Designate: configure collocation IP on bind and neutron dns integration

This patch moves the collcation IP that was on unbound to the bind worker instance allowing the use of the framework provided to configure the neutron services to refer to the designate DNS services. Note: the ansible tasks were move to the bind config ansible role instead of the template. Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/839973 Depends-On: https://review.opendev.org/c/openstack/puppet-tripleo/+/835742 Change-Id: Ia6a8128b0c87979fd118a7ae8cd33e0430a4aad1
2022-03-28 18:47:46 +00:00 · 2022-03-28 18:47:46 +00:00 · 78a51efb6c
commit 78a51efb6c
parent 93c6665a36
5 changed files with 118 additions and 105 deletions
--- a/ci/environments/scenario003-standalone.yaml
+++ b/ci/environments/scenario003-standalone.yaml
@ -28,7 +28,7 @@ parameter_defaults:
  RpcPort: 31459
  NotifyPort: 5672
  ContainerCli: podman
-  UnboundListenIPs: ["192.168.24.20"]
+  DesignateBackendListenIPs: ["192.168.24.20"]
  ExtraFirewallRules:
    '301 allow arbitrary tcp rule':
      dport: 12345
--- a/deployment/designate/designate-base.yaml
+++ b/deployment/designate/designate-base.yaml
@ -49,6 +49,11 @@ parameters:
    default: 60
    description: Designate's RPC response timeout, in seconds.
    type: number
+  DesignateEnableNeutronIntegration:
+    default: true
+    description: Enable configuring neutron to use Designate managed DNS
+                 services.
+    type: boolean

 outputs:
  role_data:
@ -65,3 +70,4 @@ outputs:
        designate::notification_driver: {get_param: NotificationDriver}
        designate::rpc_response_timeout: {get_param: DesignateRpcResponseTimeout}
        designate::db::sync_db: false
+        designate_enable_neutron_integration: {get_param: DesignateEnableNeutronIntegration}
--- a/deployment/designate/designate-bind-container.yaml
+++ b/deployment/designate/designate-bind-container.yaml
@ -48,6 +48,22 @@ parameters:
    description: Set to true to enable logging of queries on BIND.
    type: boolean
    default: false
+  DesignateBackendListenIPs:
+    default: []
+    description: A list of IPs to add to the externally accessible interface
+                 (e.g. interface on the external network or the VIP interface
+                 in standalone). If provided, the number of IPs must match the
+                 number of deployed Bind instances. If left empty,
+                 the deployment will create additonal IPs using the external
+                 network.
+    type: comma_delimited_list
+
+conditions:
+
+  public_net_is_ctlplane:
+    equals:
+      - {get_param: [ServiceData, net_vip_map, {get_param: [ServiceNetMap, DesignateBindNetwork]}]}
+      - {get_param: [ServiceData, net_vip_map, ctlplane]}

 resources:

