openstack
/
tripleo-heat-templates
Code Issues Proposed changes
tripleo-heat-templates/deployment/unbound/unbound-container-ansible.yaml

208 lines
7.5 KiB
YAML
Raw Blame History

heat_template_version: wallaby
description: >
OpenStack containerized Unbound DNS resolver
parameters:
ContainerUnboundImage:
description: image
type: string
ContainerUnboundConfigImage:
description: The container image to use for the unbound config_volume
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
MonitoringSubscriptionUnbound:
default: 'overcloud-unbound'
type: string
# Unbound specific parameters
UnboundAllowedCIDRs:
default: []
description: A list of CIDRs allowed to make queries through Unbound.
Example, ['192.0.2.0/24', '198.51.100.0/24']
type: comma_delimited_list
UnboundLogQueries:
default: false
description: If true, Unbound will log the query requests.
type: boolean
UnboundSecurityHarden:
default: true
description: When true, Unbound will block certain queries that could
have security implications to the Unbound service.
type: boolean
UnboundDesignateIntegration:
default: true
description: When true, Unbound will be configured to listen on an
unique IP so it can co-exist with bind on same host. Set
to false to run unbound independently of designate
type: boolean
UnboundListenIPs:
default: []
description: A list of IPs to add to the externally accessible interface
(e.g. interface on the external network or the VIP interface
in standalone). If provided, the number of IPs must match the
number of deployed Unbound instances. If left empty,
the deployment will create additonal IPs using the external
network.
type: comma_delimited_list
conditions:
public_net_is_ctlplane:
equals:
- {get_param: [ServiceData, net_vip_map, {get_param: [ServiceNetMap, UnboundNetwork]}]}
- {get_param: [ServiceData, net_vip_map, ctlplane]}
resources:
ContainersCommon:
type: ../containers-common.yaml
outputs:
role_data:
description: Role data for the Unbound instance.
value:
service_name: unbound
firewall_rules:
'140 unbound udp':
proto: 'udp'
dport:
- 53
'141 unbound tcp':
proto: 'tcp'
dport:
- 53
- 853
monitoring_subscription: {get_param: MonitoringSubscriptionUnbound}
config_settings: {}
service_config_settings: {}
kolla_config:
/var/lib/kolla/config_files/unbound.json:
command: /usr/sbin/unbound -d -d -p
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/etc/unbound/conf.d/"
merge: true
owner: unbound:unbound
perm: '0640'
permissions:
- path: /var/log/unbound
owner: unbound:unbound
recurse: true
docker_config:
step_3:
unbound:
start_order: 1
image: {get_param: ContainerUnboundImage}
net: host
privileged: false
restart: always
healthcheck:
test: /usr/sbin/unbound-streamtcp -u . SOA IN
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /run/:/run/
- /var/lib/kolla/config_files/unbound.json:/var/lib/kolla/config_files/config.json:ro
- /var/log/containers/unbound:/var/log/unbound:z
- /var/lib/config-data/ansible-generated/unbound:/var/lib/kolla/config_files/src:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode }}"
with_items:
- { 'path': /var/log/containers/unbound, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/config-data/ansible-generated/unbound, 'setype': container_file_t, 'mode': '0750' }
external_deploy_tasks:
- name: Get list of provided listen ips
when:
- step|int == 1
set_fact:
unbound_listen_ips: { get_param: UnboundListenIPs }
- name: Distribute configured unbound listen IPs across nodes
when:
- step|int == 1
- unbound_listen_ips|length > 0
block:
- name: Set the unbound host ip fact
set_fact:
tripleo_unbound_listen_interfaces: "[ '{{ item.0 }}' ]"
delegate_to: "{{ item.1 }}"
delegate_facts: true
with_together:
- "{{ unbound_listen_ips }}"
- "{{ groups.unbound }}"
- name: Handle a bind and unbound collocated on the same host
when:
- step|int == 1
- unbound_listen_ips|length == 0
block:
- name: Create a neutron port for a new address
os_port:
state: present
network:
if:
- public_net_is_ctlplane
- 'ctlplane'
- { get_param: [ServiceNetMap, PublicNetwork] }
no_security_groups: True
name: "unbound-designate-{{ item }}-integration-port"
register: _unbound_designate_ports
with_items:
- "{{ groups.unbound }}"
- name: Set the unbound host ip fact
set_fact:
tripleo_unbound_listen_interfaces: "[ '{{ item.port.fixed_ips[0].ip_address }}' ]"
delegate_to: "{{ item.item }}"
delegate_facts: true
with_items:
- "{{ _unbound_designate_ports.results }}"
deploy_steps_tasks:
- name: Configure Unbound
when: step|int == 1
import_role:
name: tripleo_unbound
vars:
tripleo_unbound_config_basedir: /var/lib/config-data/ansible-generated/unbound
tripleo_unbound_network_name: {get_param: [ServiceNetMap, UnboundNetwork]}
tripleo_unbound_external_network_name: {get_param: [ServiceNetMap, PublicNetwork]}
tripleo_unbound_internal_network_name: {get_param: [ServiceNetMap, NeutronApiNetwork]}
tripleo_unbound_allowed_cidrs: {get_param: UnboundAllowedCIDRs}
tripleo_unbound_log_queries: {get_param: UnboundLogQueries}
tripleo_unbound_security_harden: {get_param: UnboundSecurityHarden}
tripleo_unbound_designate_integration: {get_param: UnboundDesignateIntegration}
tripleo_unbound_bind_network: {if: ["public_net_is_ctlplane", "ctlplane", {get_param: [ServiceNetMap, UnboundNetwork]}]}
View Git Blame Copy Permalink