From 497582342b30b714466cc26f4f31c70f91ea4fb0 Mon Sep 17 00:00:00 2001 From: Brent Eagles Date: Tue, 13 Apr 2021 15:37:22 -0230 Subject: [PATCH] Support additional IP so bind and unbound can collocate Adds support for collocating bind and unbound resolver on the same host. Also adds handling for standalone deployments. This is a squashed commit of the original patch plus change Id17dec07c2aa0a3b080eb05f71c637d6a422ec41 (commit 857807247d8f1a7270fdade30f570bf2f17789ce). Squashing was necessary since the original change broke CI. Depends-On: I445418bb52fa38604c797a9dc69492edb0a41a8c Depends-On: I398d24406bafdb34dd0cf793ade8e4085d8fd1b0 Change-Id: Icdc6267b92f6272a7f296759e5ce9752dd42fab0 (cherry picked from commit 807d5a6e5b5eccce20262521c1f5d542aab0eeac)
---
 ci/environments/scenario003-standalone.yaml | 1 + .../unbound/unbound-container-ansible.yaml | 75 ++++++++++++++++++- 2 files changed, 75 insertions(+), 1 deletion(-)
diff --git a/ci/environments/scenario003-standalone.yaml b/ci/environments/scenario003-standalone.yaml
index e58d10eb5d..5b37a2099c 100644
--- a/ci/environments/scenario003-standalone.yaml
+++ b/ci/environments/scenario003-standalone.yaml
@@ -32,6 +32,7 @@ parameter_defaults:
 RpcPort: 31459
 NotifyPort: 5672
 ContainerCli: podman
+ UnboundListenIPs: ["192.168.24.20"]
 ExtraFirewallRules:
 '301 allow arbitrary tcp rule':
 dport: 12345
diff --git a/deployment/unbound/unbound-container-ansible.yaml b/deployment/unbound/unbound-container-ansible.yaml
index 6cd77786b9..0edcd141e8 100644
--- a/deployment/unbound/unbound-container-ansible.yaml
+++ b/deployment/unbound/unbound-container-ansible.yaml
@@ -52,6 +52,30 @@ parameters: description: When true, Unbound will block certain queries that could have security implications to the Unbound service. type: boolean + UnboundDesignateIntegration: + default: true + description: When true, Unbound will be configured to listen on an + unique IP so it can co-exist with bind on same host. Set + to false to run unbound independently of designate + type: boolean + UnboundListenIPs: + default: [] + description: A list of IPs to add to the externally accessible interface + (e.g. interface on the external network or the VIP interface + in standalone). If provided, the number of IPs must match the + number of deployed Unbound instances. If left empty, + the deployment will create additonal IPs using the external + network. + type: comma_delimited_list + + +conditions: + + public_net_is_ctlplane: + equals: + - {get_param: [ServiceData, net_vip_map, {get_param: [ServiceNetMap, UnboundNetwork]}]} + - {get_param: [ServiceData, net_vip_map, ctlplane]} + resources: 
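Review bot: The UnboundListenIPs description says the addresses are added to the externally accessible interface but does not state the exposure that creates: every listed IP becomes a resolver endpoint reachable from that network, so an operator reading only this parameter has no cue that query access must still be bounded elsewhere. I would append to the description `Addresses listed here are reachable from that network; restrict who may query via UnboundAllowedCIDRs and the host firewall.` (UnboundAllowedCIDRs is the existing parameter passed to the role further down in this file). The same hunk has two wording slips that will end up in the rendered parameter docs: `an unique IP` in UnboundDesignateIntegration should read `a unique IP`, and `additonal` should read `additional`. Nothing here validates that the entries are well-formed addresses; a malformed entry is presumably only caught when the role applies it, which is outside this diff.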
@@ -119,9 +143,56 @@ outputs: with_items: - { 'path': /var/log/containers/unbound, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/lib/config-data/ansible-generated/unbound, 'setype': container_file_t, 'mode': '0750' } + external_deploy_tasks: + - name: Get list of provided listen ips + when: + - step|int == 1 + set_fact: + unbound_listen_ips: { get_param: UnboundListenIPs } + - name: Distribute configured unbound listen IPs across nodes + when: + - step|int == 1 + - unbound_listen_ips|length > 0 + block: + - name: Set the unbound host ip fact + set_fact: + tripleo_unbound_listen_interfaces: "[ '{{ item.0 }}' ]" + delegate_to: "{{ item.1 }}" + delegate_facts: true + with_together: + - "{{ unbound_listen_ips }}" + - "{{ groups.unbound }}" + + - name: Handle a bind and unbound collocated on the same host + when: + - step|int == 1 + - unbound_listen_ips|length == 0 + block: + - name: Create a neutron port for a new address + os_port: + state: present + network: + if: + - public_net_is_ctlplane + - 'ctlplane' + - { get_param: [ServiceNetMap, PublicNetwork] } + no_security_groups: True + name: "unbound-designate-{{ item }}-integration-port" + register: _unbound_designate_ports + with_items: + - "{{ groups.unbound }}" + + - name: Set the unbound host ip fact + set_fact: + tripleo_unbound_listen_interfaces: "[ '{{ item.port.fixed_ips[0].ip_address }}' ]" + delegate_to: "{{ item.item }}" + delegate_facts: true + with_items: + - "{{ _unbound_designate_ports.results }}" + deploy_steps_tasks: - name: Configure Unbound - when: step|int == 0 + when: step|int == 1 import_role: name: tripleo_unbound vars: 
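Review bot: The `Handle a bind and unbound collocated on the same host` block creates a neutron port whenever UnboundListenIPs is empty but never consults the new UnboundDesignateIntegration parameter, so a deployment that sets it to false still gets an `unbound-designate-…-integration-port` allocated with `no_security_groups: True` and its address pushed into tripleo_unbound_listen_interfaces, even though the parameter description promises unbound then runs without the extra IP (the role may ignore the fact when the flag is false, but the port is allocated regardless). Gate it on the flag: set `unbound_designate_integration: {get_param: UnboundDesignateIntegration}` in the first set_fact alongside unbound_listen_ips and add `- unbound_designate_integration|bool` to the block's `when`. Separately, `with_together` pads the shorter list with null, so fewer IPs than `groups.unbound` leaves the remaining nodes with `[ 'None' ]` as their listen address, and more IPs than nodes makes the task delegate to a null host; an `assert` with `that: unbound_listen_ips|length == groups.unbound|length` before the distribution block turns this into a clear failure instead of a silently misconfigured resolver. The hunk ends inside the `Configure Unbound` task, whose vars continue in the next hunk.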
@@ -132,3 +203,5 @@ outputs: tripleo_unbound_allowed_cidrs: {get_param: UnboundAllowedCIDRs} tripleo_unbound_log_queries: {get_param: UnboundLogQueries} tripleo_unbound_security_harden: {get_param: UnboundSecurityHarden} + tripleo_unbound_designate_integration: {get_param: UnboundDesignateIntegration} + tripleo_unbound_bind_network: {if: ["public_net_is_ctlplane", "ctlplane", {get_param: [ServiceNetMap, UnboundNetwork]}]}
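Review bot: `tripleo_unbound_bind_network` falls back to `ServiceNetMap, UnboundNetwork` when the VIP is not on ctlplane, while the port created in external_deploy_tasks for the same case is allocated on `ServiceNetMap, PublicNetwork`; if those two map entries differ, the role is told to bind on a network from which the new address was never allocated. Pick one source for both sides, e.g. `tripleo_unbound_bind_network: {if: ["public_net_is_ctlplane", "ctlplane", {get_param: [ServiceNetMap, PublicNetwork]}]}` or switch the os_port `network` to UnboundNetwork, whichever the `public_net_is_ctlplane` condition (which compares the UnboundNetwork VIP against ctlplane) is meant to track. The name `bind_network` also reads as "network for BIND" in a change whose subject is collocating with bind; a comment such as `# network whose host interface receives the extra unbound listen IP` above the line would remove the ambiguity. These two lines are the tail of the `vars:` mapping that begins in the previous hunk.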