 00:00:00 2001
From: Ben Nemec
Date: Wed, 18 Jul 2018 16:19:56 +0000
Subject: [PATCH] Pass in rndc key to Designate deployment

We can't let puppet generate the key because then we end up with a different key on each system and they can't talk to each other.

Depends-On: https://review.openstack.org/582366
Depends-On: https://review.openstack.org/583658
Change-Id: Id3dfc9f28e4d204716328eaa9650ab0053d2fdd4
---
 docker/services/designate-worker.yaml | 5 ++++-
 puppet/services/designate-worker.yaml | 12 ++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/docker/services/designate-worker.yaml b/docker/services/designate-worker.yaml
index e342a7b17a..1aa4b1e174 100644
--- a/docker/services/designate-worker.yaml
+++ b/docker/services/designate-worker.yaml
@@ -86,7 +86,7 @@ outputs:
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: designate
- puppet_tags: designate_config,dns_config,exec
+ puppet_tags: designate_config,dns_config
 step_config:
 list_join:
 - "\n"
@@ -124,6 +124,9 @@ outputs:
 - path: /var/named-persistent
 owner: root:named
 perm: '0770'
+ - path: /etc/rndc.key owner: root:named perm: '0640'
 docker_config:
 step_4:
 designate_worker:
diff --git a/puppet/services/designate-worker.yaml b/puppet/services/designate-worker.yaml
index b49d3f625d..cbcbe8cedc 100644
--- a/puppet/services/designate-worker.yaml
+++ b/puppet/services/designate-worker.yaml
@@ -41,6 +41,10 @@ parameters:
 default: 0
 description: Number of workers for Designate services.
 type: number
+ DesignateRndcKey: description: The rndc key secret for communication with BIND. type: string hidden: true
 conditions:
 designate_workers_zero: {equals : [{get_param: DesignateWorkers}, 0]}
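Review bot: Removing `exec` from `puppet_tags` in the `puppet_config` block of docker/services/designate-worker.yaml stops every Exec resource in the designate and dns manifests from being applied during container config generation, not only the rndc key generation this commit wants to avoid, and neither the hunk nor the commit message says whether any other Exec was relied on there. If the narrower intent is correct, a comment on the line would make that explicit, e.g. `# exec excluded on purpose: the rndc key comes from DesignateRndcKey instead of being generated by puppet`. The `/etc/rndc.key` permissions entry (root:named, '0640') in the following hunk is sensible for a key file that named must read, but it only takes effect if something writes that file into the config volume, and that writer is not part of this change (presumably one of the Depends-On reviews).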
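Review bot: `DesignateRndcKey` in puppet/services/designate-worker.yaml is declared with `hidden: true` and no default, which correctly keeps the secret out of stack outputs and makes it a required input, but the description omits the two properties the rest of the change depends on: the value must be identical on every node that runs BIND/designate-worker (the whole point of the commit message), and nothing here constrains its format (bare shared secret versus a full key file stanza). Suggested wording: `description: The rndc key secret Designate uses to talk to BIND. It must be the same value on every node so the workers and BIND instances can communicate.` Where the value is generated when the operator does not supply it is not visible in this hunk; if the Depends-On review adds automatic generation, a short pointer in the description would help.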
@@ -69,8 +73,16 @@ outputs:
 map_merge:
 - get_attr: [DesignateBase, role_data, config_settings]
 - designate::worker::worker_notify: true
+ designate_rndc_key: {get_param: DesignateRndcKey}
 dns::vardir: /var/named-persistent
 dns::recursion: 'no'
+ # Because we generate the key locally and don't want the puppet # module to do it, we set its path to /dev/null. This means we need # to explicitly include /etc/rndc.key though since the default config # will just include /dev/null.
+ dns::rndckeypath: /dev/null
+ dns::additional_directives: - include "/etc/rndc.key";
 dns::additional_options:
 listen-on:
 str_replace:
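Review bot: The `include "/etc/rndc.key";` added under `dns::additional_directives` makes named refuse to start when that file is missing, and nothing in this change writes it; it presumably comes from the consumer of the new `designate_rndc_key` hiera value in one of the Depends-On changes, but the comment above `dns::rndckeypath` only explains the `/dev/null` trick, not where the real file comes from. I would extend that comment with a sentence such as `# /etc/rndc.key is expected to be written from the designate_rndc_key hiera value by the deployment tooling; named will not start if the include target is absent.` Also worth a comment: `designate_rndc_key: {get_param: DesignateRndcKey}` puts the shared secret into config_settings, i.e. into the node's hieradata, which is acceptable only as long as those files stay readable by root alone — a one-line note near the entry would tell the next maintainer not to loosen that. The enclosing `config_settings` map starts before this hunk.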