@ -130,24 +146,32 @@ outputs:
              owner: root:named
              perm: '0640'
      deploy_steps_tasks:
-          - name: generate rndc key configuration files
-            when: step|int == 4
-            import_role:
-                name: designate_rndc_config
-            vars:
-                designate_rndc_key: {get_param: DesignateRndcKey}
-                designate_rndc_key_file_path: /var/lib/config-data/ansible-generated/designate/etc/
-          - name: generate bind configuration
-            when: step|int == 4
-            import_role:
-                name: designate_bind_config
-            vars:
-                designate_bind_enable_query_logging: {get_param: DesignateBindQueryLogging}
-                rndc_allowed_addresses:
-                    get_param:
-                      - ServiceData
-                      - net_cidr_map
-                      - {get_param: [ServiceNetMap, DesignateApiNetwork]}
+        - name: Configure extra IP on the network interfaces
+          when:
+            - step|int == 1
+          include_role:
+            name: designate_bind_config
+            tasks_from: configure_interfaces
+          vars:
+              tripleo_designate_bind_network: {get_param: [ServiceNetMap, DesignateBindNetwork]}
+        - name: generate rndc key configuration files
+          when: step|int == 1
+          import_role:
+              name: designate_rndc_config
+          vars:
+              designate_rndc_key: {get_param: DesignateRndcKey}
+              designate_rndc_key_file_path: /var/lib/config-data/ansible-generated/designate/etc/
+        - name: generate bind configuration
+          when: step|int == 1
+          import_role:
+              name: designate_bind_config
+          vars:
+              designate_bind_enable_query_logging: {get_param: DesignateBindQueryLogging}
+              rndc_allowed_addresses:
+                  get_param:
+                    - ServiceData
+                    - net_cidr_map
+                    - {get_param: [ServiceNetMap, DesignateApiNetwork]}
      docker_config:
        step_4:
          designate_backend_bind9:
@ -168,6 +192,7 @@ outputs:
                  - /var/lib/designate/named-persistent:/var/named-persistent:z
            environment:
              KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
+
      host_prep_tasks:
        - name: create persistent named directories
          file:
@ -178,3 +203,51 @@ outputs:
          with_items:
            - { 'path': /var/lib/designate/named-persistent,  'setype': container_file_t, 'mode': '0750' }
            - { 'path': /var/log/containers/designate-bind, 'setype': container_file_t, 'mode': '0750' }
+
+      external_deploy_tasks:
+        - name: Get list of provided listen ips
+          when:
+            - step|int == 1
+          set_fact:
+            dns_listen_ips: { get_param: DesignateBackendListenIPs }
+        - name: Distribute configured unbound listen IPs across nodes
+          when:
+            - step|int == 1
+            - dns_listen_ips|length > 0
+          block:
+            - name: Set the host ip fact
+              set_fact:
+                tripleo_dns_listen_interfaces: "[ '{{ item.0 }}' ]"
+              delegate_to: "{{ item.1 }}"
+              delegate_facts: true
+              with_together:
+                - "{{ dns_listen_ips }}"
+                - "{{ groups.designate_bind }}"
+
+        - name: Configure ports to allow bind to collocate with other services listening on DNS ports
+          when:
+            - step|int == 1
+            - dns_listen_ips|length == 0
+          block:
+            - name: Get the subnet id for the proper network
+              openstack.cloud.subnets_info:
+                name:
+                  if:
+                    - public_net_is_ctlplane
+                    - ctlplane-subnet
+                    -
+                      str_replace:
+                        template:
+                          "$NETWORK_subnet"
+                        params:
+                          $NETWORK: {get_param: [ServiceNetMap, DesignateBindNetwork]}
+              register: subnet_info
+
+            - name: Create the extra IPs
+              include_role:
+                name: designate_bind_config
+                tasks_from: create_collocated_ips
+              vars:
+                hosts_for_ports: "{{ groups.designate_bind }}"
+                network_name: {get_param: [ServiceNetMap, DesignateBindNetwork]}
+                subnet_id: "{{ subnet_info.openstack_subnets[0].id }}"
--- a/deployment/designate/designate-central-container-puppet.yaml
+++ b/deployment/designate/designate-central-container-puppet.yaml
@ -190,10 +190,12 @@ outputs:
          config_files: *designate_central_config_files
          permissions: *designate_central_permissions
      deploy_steps_tasks:
-          - name: generate designate pool
-            when: step|int == 4
-            import_role:
-                name: designate_bind_pool
+        - name: generate designate pool
+          when: step|int == 4
+          import_role:
+              name: designate_bind_pool
+          vars:
+            alternate_bind: true
      docker_config:
        # db sync runs before permissions set by kolla_config
        step_2:
--- a/deployment/unbound/unbound-container-ansible.yaml
+++ b/deployment/unbound/unbound-container-ansible.yaml
@ -40,6 +40,15 @@ parameters:
  MonitoringSubscriptionUnbound:
    default: 'overcloud-unbound'
    type: string
+  OVNDnsServers:
+    default: []
+    description: List of servers to use as as dns forwarders
+    type: comma_delimited_list
+  NeutronDhcpAgentDnsmasqDnsServers:
+    default: []
+    description: List of servers to use as dnsmasq forwarders
+    type: comma_delimited_list
+
 # Unbound specific parameters
  UnboundAllowedCIDRs:
    default: []
@ -61,15 +70,6 @@ parameters:
                 unique IP so it can co-exist with bind on same host. Set
                 to false to run unbound independently of designate
    type: boolean
-  UnboundListenIPs:
-    default: []
-    description: A list of IPs to add to the externally accessible interface
-                 (e.g. interface on the external network or the VIP interface
-                 in standalone). If provided, the number of IPs must match the
-                 number of deployed Unbound instances. If left empty,
-                 the deployment will create additonal IPs using the external
-                 network.
-    type: comma_delimited_list
  UnboundForwardResolvers:
    default: []
    description: A list of DNS resolver IP addresses, with optional port,
@ -91,14 +91,6 @@ parameters:
    type: boolean


