Update CASL to use nsupdate for DNS records (#48)

* Updated to use nsupdate for DNS records

* Updated formatting of dict

* Updating descriptive text

* Support for external DNS config

* Upgrading jinja2 to work correctly with latest templates

* Latest update for nsupdate

* Updated to use nsupdate for DNS records

* Updated formatting of dict

* Updating descriptive text

* Support for external DNS config

* Latest update for nsupdate

* Updated to support external public/private DNS server(s)

* Updated DNS server handling

* Updated DNS server handling

* Updated DNS server handling

* Eliminated the  from the sample inventories

* Updated sample inventory to point to 2 separate DNS servers for private/public

* Playbook clean-up

* Adding 'python-dns'

* splitting subscription manager calls to allow for a clean pre-install playbook

docker/control-host-openstack/Dockerfile

@@ -13,7 +13,7 @@ RUN yum install -y epel-release; \
                  python-heatclient python-neutronclient \
                  python-novaclient python-saharaclient \
                  python-swiftclient python-troveclient \
-                 python-openstackclient \
+                 python-openstackclient python-dns \
                  pyOpenSSL \
                  origin-clients; \
   yum clean all; \

inventory/s1-ha.casl.example.com.d/inventory/group_vars/OSEv3.yml

@@ -4,7 +4,7 @@ openshift_deployment_type: openshift-enterprise
 openshift_master_cluster_method: native
 openshift_master_cluster_hostname: "{{ groups.lb.0 }}"
 openshift_master_cluster_public_hostname: "{{ groups.lb.0 }}"
-openshift_master_default_subdomain: "apps.{{ env_id }}.{{ dns_domain }}"
+openshift_master_default_subdomain: "apps.{{ env_id }}.{{ public_dns_domain }}"
 
 openshift_master_identity_providers:
  - 'name': 'htpasswd_auth'
@@ -16,7 +16,9 @@ openshift_master_identity_providers:
 openshift_hosted_logging_deploy: true
 
 openshift_hosted_metrics_deploy: true
+
 openshift_node_labels: "{{ openstack.metadata.node_labels}}"
+
 openshift_node_kubelet_args:
   minimum-container-ttl-duration:
   - "10s"
@@ -32,4 +34,3 @@ openshift_node_kubelet_args:
   - '80'
   image-gc-low-threshold: 
   - '60'
-

inventory/s1-ha.casl.example.com.d/inventory/group_vars/all.yml

@@ -7,29 +7,37 @@ ansible_become: True
 openstack_default_image_name: "rhel-guest-image-7.3-35.x86_64"
 openstack_default_flavor: "m1.medium"
 openstack_external_network_name: "external"
-openstack_dns_domain: "casl.example.com"
 openstack_subnet_prefix: 192.168.99
-openstack_nameservers:
-- 192.168.1.1
 openstack_num_masters: 3
 openstack_num_nodes: 2
 openstack_num_infra: 1
-dns_domain: "casl.example.com"
-cluster_id: "casl.example.com"
-public_dns_forwarder: 192.168.1.1
+
 env_id: "s1-ha"
-#
+
+public_dns_domain: "casl.example.com"
+public_dns_nameservers: 
+- 192.168.1.1
+
 docker_volume_size: "10"
 docker_storage_block_device: "/dev/vdb"
-#
-# # Subscription Management Details
+
+# Subscription Management Details
+# Using Red Hat Satellite:
 rhsm_register: True
-rhsm_satellite: 'sat-b.etl.rht-labs.com'
-rhsm_org: 'Emerging_Tech_Lab'
+
+rhsm_satellite: 'sat-6.example.com'
+rhsm_org: 'CASL_ORG'
 rhsm_activationkey: 'casl-latest'
+
 rhsm_repos:
  - "rhel-7-server-rpms"
  - "rhel-7-server-ose-3.5-rpms"
  - "rhel-7-server-extras-rpms"
  - "rhel-7-fast-datapath-rpms"
-rhsm_password: ''
+
+# Or using RHN username, password and optionally pool:
+#rhsm_username: ''
+#rhsm_password: ''
+# leave commented out if you want to `--auto-attach` a pool
+#rhsm_pool: ''
+

inventory/sample.casl.example.com.d/inventory/group_vars/OSEv3.yml

@@ -1,7 +1,7 @@
 ---
 openshift_deployment_type: openshift-enterprise
 openshift_release: v3.5
-openshift_master_default_subdomain: "apps.{{ env_id }}.{{ dns_domain }}"
+openshift_master_default_subdomain: "apps.{{ env_id }}.{{ public_dns_domain }}"
 
