tripleo-heat-templates/deployment/unbound/unbound-container-ansible.yaml
Michael Johnson 773fccb7c1 Add the Unbound DNS resolver service
This patch addes TripleO support for the Unbound DNS resolver service.
This service will initially be used by the Designate service.

Change-Id: I8135ce4f344aeb7c0cf7521e0ba42335c4c7bbc8
2021-03-18 17:12:35 +00:00

135 lines
4.6 KiB
YAML

heat_template_version: rocky
description: >
OpenStack containerized Unbound DNS resolver
parameters:
ContainerUnboundImage:
description: image
type: string
ContainerUnboundConfigImage:
description: The container image to use for the unbound config_volume
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
MonitoringSubscriptionUnbound:
default: 'overcloud-unbound'
type: string
# Unbound specific parameters
UnboundAllowedCIDRs:
default: []
description: A list of CIDRs allowed to make queries through Unbound.
Example, ['192.0.2.0/24', '198.51.100.0/24']
type: comma_delimited_list
UnboundLogQueries:
default: false
description: If true, Unbound will log the query requests.
type: boolean
UnboundSecurityHarden:
default: true
description: When true, Unbound will block certain queries that could
have security implications to the Unbound service.
type: boolean
resources:
ContainersCommon:
type: ../containers-common.yaml
outputs:
role_data:
description: Role data for the Unbound instance.
value:
service_name: unbound
firewall_rules:
'140 unbound udp':
proto: 'udp'
dport:
- 53
'141 unbound tcp':
proto: 'tcp'
dport:
- 53
- 853
monitoring_subscription: {get_param: MonitoringSubscriptionUnbound}
config_settings: {}
service_config_settings: {}
kolla_config:
/var/lib/kolla/config_files/unbound.json:
command: /usr/sbin/unbound -d -d -p
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/etc/unbound/conf.d/"
merge: true
owner: unbound:unbound
perm: '0640'
permissions:
- path: /var/log/unbound
owner: unbound:unbound
recurse: true
docker_config:
step_3:
unbound:
start_order: 1
image: {get_param: ContainerUnboundImage}
net: host
privileged: false
restart: always
healthcheck:
test: /usr/sbin/unbound-streamtcp -u . SOA IN
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /run/:/run/
- /var/lib/kolla/config_files/unbound.json:/var/lib/kolla/config_files/config.json:ro
- /var/log/containers/unbound:/var/log/unbound:z
- /var/lib/config-data/ansible-generated/unbound:/var/lib/kolla/config_files/src:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode }}"
with_items:
- { 'path': /var/log/containers/unbound, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/config-data/ansible-generated/unbound, 'setype': container_file_t, 'mode': '0750' }
deploy_steps_tasks:
- name: Configure Unbound
when: step|int == 0
import_role:
name: tripleo_unbound
vars:
tripleo_unbound_config_basedir: /var/lib/config-data/ansible-generated/unbound
tripleo_unbound_network_name: {get_param: [ServiceNetMap, UnboundNetwork]}
tripleo_unbound_external_network_name: {get_param: [ServiceNetMap, PublicNetwork]}
tripleo_unbound_internal_network_name: {get_param: [ServiceNetMap, NeutronApiNetwork]}
tripleo_unbound_allowed_cidrs: {get_param: UnboundAllowedCIDRs}
tripleo_unbound_log_queries: {get_param: UnboundLogQueries}
tripleo_unbound_security_harden: {get_param: UnboundSecurityHarden}