-conditions:
-
-  public_net_is_ctlplane:
-    equals:
-      - {get_param: [ServiceData, net_vip_map, {get_param: [ServiceNetMap, UnboundNetwork]}]}
-      - {get_param: [ServiceData, net_vip_map, ctlplane]}
-
-
 resources:
  ContainersCommon:
    type: ../containers-common.yaml
@ -134,7 +126,11 @@ outputs:
            - 853
      monitoring_subscription: {get_param: MonitoringSubscriptionUnbound}
      config_settings: {}
-      service_config_settings: {}
+      service_config_settings:
+        neutron_dhcp:
+          tripleo::profile::base::neutron::dhcp::neutron_dns_integration: {get_param: UnboundDesignateIntegration}
+        neutron_plugin_ml2_ovn:
+          tripleo::profile::base::neutron::plugins::ml2::ovn::neutron_dns_integration: {get_param: UnboundDesignateIntegration}
      kolla_config:
        /var/lib/kolla/config_files/unbound.json:
          command: /usr/sbin/unbound -d -d -p
@ -177,69 +173,7 @@ outputs:
          with_items:
            - { 'path': /var/log/containers/unbound, 'setype': container_file_t, 'mode': '0750' }
            - { 'path': /var/lib/config-data/ansible-generated/unbound, 'setype': container_file_t, 'mode': '0750' }
-      external_deploy_tasks:
-        - name: Get list of provided listen ips
-          when:
-            - step|int == 1
-          set_fact:
-            unbound_listen_ips: { get_param: UnboundListenIPs }
-        - name: Distribute configured unbound listen IPs across nodes
-          when:
-            - step|int == 1
-            - unbound_listen_ips|length > 0
-          block:
-            - name: Set the unbound host ip fact
-              set_fact:
-                tripleo_unbound_listen_interfaces: "[ '{{ item.0 }}' ]"
-              delegate_to: "{{ item.1 }}"
-              delegate_facts: true
-              with_together:
-                - "{{ unbound_listen_ips }}"
-                - "{{ groups.unbound }}"

-        - name: Handle a bind and unbound collocated on the same host
-          when:
-            - step|int == 1
-            - unbound_listen_ips|length == 0
-          block:
-            - name: Get the subnet id for the proper network
-              openstack.cloud.subnets_info:
-                name:
-                  if:
-                    - public_net_is_ctlplane
-                    - 'ctlplane-subnet'
-                    -
-                      str_replace:
-                        template:
-                          "$NETWORK_subnet"
-                        params:
-                          $NETWORK: {get_param: [ServiceNetMap, PublicNetwork] }
-              register: subnet_info
-            - name: Create a neutron port for a new address
-              os_port:
-                state: present
-                network:
-                  if:
-                    - public_net_is_ctlplane
-                    - 'ctlplane'
-                    - { get_param: [ServiceNetMap, PublicNetwork] }
-                # NOTE(beagles): Seems to be required for some deployments to make sure
-                # port gets an IP address.
-                fixed_ips:
-                  - subnet_id: "{{ subnet_info.openstack_subnets[0].id }}"
-                no_security_groups: True
-                name: "unbound-designate-{{ item }}-integration-port"
-              register: _unbound_designate_ports
-              with_items:
-                - "{{ groups.unbound }}"
-
-            - name: Set the unbound host ip fact
-              set_fact:
-                tripleo_unbound_listen_interfaces: "[ '{{ item.port.fixed_ips[0].ip_address }}' ]"
-              delegate_to: "{{ item.item }}"
-              delegate_facts: true
-              with_items:
-                - "{{ _unbound_designate_ports.results }}"

      deploy_steps_tasks:
        - name: Configure Unbound
@ -254,8 +188,6 @@ outputs:
            tripleo_unbound_allowed_cidrs: {get_param: UnboundAllowedCIDRs}
            tripleo_unbound_log_queries: {get_param: UnboundLogQueries}
            tripleo_unbound_security_harden: {get_param: UnboundSecurityHarden}
-            tripleo_unbound_designate_integration: {get_param: UnboundDesignateIntegration}
-            tripleo_unbound_bind_network: {if: ["public_net_is_ctlplane", "ctlplane", {get_param: [ServiceNetMap, UnboundNetwork]}]}
            tripleo_unbound_forward_resolvers: {get_param: UnboundForwardResolvers}
            tripleo_unbound_forward_fallback: {get_param: UnboundForwardFallback}
            tripleo_unbound_allow_recursion: {get_param: UnboundAllowRecursion}