 # HTPASSWD Identity Provider
 openshift_master_identity_providers:

inventory/sample.casl.example.com.d/inventory/group_vars/all.yml

@@ -7,20 +7,33 @@ ansible_become: True
 openstack_default_image_name: "rhel-guest-image-7.3-35.x86_64"
 openstack_default_flavor: "m1.medium"
 openstack_external_network_name: "external"
-openstack_dns_domain: "casl.example.com"
 openstack_subnet_prefix: 192.168.99
-openstack_nameservers:
-- 192.168.1.1
+openstack_num_masters: 1
 openstack_num_nodes: 2
 openstack_num_infra: 1
-dns_domain: "casl.example.com"
-cluster_id: "casl.example.com"
-public_dns_forwarder: 192.168.1.1
+
 env_id: "sample"
-#
+
+public_dns_domain: "casl.example.com"
+public_dns_nameservers:
+- 192.168.1.1
+
+# Roll-your-own DNS 
+openstack_num_dns: 0
+
+external_nsupdate_keys:
+  public:
+    key_secret: 'SKqKNdpfk7llKxZ57bbxUnUDobaaJp9t8CjXLJPl+fRI5mPcSBuxTAyvJPa6Y9R7vUg9DwCy/6WTpgLNqnV4Hg=='
+    key_algorithm: 'hmac-md5'
+    server: '192.168.1.1'
+  private:
+    key_secret: 'kVE2bVTgZjrdJipxPhID8BEZmbHD8cExlVPR+zbFpW6la8kL5wpXiwOh8q5AAosXQI5t95UXwq3Inx8QT58duw=='
+    key_algorithm: 'hmac-md5'
+    server: '192.168.1.2'
+
 docker_volume_size: "5"
 docker_storage_block_device: "/dev/vdb"
-#
+
 # # Subscription Management Details
 rhsm_register: True
 rhsm_repos:

playbooks/dns/config_dns_server.yml

@@ -8,4 +8,3 @@
     delegate_to: localhost
   roles:
     - role: dns-server
-

playbooks/dns/vars/views.yml

@@ -1,8 +1,11 @@
 ---
 
 named_config_views:
-- name: "casl"
+- name: "casl-private"
   zone:
-  - "dns_domain": "casl.example.com"
+  - "dns_domain": "private.example.com"
+- name: "casl-public"
+  zone:
+  - "dns_domain": "public.example.com"
   forwarder:
   - "8.8.8.8"

playbooks/openshift/openstack_dns_records.yml

@@ -0,0 +1,77 @@
+---
+
+- name: "Generate list of private A records"
+  set_fact:
+    private_records: "{{ private_records | default([]) + [ { 'type': 'A', 'hostname': hostvars[item]['ansible_hostname'], 'ip': hostvars[item]['openstack']['private_v4'] } ] }}"
+  with_items: "{{ groups['cluster_hosts'] }}"
+
+- name: "Set the private DNS server to use the external value (if provided)"
+  set_fact:
+    nsupdate_server_private: "{{ external_nsupdate_keys['private']['server'] }}"
+    nsupdate_key_secret_private: "{{ external_nsupdate_keys['private']['key_secret'] }}"
+    nsupdate_key_algorithm_private: "{{ external_nsupdate_keys['private']['key_algorithm'] }}"
+  when:
+  - external_nsupdate_keys is defined
+  - external_nsupdate_keys['private'] is defined
+
+- name: "Set the private DNS server to use the provisioned value"
+  set_fact:
+    nsupdate_server_private: "{{ hostvars[groups['dns'][0]].openstack.public_v4 }}"
+    nsupdate_key_secret_private: "{{ hostvars[groups['dns'][0]].nsupdate_keys['private-' + full_dns_domain].key_secret }}"
+    nsupdate_key_algorithm_private: "{{ hostvars[groups['dns'][0]].nsupdate_keys['private-' + full_dns_domain].key_algorithm }}"
+  when:
+  - nsupdate_server_private is undefined
+
+- name: "Generate the private Add section for DNS"
+  set_fact:
+    private_named_records:
+    - view: "private"
+      zone: "{{ full_dns_domain }}"
+      server: "{{ nsupdate_server_private }}"
+      key_name: "{{ ( 'private-' + full_dns_domain ) }}"
+      key_secret: "{{ nsupdate_key_secret_private }}"
+      key_algorithm: "{{ nsupdate_key_algorithm_private | lower }}"
+      entries: "{{ private_records }}"
+
+- name: "Generate list of public A records"
+  set_fact:
+    public_records: "{{ public_records | default([]) + [ { 'type': 'A', 'hostname': hostvars[item]['ansible_hostname'], 'ip': hostvars[item]['openstack']['public_v4'] } ] }}"
+  with_items: "{{ groups['cluster_hosts'] }}"
+
+- name: "Add wildcard records to the public A records"
+  set_fact:
+    public_records: "{{ public_records | default([]) + [ { 'type': 'A', 'hostname': '*.' + openshift_app_domain, 'ip': hostvars[item]['openstack']['public_v4'] } ] }}"
+  with_items: "{{ groups['infra_hosts'] }}"
+
+- name: "Set the public DNS server details to use the external value (if provided)"
+  set_fact:
+    nsupdate_server_public: "{{ external_nsupdate_keys['public']['server'] }}"
+    nsupdate_key_secret_public: "{{ external_nsupdate_keys['public']['key_secret'] }}"
+    nsupdate_key_algorithm_public: "{{ external_nsupdate_keys['public']['key_algorithm'] }}"
+  when:
+  - external_nsupdate_keys is defined
+  - external_nsupdate_keys['public'] is defined
+
+- name: "Set the public DNS server details to use the provisioned value"
+  set_fact:
+    nsupdate_server_public: "{{ hostvars[groups['dns'][0]].openstack.public_v4 }}"
+    nsupdate_key_secret_public: "{{ hostvars[groups['dns'][0]].nsupdate_keys['public-' + full_dns_domain].key_secret }}"
+    nsupdate_key_algorithm_public: "{{ hostvars[groups['dns'][0]].nsupdate_keys['public-' + full_dns_domain].key_algorithm }}"
+  when:
+  - nsupdate_server_public is undefined
+
+- name: "Generate the public Add section for DNS"
+  set_fact:
+    public_named_records:
+    - view: "public"
+      zone: "{{ full_dns_domain }}"
+      server: "{{ nsupdate_server_public }}"
+      key_name: "{{ ( 'public-' + full_dns_domain ) }}"
+      key_secret: "{{ nsupdate_key_secret_public }}"
+      key_algorithm: "{{ nsupdate_key_algorithm_public | lower }}"
+      entries: "{{ public_records }}"
+
+- name: "Generate the final dns_records_add"
+  set_fact: 
+    dns_records_add: "{{ private_named_records + public_named_records }}"
+

