From 03f636c1295b4e2774b278ce3f12084183ce7521 Mon Sep 17 00:00:00 2001
From: Grzegorz Grasza
Date: Wed, 4 Nov 2020 13:03:16 +0100
Subject: [PATCH] Skip entries not in cloud_domain

Adding a host without a domain or with a different domain caused failures
with tls everywhere enabled.
This patch checks if the domain ends with cloud_domain to determine if it
should be managed by tripleo-ipa.

Change-Id: I15d72e95705cc77e40b4b74fb9320478c3fa5188
Closes-Bug: #1889105
Resolves: rhbz#1869174
---
 tripleo_ipa/molecule/default/converge.yml | 2 +
 tripleo_ipa/molecule/default/molecule.yml | 1 -
 .../molecule/default/tests/test_default.py | 23 ++++
 .../roles/tripleo_ipa_dns/tasks/dns.yaml | 108 ++++++++++--------
 4 files changed, 88 insertions(+), 46 deletions(-)

diff --git a/tripleo_ipa/molecule/default/converge.yml b/tripleo_ipa/molecule/default/converge.yml
index 3abba0e..87c538c 100644
--- a/tripleo_ipa/molecule/default/converge.yml
+++ b/tripleo_ipa/molecule/default/converge.yml
@@ -152,6 +152,8 @@
     - 2001:0db8:85a3:0000:0000:8a2e:0370:7333 foo.ooo.test
     - 2001:0db8:85a3:0000:0000:8a2e:0370:7333 bar.ooo.test
     - 192.168.24.111 bar.ooo.test
+    - 192.168.24.10 baz
+    - 192.168.24.11 baz.different.domain
     - 192.168.24.1 undercloud.ctlplane.ooo.test undercloud.ctlplane
     - 192.168.24.115 overcloud.ctlplane.ooo.test
     - 10.0.0.135 overcloud.ooo.test
diff --git a/tripleo_ipa/molecule/default/molecule.yml b/tripleo_ipa/molecule/default/molecule.yml
index 0909b45..52e36af 100644
--- a/tripleo_ipa/molecule/default/molecule.yml
+++ b/tripleo_ipa/molecule/default/molecule.yml
@@ -1,7 +1,6 @@
 ---
 driver:
   name: docker
-  log: true
 platforms:
diff --git a/tripleo_ipa/molecule/default/tests/test_default.py b/tripleo_ipa/molecule/default/tests/test_default.py
index 878e91e..f52960b 100644
--- a/tripleo_ipa/molecule/default/tests/test_default.py
+++ b/tripleo_ipa/molecule/default/tests/test_default.py
@@ -200,6 +200,17 @@ def test_dns(host, ip, name):
     assert 'record: {}'.format(ip) in result
 
 
+@pytest.mark.parametrize('ip, name', [
+    ('192.168.24.10', '.baz'),
+    ('192.168.24.11', 'baz.different.domain'),
+])
+def test_dns_absent(host, ip, name):
+    record_name, zone_name = name.split('.', 1)
+    host.run_expect(
+        [1, 2], 'ipa dnsrecord-find {} --name={}'.format(
+            zone_name, record_name))
+
+
 @pytest.mark.parametrize('ip, name', [
     ('2001:0db8:85a3:0000:0000:8a2e:0370:7334', 'foo'),
     ('2001:0db8:85a3:0000:0000:8a2e:0370:7333', 'bar'),
@@ -229,3 +240,15 @@ def test_reverse_dns(host, ip, name):
         'ipa dnsrecord-find {} --name={}'.format(
             zone, record))
     assert 'record: {}'.format(name) in result
+
+
+@pytest.mark.parametrize('ip, name', [
+    ('192.168.24.10', '.baz'),
+    ('192.168.24.11', 'baz.different.domain'),
+])
+def test_reverse_dns_absent(host, ip, name):
+    reverse = ipaddress.ip_address(ip).reverse_pointer
+    record, zone = reverse.split('.', 1)
+    host.run_expect(
+        [1, 2], 'ipa dnsrecord-find {} --name={}'.format(
+            zone, record))
diff --git a/tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml b/tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml
index f39ef2c..3b46881 100644
--- a/tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml
+++ b/tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml
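Review bot: test_dns_absent accepts exit code 1 and 2 from `ipa dnsrecord-find` alike and never inspects the output, so the record's absence is not actually asserted — any generic client failure that exits non-zero passes the test just as well (inferring from the ipa CLI, where 1 is also the general error code). Capturing the result, `cmd = host.run_expect([1, 2], 'ipa dnsrecord-find {} --name={}'.format(zone_name, record_name))`, and adding `assert 'record:' not in cmd.stdout` (assuming run_expect returns the testinfra CommandResult) would pin the intended outcome; test_reverse_dns_absent in the second hunk has the same shape. The `'.baz'` parameter is also a non-obvious encoding of a bare hostname — `name.split('.', 1)` yields an empty record name and zone `baz` — and `ip` is unused in test_dns_absent; a comment on the parametrize list such as `# a leading dot stands for a bare hostname: the zone becomes 'baz', which must not exist in IPA` would explain the fixture.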
@@ -20,57 +20,75 @@
     record_value: "{{ item.split()[0] }}"
     record_name: "{{ item.split()[1].split('.', 1)[0] }}"
     zone_name: "{{ item.split()[1].split('.', 1)[1] }}"
+  when: item.split() | length >= 2 and item.split()[1].split('.') | length >= 2
 
-- name: set record type
+- name: set alternative record values
   set_fact:
-    record_type: "{{ 'A' if record_value| ipv4 else 'AAAA' }}"
+    record_value: "no record value"
+    record_name: "no record name"
+    zone_name: "no record zone name provided"
+  when: item.split() | length < 2 or item.split()[1].split('.') | length < 2
 
-- name: add dns zone
-  ipa_dnszone:
-    zone_name: "{{ zone_name }}"
-  become: true
+- name: Notify about not adding entries
+  debug:
+    msg: |
+      "{{ item }}" not added to DNS due to not being managed by us.
+      Entries with domains outside of cloud_domain are skipped.
+  when: not zone_name is match("^(|.+\.)" + cloud_domain + "$")
 
-- name: add forward dns record
-  ipa_dnsrecord:
-    zone_name: "{{ zone_name }}"
-    record_name: "{{ record_name }}"
-    record_type: "{{ record_type }}"
-    record_value: "{{ record_value }}"
-  become: true
+- name: add entries
+  block:
+    - name: set record type
+      set_fact:
+        record_type: "{{ 'A' if record_value| ipv4 else 'AAAA' }}"
 
-- name: get reverse record data
-  set_fact:
-    reverse_addr: "{{ record_value | ipaddr('revdns') }}"
+    - name: add dns zone
+      ipa_dnszone:
+        zone_name: "{{ zone_name }}"
+      become: true
 
-- name: set reverse record entries for ipv4
-  set_fact:
-    reverse_record_zone: "{{ reverse_addr.split('.', tripleo_ipa_ptr_zone_split_ipv4|int)[-1] }}"
-    reverse_record_name: "{{ '.'.join(reverse_addr.split('.', tripleo_ipa_ptr_zone_split_ipv4|int)[:-1]) }}"
-  when: record_type == 'A'
+    - name: add forward dns record
+      ipa_dnsrecord:
+        zone_name: "{{ zone_name }}"
+        record_name: "{{ record_name }}"
+        record_type: "{{ record_type }}"
+        record_value: "{{ record_value }}"
+      become: true
 
-- name: set reverse record entries for ipv6
-  set_fact:
-    reverse_record_zone: "{{ reverse_addr.split('.', tripleo_ipa_ptr_zone_split_ipv6|int)[-1] }}"
-    reverse_record_name: "{{ '.'.join(reverse_addr.split('.', tripleo_ipa_ptr_zone_split_ipv6|int)[:-1]) }}"
-  when: record_type == 'AAAA'
+    - name: get reverse record data
+      set_fact:
+        reverse_addr: "{{ record_value | ipaddr('revdns') }}"
 
-- name: add reverse record dns zone
-  ipa_dnszone:
-    zone_name: "{{ reverse_record_zone }}"
-  register: reverse_zone_result
-  failed_when:
-    - "'zone' not in reverse_zone_result"
-    - "'already exists in DNS' not in reverse_zone_result.msg"
-  become: true
+    - name: set reverse record entries for ipv4
+      set_fact:
+        reverse_record_zone: "{{ reverse_addr.split('.', tripleo_ipa_ptr_zone_split_ipv4|int)[-1] }}"
+        reverse_record_name: "{{ '.'.join(reverse_addr.split('.', tripleo_ipa_ptr_zone_split_ipv4|int)[:-1]) }}"
+      when: record_type == 'A'
 
-- name: add reverse dns record
-  ipa_dnsrecord:
-    zone_name: "{{ reverse_record_zone }}"
-    record_name: "{{ reverse_record_name }}"
-    record_value: "{{ record_name }}.{{ zone_name }}."
-    record_type: "PTR"
-  register: reverse_record_result
-  failed_when:
-    - "'record' not in reverse_record_result"
-    - "'DNS zone not found' not in reverse_record_result.msg"
-  become: true
+    - name: set reverse record entries for ipv6
+      set_fact:
+        reverse_record_zone: "{{ reverse_addr.split('.', tripleo_ipa_ptr_zone_split_ipv6|int)[-1] }}"
+        reverse_record_name: "{{ '.'.join(reverse_addr.split('.', tripleo_ipa_ptr_zone_split_ipv6|int)[:-1]) }}"
+      when: record_type == 'AAAA'
+
+    - name: add reverse record dns zone
+      ipa_dnszone:
+        zone_name: "{{ reverse_record_zone }}"
+      register: reverse_zone_result
+      failed_when:
+        - "'zone' not in reverse_zone_result"
+        - "'already exists in DNS' not in reverse_zone_result.msg"
+      become: true
+
+    - name: add reverse dns record
+      ipa_dnsrecord:
+        zone_name: "{{ reverse_record_zone }}"
+        record_name: "{{ reverse_record_name }}"
+        record_value: "{{ record_name }}.{{ zone_name }}."
+        record_type: "PTR"
+      register: reverse_record_result
+      failed_when:
+        - "'record' not in reverse_record_result"
+        - "'DNS zone not found' not in reverse_record_result.msg"
+      become: true
+  when: zone_name is match("^(|.+\.)" + cloud_domain + "$")
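Review bot: `cloud_domain` is concatenated into the `match` pattern unescaped, both on the Notify task's `when:` and on the block's `when:` at the end of the hunk, so every dot in the domain acts as a wildcard and a zone such as `ooo-test` or `foo.oooXtest` is accepted as belonging to `ooo.test` and gets registered in IPA. Escaping the value fixes both lines: `when: not zone_name is match("^(|.+\.)" + (cloud_domain | regex_escape) + "$")` and `when: zone_name is match("^(|.+\.)" + (cloud_domain | regex_escape) + "$")`. Computing the verdict once into a fact right after the "set alternative record values" task would also keep the two conditions from drifting apart, since the skip message and the skip itself currently depend on two separately maintained copies of the same expression. The hunk opens inside the `set_fact` task whose `name:` line is above line 20, so the new `when: item.split() | length >= 2 ...` attaches to a task that is not fully visible here.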