From 5666a4fe0dc42ba296621cb4e56b6f375841ef5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Harald=20Jens=C3=A5s?=
Date: Mon, 19 Nov 2018 22:58:21 +0100
Subject: [PATCH] Designate - Use net_cidr_map for rndc_allowed_addresses Change I68e064d23ec5d43f59146d974cae604d2c5fdb52 makes NetCidrMapValue a list of ip networks. The designate service configures the dns backend security to contol from wich addresses updates are allowed. We should use the list of cidr's associated with the DesignateApiNetwork to allow all nodes in the network to remotely control the nameserver. Partial: blueprint tripleo-routed-networks-templates Change-Id: I5c5cd51c8f127e8879c5528883c3abd261f4a5b3
---
 puppet/services/designate-worker.yaml | 10 ++++------
 tools/yaml-validate.py | 4 ++++
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/puppet/services/designate-worker.yaml b/puppet/services/designate-worker.yaml
index 786936bdf0..e180ff2cfd 100644
--- a/puppet/services/designate-worker.yaml
+++ b/puppet/services/designate-worker.yaml
@@ -94,12 +94,10 @@ outputs:
 params:
 $NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
 tripleo::profile::base::designate::rndc_allowed_addresses:
- # TODO(hjensas): Replace with get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, DesignateApiNetwork]}
- - str_replace:
- template:
- "%{hiera('$NETWORK_subnet')}"
- params:
- $NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
+ get_param:
+ - ServiceData
+ - net_cidr_map
+ - {get_param: [ServiceNetMap, DesignateApiNetwork]}
 designate::backend::bind9::rndc_host:
 str_replace:
 template:
diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py
index d1ff13e0b0..fa36cbbb17 100755
--- a/tools/yaml-validate.py
+++ b/tools/yaml-validate.py
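Review bot: In puppet/services/designate-worker.yaml the new `rndc_allowed_addresses` value admits every CIDR of the DesignateApiNetwork, and nothing on the added lines records that this key is the allow-list for remote control of the bind9 backend. That network presumably carries hosts other than the Designate workers, so the address list is only a coarse filter; I would say so in place of the removed TODO, e.g. `# rndc allow-list: all CIDRs of DesignateApiNetwork (list from net_cidr_map); coarse filter only, not a substitute for the rndc key`. The old code wrapped a single subnet string in a list, whereas the new `get_param` only yields a list once Change I68e064d23ec5d43f59146d974cae604d2c5fdb52 is in place, so this should not merge ahead of it. The enclosing `outputs` block starts and ends outside the hunk.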
@@ -912,6 +912,10 @@ def validate_service_hiera_interpol(f, tpl):
 # Omit apache remoteip proxy_ips
 if 'apache::mod::remoteip::proxy_ips' in path:
 continue
+ # Omit Designate rndc_allowed_addressses
+ if ('tripleo::profile::base::designate::rndc_allowed_addresses' in
+ path):
+ continue
 # Omit if not a part of {get_param: [ServiceNetMap ...
 if not enter_lists and path[-1] != 'get_param':