playbooks/openshift/openstack_dns_views.yml

@@ -0,0 +1,27 @@
+---
+
+- name: "Generate ACL list for DNS server"
+  set_fact:
+    acl_list: "{{ acl_list | default([]) + [ (hostvars[item]['openstack']['private_v4'] + '/32') ] }}" 
+  with_items: "{{ groups['cluster_hosts'] }}"
+
+- name: "Generate the private view"
+  set_fact:
+    private_named_view:
+    - name: "private"
+      acl_entry: "{{ acl_list }}"
+      zone:
+      - dns_domain: "{{ full_dns_domain }}"
+
+- name: "Generate the public view"
+  set_fact:
+    public_named_view:
+    - name: "public"
+      zone:
+      - dns_domain: "{{ full_dns_domain }}"
+      forwarder: "{{ public_dns_nameservers }}"
+
+- name: "Generate the final named_config_views"
+  set_fact: 
+    named_config_views: "{{ private_named_view + public_named_view }}"
+

playbooks/openshift/post-provision-openstack.yml

@@ -0,0 +1,60 @@
+---
+
+# Assign hostnames
+- hosts: cluster_hosts
+  pre_tasks:
+  - include: roles/common/pre_tasks/pre_tasks.yml
+  roles:
+  - role: hostnames
+
+# Subscribe DNS Host to allow for configuration below
+- hosts: dns
+  roles:
+    - { role: subscription-manager, when: hostvars.localhost.rhsm_register, tags: 'subscription-manager', ansible_sudo: true }
+
+# Determine which DNS server(s) to use for our generated records
+- hosts: localhost
+  roles: 
+  - dns-server-detect
+
+# Build the DNS Server Views and Configure DNS Server(s)
+- hosts: dns
+  pre_tasks:
+  - include: roles/common/pre_tasks/pre_tasks.yml
+  - name: "Generate dns-server views"
+    include: openstack_dns_views.yml
+  roles:
+  - role: dns-server
+
+# Build and process DNS Records
+- hosts: localhost
+  pre_tasks:
+  - include: roles/common/pre_tasks/pre_tasks.yml
+  - name: "Generate dns records"
+    include: openstack_dns_records.yml
+  roles:
+  - role: dns
+
+# Use newly configured DNS server for this container ...
+- hosts: localhost
+  tasks:
+  - name: "Edit /etc/resolv.conf in container"
+    shell: "sed '0,/.*nameserver.*/s/.*nameserver.*/nameserver {{ public_dns_server }} \\n&/' /etc/resolv.conf > /tmp/resolv.conf && /bin/cp -f /tmp/resolv.conf /etc/resolv.conf"
+
+# OpenShift Pre-Requisites
+- hosts: OSEv3
+  tasks:
+  - name: "Edit /etc/resolv.conf on masters/nodes"
+    lineinfile:
+      state: present
+      dest: /etc/resolv.conf
+      regexp: "nameserver {{ hostvars['localhost'].private_dns_server }}"
+      line: "nameserver {{ hostvars['localhost'].private_dns_server }}"
+      insertafter: search*
+  - name: "Include DNS configuration to ensure proper name resolution"
+    lineinfile:
+      state: present
+      dest: /etc/sysconfig/network
+      regexp: "IP4_NAMESERVERS={{ hostvars['localhost'].private_dns_server }}"
+      line: "IP4_NAMESERVERS={{ hostvars['localhost'].private_dns_server }}"
+