diff --git a/docker/control-host-openstack/Dockerfile b/docker/control-host-openstack/Dockerfile
index 9ac51e9e..7a6819b6 100644
--- a/docker/control-host-openstack/Dockerfile
+++ b/docker/control-host-openstack/Dockerfile
@@ -13,7 +13,7 @@ RUN yum install -y epel-release; \
 python-heatclient python-neutronclient \
 python-novaclient python-saharaclient \
 python-swiftclient python-troveclient \
- python-openstackclient \
+ python-openstackclient python-dns \
 pyOpenSSL \
 origin-clients; \
 yum clean all; \
diff --git a/inventory/s1-ha.casl.example.com.d/inventory/group_vars/OSEv3.yml b/inventory/s1-ha.casl.example.com.d/inventory/group_vars/OSEv3.yml
index 694be439..60831212 100644
--- a/inventory/s1-ha.casl.example.com.d/inventory/group_vars/OSEv3.yml
+++ b/inventory/s1-ha.casl.example.com.d/inventory/group_vars/OSEv3.yml
@@ -4,7 +4,7 @@ openshift_deployment_type: openshift-enterprise
 openshift_master_cluster_method: native
 openshift_master_cluster_hostname: "{{ groups.lb.0 }}"
 openshift_master_cluster_public_hostname: "{{ groups.lb.0 }}"
-openshift_master_default_subdomain: "apps.{{ env_id }}.{{ dns_domain }}"
+openshift_master_default_subdomain: "apps.{{ env_id }}.{{ public_dns_domain }}"
 openshift_master_identity_providers:
 - 'name': 'htpasswd_auth'
@@ -16,7 +16,9 @@ openshift_master_identity_providers:
 openshift_hosted_logging_deploy: true
 openshift_hosted_metrics_deploy: true
+
 openshift_node_labels: "{{ openstack.metadata.node_labels}}"
+
 openshift_node_kubelet_args:
 minimum-container-ttl-duration:
 - "10s"
@@ -32,4 +34,3 @@ openshift_node_kubelet_args:
 - '80'
 image-gc-low-threshold:
 - '60'
-
diff --git a/inventory/s1-ha.casl.example.com.d/inventory/group_vars/all.yml b/inventory/s1-ha.casl.example.com.d/inventory/group_vars/all.yml
index c480d1e9..c23d23cd 100644
--- a/inventory/s1-ha.casl.example.com.d/inventory/group_vars/all.yml
+++ b/inventory/s1-ha.casl.example.com.d/inventory/group_vars/all.yml
@@ -7,29 +7,37 @@ ansible_become: True
 openstack_default_image_name: "rhel-guest-image-7.3-35.x86_64"
 openstack_default_flavor: "m1.medium"
 openstack_external_network_name: "external"
-openstack_dns_domain: "casl.example.com"
 openstack_subnet_prefix: 192.168.99
-openstack_nameservers:
-- 192.168.1.1
 openstack_num_masters: 3
 openstack_num_nodes: 2
 openstack_num_infra: 1
-dns_domain: "casl.example.com"
-cluster_id: "casl.example.com"
-public_dns_forwarder: 192.168.1.1
+
 env_id: "s1-ha"
-#
+
+public_dns_domain: "casl.example.com"
+public_dns_nameservers:
+- 192.168.1.1
+
 docker_volume_size: "10"
 docker_storage_block_device: "/dev/vdb"
-#
-# # Subscription Management Details
+
+# Subscription Management Details
+# Using Red Hat Satellite:
 rhsm_register: True
-rhsm_satellite: 'sat-b.etl.rht-labs.com'
-rhsm_org: 'Emerging_Tech_Lab'
+
+rhsm_satellite: 'sat-6.example.com'
+rhsm_org: 'CASL_ORG'
 rhsm_activationkey: 'casl-latest'
+
 rhsm_repos:
 - "rhel-7-server-rpms"
 - "rhel-7-server-ose-3.5-rpms"
 - "rhel-7-server-extras-rpms"
 - "rhel-7-fast-datapath-rpms"
-rhsm_password: ''
+
+# Or using RHN username, password and optionally pool:
+#rhsm_username: ''
+#rhsm_password: ''
+# leave commented out if you want to `--auto-attach` a pool
+#rhsm_pool: ''
+
diff --git a/inventory/sample.casl.example.com.d/inventory/group_vars/OSEv3.yml b/inventory/sample.casl.example.com.d/inventory/group_vars/OSEv3.yml
index d2f0104b..b9d40e62 100644
--- a/inventory/sample.casl.example.com.d/inventory/group_vars/OSEv3.yml
+++ b/inventory/sample.casl.example.com.d/inventory/group_vars/OSEv3.yml
@@ -1,7 +1,7 @@
 ---
 openshift_deployment_type: openshift-enterprise
 openshift_release: v3.5
-openshift_master_default_subdomain: "apps.{{ env_id }}.{{ dns_domain }}"
+openshift_master_default_subdomain: "apps.{{ env_id }}.{{ public_dns_domain }}"
 # HTPASSWD Identity Provider
 openshift_master_identity_providers:
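Review bot: The commented-out `#rhsm_username: ''` / `#rhsm_password: ''` placeholders at the end of the hunk invite operators to type the RHN password into a group_vars file that is committed to version control; the removed `rhsm_password: ''` had the same shape, so the commit does not change the exposure, but this is the place to steer people right. I would add above them `# Keep real credentials in an ansible-vault encrypted vars file, never in plain text here.` The `rhsm_activationkey` value is arguably a registration credential as well, and the same note applies to it.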
diff --git a/inventory/sample.casl.example.com.d/inventory/group_vars/all.yml b/inventory/sample.casl.example.com.d/inventory/group_vars/all.yml
index 51dbd12a..a7d61824 100644
--- a/inventory/sample.casl.example.com.d/inventory/group_vars/all.yml
+++ b/inventory/sample.casl.example.com.d/inventory/group_vars/all.yml
@@ -7,20 +7,33 @@ ansible_become: True
 openstack_default_image_name: "rhel-guest-image-7.3-35.x86_64"
 openstack_default_flavor: "m1.medium"
 openstack_external_network_name: "external"
-openstack_dns_domain: "casl.example.com"
 openstack_subnet_prefix: 192.168.99
-openstack_nameservers:
-- 192.168.1.1
+openstack_num_masters: 1
 openstack_num_nodes: 2
 openstack_num_infra: 1
-dns_domain: "casl.example.com"
-cluster_id: "casl.example.com"
-public_dns_forwarder: 192.168.1.1
+
 env_id: "sample"
-#
+
+public_dns_domain: "casl.example.com"
+public_dns_nameservers:
+- 192.168.1.1
+
+# Roll-your-own DNS
+openstack_num_dns: 0
+
+external_nsupdate_keys:
+ public:
+ key_secret: 'SKqKNdpfk7llKxZ57bbxUnUDobaaJp9t8CjXLJPl+fRI5mPcSBuxTAyvJPa6Y9R7vUg9DwCy/6WTpgLNqnV4Hg=='
+ key_algorithm: 'hmac-md5'
+ server: '192.168.1.1'
+ private:
+ key_secret: 'kVE2bVTgZjrdJipxPhID8BEZmbHD8cExlVPR+zbFpW6la8kL5wpXiwOh8q5AAosXQI5t95UXwq3Inx8QT58duw=='
+ key_algorithm: 'hmac-md5'
+ server: '192.168.1.2'
+
 docker_volume_size: "5"
 docker_storage_block_device: "/dev/vdb"
-#
+
 # # Subscription Management Details
 rhsm_register: True
 rhsm_repos:
diff --git a/playbooks/dns-provision.yaml b/playbooks/dns-provision.yaml
deleted file mode 100644
index b8549820..00000000
--- a/playbooks/dns-provision.yaml
+++ /dev/null
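Review bot: The new `external_nsupdate_keys` block ships two literal TSIG secrets (`key_secret: 'SKqK…'` and `key_secret: 'kVE2…'`) in a committed inventory, and sample inventories tend to be copied verbatim; the same two strings also appear as the worked example in the dns-server role of this commit, so if they were ever used on a real server they are now public. Replace them with placeholders such as `key_secret: '<base64 secret from dnssec-keygen>'` and point at ansible-vault for the real values. The sample also selects `key_algorithm: 'hmac-md5'` while the dns-server role in this same commit defaults to HMAC-SHA256; HMAC-MD5 TSIG is deprecated, so the sample should read `key_algorithm: 'hmac-sha256'` to match the default.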
@@ -1,14 +0,0 @@
----
-- hosts: localhost
- pre_tasks:
- - include: roles/common/pre_tasks/pre_tasks.yml
- roles:
- # Provision DNS
- - role: openstack-create
- type: "dns"
- key_name: "{{ openstack_key_name }}"
- image_name: "{{ openshift_openstack_image_name }}"
- flavor_name: "m1.small"
- security_groups: "{{ openshift_openstack_dns_security_groups }}"
- register_host_group: "dns,openshift"
- node_count: "1"
diff --git a/playbooks/dns/config_dns_server.yml b/playbooks/dns/config_dns_server.yml
index 07f8c4cf..a87ed3f6 100644
--- a/playbooks/dns/config_dns_server.yml
+++ b/playbooks/dns/config_dns_server.yml
@@ -8,4 +8,3 @@
 delegate_to: localhost
 roles:
 - role: dns-server
-
diff --git a/playbooks/dns/vars/views.yml b/playbooks/dns/vars/views.yml
index c2901c5f..8350c11d 100644
--- a/playbooks/dns/vars/views.yml
+++ b/playbooks/dns/vars/views.yml
@@ -1,8 +1,11 @@
 ---
 named_config_views:
-- name: "casl"
+- name: "casl-private"
 zone:
- - "dns_domain": "casl.example.com"
+ - "dns_domain": "private.example.com"
+- name: "casl-public"
+ zone:
+ - "dns_domain": "public.example.com"
 forwarder:
 - "8.8.8.8"
diff --git a/playbooks/dns_dual_view.yaml b/playbooks/dns_dual_view.yaml
deleted file mode 100644
index 61780e0f..00000000
--- a/playbooks/dns_dual_view.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
- - name: "Setting up views"
- template:
- dest: /tmp/named_views.yaml
- src: ./playbooks/templates/named_views.template
- force: true
- delegate_to: localhost
diff --git a/playbooks/dns_records.yaml b/playbooks/dns_records.yaml
deleted file mode 100644
index 2e09e17f..00000000
--- a/playbooks/dns_records.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
- - name: "Creating DNS records"
- template:
- dest: "/tmp/records.yaml"
- src: "./playbooks/templates/records.template.yaml"
- force: yes
- delegate_to: localhost
-
diff --git a/playbooks/openshift/dns_dual_view.yml b/playbooks/openshift/dns_dual_view.yml
deleted file mode 100644
index a74978fc..00000000
--- a/playbooks/openshift/dns_dual_view.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
- - name: "Set dual view dns group"
- set_fact:
- named_views_hostgroup: "cluster_hosts"
- named_views_infragroup: "infra_hosts"
-
- - name: "Setting up views"
- template:
- dest: /tmp/named_views.yml
- src: ./templates/named_views.template
- force: true
- delegate_to: localhost
diff --git a/playbooks/openshift/dns_records.yml b/playbooks/openshift/dns_records.yml
deleted file mode 100644
index 1f244189..00000000
--- a/playbooks/openshift/dns_records.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
- - name: "Creating DNS records"
- template:
- dest: "/tmp/records.yml"
- src: "./templates/records.template.yml"
- force: yes
- delegate_to: localhost
-
diff --git a/playbooks/openshift/openstack_dns_records.yml b/playbooks/openshift/openstack_dns_records.yml
new file mode 100644
index 00000000..b1008fe3
--- /dev/null
+++ b/playbooks/openshift/openstack_dns_records.yml
@@ -0,0 +1,77 @@
+---
+
+- name: "Generate list of private A records"
+ set_fact:
+ private_records: "{{ private_records | default([]) + [ { 'type': 'A', 'hostname': hostvars[item]['ansible_hostname'], 'ip': hostvars[item]['openstack']['private_v4'] } ] }}"
+ with_items: "{{ groups['cluster_hosts'] }}"
+
+- name: "Set the private DNS server to use the external value (if provided)"
+ set_fact:
+ nsupdate_server_private: "{{ external_nsupdate_keys['private']['server'] }}"
+ nsupdate_key_secret_private: "{{ external_nsupdate_keys['private']['key_secret'] }}"
+ nsupdate_key_algorithm_private: "{{ external_nsupdate_keys['private']['key_algorithm'] }}"
+ when:
+ - external_nsupdate_keys is defined
+ - external_nsupdate_keys['private'] is defined
+
+- name: "Set the private DNS server to use the provisioned value"
+ set_fact:
+ nsupdate_server_private: "{{ hostvars[groups['dns'][0]].openstack.public_v4 }}"
+ nsupdate_key_secret_private: "{{ hostvars[groups['dns'][0]].nsupdate_keys['private-' + full_dns_domain].key_secret }}"
+ nsupdate_key_algorithm_private: "{{ hostvars[groups['dns'][0]].nsupdate_keys['private-' + full_dns_domain].key_algorithm }}"
+ when:
+ - nsupdate_server_private is undefined
+
+- name: "Generate the private Add section for DNS"
+ set_fact:
+ private_named_records:
+ - view: "private"
+ zone: "{{ full_dns_domain }}"
+ server: "{{ nsupdate_server_private }}"
+ key_name: "{{ ( 'private-' + full_dns_domain ) }}"
+ key_secret: "{{ nsupdate_key_secret_private }}"
+ key_algorithm: "{{ nsupdate_key_algorithm_private | lower }}"
+ entries: "{{ private_records }}"
+
+- name: "Generate list of public A records"
+ set_fact:
+ public_records: "{{ public_records | default([]) + [ { 'type': 'A', 'hostname': hostvars[item]['ansible_hostname'], 'ip': hostvars[item]['openstack']['public_v4'] } ] }}"
+ with_items: "{{ groups['cluster_hosts'] }}"
+
+- name: "Add wildcard records to the public A records"
+ set_fact:
+ public_records: "{{ public_records | default([]) + [ 
{ 'type': 'A', 'hostname': '*.' + openshift_app_domain, 'ip': hostvars[item]['openstack']['public_v4'] } ] }}"
+ with_items: "{{ groups['infra_hosts'] }}"
+
+- name: "Set the public DNS server details to use the external value (if provided)"
+ set_fact:
+ nsupdate_server_public: "{{ external_nsupdate_keys['public']['server'] }}"
+ nsupdate_key_secret_public: "{{ external_nsupdate_keys['public']['key_secret'] }}"
+ nsupdate_key_algorithm_public: "{{ external_nsupdate_keys['public']['key_algorithm'] }}"
+ when:
+ - external_nsupdate_keys is defined
+ - external_nsupdate_keys['public'] is defined
+
+- name: "Set the public DNS server details to use the provisioned value"
+ set_fact:
+ nsupdate_server_public: "{{ hostvars[groups['dns'][0]].openstack.public_v4 }}"
+ nsupdate_key_secret_public: "{{ hostvars[groups['dns'][0]].nsupdate_keys['public-' + full_dns_domain].key_secret }}"
+ nsupdate_key_algorithm_public: "{{ hostvars[groups['dns'][0]].nsupdate_keys['public-' + full_dns_domain].key_algorithm }}"
+ when:
+ - nsupdate_server_public is undefined
+
+- name: "Generate the public Add section for DNS"
+ set_fact:
+ public_named_records:
+ - view: "public"
+ zone: "{{ full_dns_domain }}"
+ server: "{{ nsupdate_server_public }}"
+ key_name: "{{ ( 'public-' + full_dns_domain ) }}"
+ key_secret: "{{ nsupdate_key_secret_public }}"
+ key_algorithm: "{{ nsupdate_key_algorithm_public | lower }}"
+ entries: "{{ public_records }}"
+
+- name: "Generate the final dns_records_add"
+ set_fact:
+ dns_records_add: "{{ private_named_records + public_named_records }}"
+
diff --git a/playbooks/openshift/openstack_dns_views.yml b/playbooks/openshift/openstack_dns_views.yml
new file mode 100644
index 00000000..611ed9f8
--- /dev/null
+++ b/playbooks/openshift/openstack_dns_views.yml
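Review bot: For externally supplied keys the TSIG key name is still derived as `'private-' + full_dns_domain` / `'public-' + full_dns_domain` in the two `Generate the … Add section` tasks, but `external_nsupdate_keys` carries no key name at all; TSIG requires the name sent with the update to match the `key` statement on the server, so an external server whose key is not called exactly that will reject every update with BADKEY. Let the inventory supply it and fall back to the derived name: add `nsupdate_key_name_private: "{{ external_nsupdate_keys['private']['key_name'] | default('private-' + full_dns_domain) }}"` next to the other three facts in the external-value task and use `key_name: "{{ nsupdate_key_name_private }}"` below (same for the public view). Separately, these `set_fact` tasks copy `key_secret` into `nsupdate_key_secret_*` and then into `dns_records_add`; `set_fact` results are printed under `-v` and persisted by fact caching, so every task that handles the secret should carry `no_log: true`.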
@@ -0,0 +1,27 @@
+---
+
+- name: "Generate ACL list for DNS server"
+ set_fact:
+ acl_list: "{{ acl_list | default([]) + [ (hostvars[item]['openstack']['private_v4'] + '/32') ] }}"
+ with_items: "{{ groups['cluster_hosts'] }}"
+
+- name: "Generate the private view"
+ set_fact:
+ private_named_view:
+ - name: "private"
+ acl_entry: "{{ acl_list }}"
+ zone:
+ - dns_domain: "{{ full_dns_domain }}"
+
+- name: "Generate the public view"
+ set_fact:
+ public_named_view:
+ - name: "public"
+ zone:
+ - dns_domain: "{{ full_dns_domain }}"
+ forwarder: "{{ public_dns_nameservers }}"
+
+- name: "Generate the final named_config_views"
+ set_fact:
+ named_config_views: "{{ private_named_view + public_named_view }}"
+
diff --git a/playbooks/openshift/post-provision-openstack.yml b/playbooks/openshift/post-provision-openstack.yml
new file mode 100644
index 00000000..d65e075b
--- /dev/null
+++ b/playbooks/openshift/post-provision-openstack.yml
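Review bot: The generated `public` view has no `acl_entry` and sets `forwarder` to `public_dns_nameservers`, while only the `private` view is restricted to the cluster's `private_v4/32` addresses; the DNS host is reachable on its `public_v4` (that is the address the records playbook pushes updates to), so unless the dns-server role itself refuses recursion for clients outside an ACL — which this hunk does not show — the result is an open recursive resolver on the internet, a classic DNS amplification target. Either restrict the public view as well (an `acl_entry` built from the hosts' `public_v4/32` the same way `acl_list` is built) or keep forwarders in the private view only and serve the public view authoritative-only. At minimum, confirm what the role renders for `recursion` and `allow-query` when `acl_entry` is absent.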
@@ -0,0 +1,60 @@
+---
+
+# Assign hostnames
+- hosts: cluster_hosts
+ pre_tasks:
+ - include: roles/common/pre_tasks/pre_tasks.yml
+ roles:
+ - role: hostnames
+
+# Subscribe DNS Host to allow for configuration below
+- hosts: dns
+ roles:
+ - { role: subscription-manager, when: hostvars.localhost.rhsm_register, tags: 'subscription-manager', ansible_sudo: true }
+
+# Determine which DNS server(s) to use for our generated records
+- hosts: localhost
+ roles:
+ - dns-server-detect
+
+# Build the DNS Server Views and Configure DNS Server(s)
+- hosts: dns
+ pre_tasks:
+ - include: roles/common/pre_tasks/pre_tasks.yml
+ - name: "Generate dns-server views"
+ include: openstack_dns_views.yml
+ roles:
+ - role: dns-server
+
+# Build and process DNS Records
+- hosts: localhost
+ pre_tasks:
+ - include: roles/common/pre_tasks/pre_tasks.yml
+ - name: "Generate dns records"
+ include: openstack_dns_records.yml
+ roles:
+ - role: dns
+
+# Use newly configured DNS server for this container ...
+- hosts: localhost
+ tasks:
+ - name: "Edit /etc/resolv.conf in container"
+ shell: "sed '0,/.*nameserver.*/s/.*nameserver.*/nameserver {{ public_dns_server }} \\n&/' /etc/resolv.conf > /tmp/resolv.conf && /bin/cp -f /tmp/resolv.conf /etc/resolv.conf"
+
+# OpenShift Pre-Requisites
+- hosts: OSEv3
+ tasks:
+ - name: "Edit /etc/resolv.conf on masters/nodes"
+ lineinfile:
+ state: present
+ dest: /etc/resolv.conf
+ regexp: "nameserver {{ hostvars['localhost'].private_dns_server }}"
+ line: "nameserver {{ hostvars['localhost'].private_dns_server }}"
+ insertafter: search*
+ - name: "Include DNS configuration to ensure proper name resolution"
+ lineinfile:
+ state: present
+ dest: /etc/sysconfig/network
+ regexp: "IP4_NAMESERVERS={{ hostvars['localhost'].private_dns_server }}"
+ line: "IP4_NAMESERVERS={{ hostvars['localhost'].private_dns_server }}"
+
diff --git a/playbooks/openshift/pre-install.yml b/playbooks/openshift/pre-install.yml
index 587516fd..8225287f 100644
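Review bot: The `Edit /etc/resolv.conf in container` task splices `{{ public_dns_server }}` — a value that can come straight from inventory via `external_nsupdate_keys.public.server` — into a `sed` script executed through `shell`, where a `/`, `&` or `\` in the value changes the script rather than the address, and the task reports `changed` on every run; the OSEv3 play below already edits resolv.conf with `lineinfile`, and the same module here (`line: "nameserver {{ public_dns_server }}"` with `insertbefore: '^nameserver'`) would be idempotent and free of quoting concerns. In the OSEv3 play, `insertafter: search*` is a regex matching `searc` followed by any number of `h`, not a line beginning with `search`; `insertafter: '^search'` appears to be what is meant. The dots of the IP in `regexp: "nameserver {{ … }}"` are also unescaped, which is harmless today but worth `| regex_escape` for correctness.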
--- a/playbooks/openshift/pre-install.yml
+++ b/playbooks/openshift/pre-install.yml
@@ -1,70 +1,15 @@
 ---
-# Assign hostnames
-- hosts: cluster_hosts
- pre_tasks:
- - include: roles/common/pre_tasks/pre_tasks.yml
- roles:
- - role: hostnames
-
-# Subscribe Hosts
-- hosts: cluster_hosts
- roles:
- - { role: subscription-manager, when: hostvars.localhost.rhsm_register, tags: 'subscription-manager', ansible_sudo: true }
-
-# Build DNS Records
-- hosts: localhost
- pre_tasks:
- - include: roles/common/pre_tasks/pre_tasks.yml
- - name: "Generate dns-server views"
- include: dns_dual_view.yml
- - name: "Generate dns records"
- include: dns_records.yml
-
-# Workaround - copy the DNS files over to the DNS server for sourcing ...
-- hosts: dns
- tasks:
- - name: "Copy named_views.yml"
- copy:
- src: /tmp/named_views.yml
- dest: /tmp/named_views.yml
- - name: "Copy records.yml"
- copy:
- src: /tmp/records.yml
- dest: /tmp/records.yml
-
-# Configure DNS Server(s)
-- hosts: dns
- pre_tasks:
- - name: "Include the generated views"
- include_vars: /tmp/named_views.yml
- - name: "Include generated dns records"
- include_vars: /tmp/records.yml
- roles:
- - role: dns-server
- - role: dns
-
-# Use newly configured DNS server for this container ...
-- hosts: localhost
- tasks:
- - name: "Edit /etc/resolv.conf in container"
- shell: "sed '0,/.*nameserver.*/s/.*nameserver.*/nameserver {%for host in groups['dns']%}{{ hostvars[host].openstack.public_v4 }}{% endfor %}\\n&/' /etc/resolv.conf > /tmp/resolv.conf && /bin/cp -f /tmp/resolv.conf /etc/resolv.conf"
+###############################
 # OpenShift Pre-Requisites
+
+# - subscribe hosts
+# - prepare docker
+# - other prep (install additional packages, etc.)
+#
 - hosts: OSEv3
- tasks:
- - name: "Edit /etc/resolv.conf on masters/nodes"
- lineinfile:
- state: present
- dest: /etc/resolv.conf
- regexp: "nameserver {%for host in groups['dns']%} {{ hostvars[host].openstack.private_v4 }} {% endfor %}"
- line: "nameserver {%for host in groups['dns']%} {{ hostvars[host].openstack.private_v4 }} {% endfor %}"
- insertafter: search*
- - name: "Include DHCP/DNS workaround for OSE 3.2"
- lineinfile:
- state: present
- dest: /etc/sysconfig/network
- regexp: "IP4_NAMESERVERS={%for host in groups['dns']%}{{ hostvars[host].openstack.private_v4 }}{% endfor %}"
- line: "IP4_NAMESERVERS={%for host in groups['dns']%}{{ hostvars[host].openstack.private_v4 }}{% endfor %}"
 roles:
+ - { role: subscription-manager, when: hostvars.localhost.rhsm_register, tags: 'subscription-manager', ansible_sudo: true }
 - { role: docker, tags: 'docker' }
 - { role: openshift-prep, tags: 'openshift-prep' }
+
diff --git a/playbooks/openshift/provision-openstack.yml b/playbooks/openshift/provision-openstack.yml
index d36e3ae4..8125548f 100644
--- a/playbooks/openshift/provision-openstack.yml
+++ b/playbooks/openshift/provision-openstack.yml
@@ -4,9 +4,9 @@
 - include: roles/common/pre_tasks/pre_tasks.yml
 roles:
 - role: openstack-stack
- stack_name: "{{ env_id }}.{{ openstack_dns_domain }}"
- dns_domain: "{{ openstack_dns_domain }}"
- dns_nameservers: "{{ openstack_nameservers }}"
+ stack_name: "{{ env_id }}.{{ public_dns_domain }}"
+ dns_domain: "{{ public_dns_domain }}"
+ dns_nameservers: "{{ public_dns_nameservers }}"
 subnet_prefix: "{{ openstack_subnet_prefix }}"
 ssh_public_key: "{{ openstack_ssh_public_key }}"
 openstack_image: "{{ openstack_default_image_name }}"
@@ -21,7 +21,7 @@
 num_masters: "{{ openstack_num_masters }}"
 num_nodes: "{{ openstack_num_nodes }}"
 num_infra: "{{ openstack_num_infra }}"
- num_dns: 1
+ num_dns: "{{ openstack_num_dns | default(1) }}"
 master_volume_size: "{{ docker_volume_size }}"
 app_volume_size: "{{ docker_volume_size }}"
 infra_volume_size: "{{ docker_volume_size }}"
@@ -44,3 +44,5 @@
 - name: waiting for server to come back
 local_action: wait_for host={{ hostvars[inventory_hostname]['ansible_ssh_host'] }} port=22 delay=30 timeout=300
 become: false
+
+- include: post-provision-openstack.yml
diff --git a/playbooks/openshift/templates/named_views.template b/playbooks/openshift/templates/named_views.template
deleted file mode 100644
index 4272be95..00000000
--- a/playbooks/openshift/templates/named_views.template
+++ /dev/null
@@ -1,14 +0,0 @@
----
-named_config_views:
- - name: "private"
- acl_entry:
-{% for host in groups[named_views_hostgroup]%}
- - "{{ hostvars[host]['openstack']['private_v4'] }}/32"
-{% endfor %}
- zone:
- - "dns_domain": "{{ full_dns_domain }}"
- - name: "public"
- zone:
- - "dns_domain": "{{ full_dns_domain }}"
- forwarder:
- - "{{ public_dns_forwarder }}"
diff --git a/playbooks/openshift/templates/records.template.yml b/playbooks/openshift/templates/records.template.yml
deleted file mode 100644
index 16d0d03d..00000000
--- a/playbooks/openshift/templates/records.template.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-dns_records_add:
- - view: private
- zone: "{{ full_dns_domain }}"
- entries:
-{% for host in groups[named_views_hostgroup] %}
- - type: A
- hostname: "{{ hostvars[host]['ansible_hostname'] }}"
- ip: "{{ hostvars[host]['openstack']['private_v4'] }}"
-{% endfor %}
- - view: public
- zone: "{{ full_dns_domain}}"
- entries:
-{% for host in groups[named_views_hostgroup]%}
- - type: A
- hostname: "{{ hostvars[host]['ansible_hostname'] }}"
- ip: "{{ hostvars[host]['openstack']['public_v4'] }}"
-{% endfor %}
-{% for host in groups[named_views_infragroup]%}
- - type: A
- hostname: "*.{{ openshift_app_domain }}"
- ip: "{{ hostvars[host]['openstack']['public_v4'] }}"
-{% endfor %}
diff --git a/playbooks/templates/named_views.template b/playbooks/templates/named_views.template
deleted file mode 100644
index 1546ced0..00000000
--- a/playbooks/templates/named_views.template
+++ /dev/null
@@ -1,14 +0,0 @@
----
-named_config_views:
- - name: "private"
- acl_entry:
-{% for host in groups['openshift']%}
- - "{{ hostvars[host]["dns_private_ip"] }}/32"
-{% endfor %}
- zone:
- - "dns_domain": "{{ full_dns_domain }}"
- - name: "public"
- zone:
- - "dns_domain": "{{ full_dns_domain }}"
- forwarder:
- - "{{ public_dns_forwarder }}"
diff --git a/playbooks/templates/records.template.yaml b/playbooks/templates/records.template.yaml
deleted file mode 100644
index 6bcf283b..00000000
--- a/playbooks/templates/records.template.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-dns_records_add:
- - view: private
- zone: {{ full_dns_domain }}
- entries:
-{% for host in groups['openshift'] %}
- - type: A
- hostname: {{ hostvars[host]['ansible_hostname'] }}
- ip: {{ hostvars[host]['dns_private_ip'] }}
-{% endfor %}
- - view: public
- zone: {{ full_dns_domain}}
- entries:
-{% for host in groups['openshift']%}
- - type: A
- hostname: {{ hostvars[host]['ansible_hostname'] }}
- ip: {{ hostvars[host]['dns_public_ip'] }}
-{% endfor %}
diff --git a/roles/common/pre_tasks/pre_tasks.yml b/roles/common/pre_tasks/pre_tasks.yml
index cc4e64a0..c5e79e89 100644
--- a/roles/common/pre_tasks/pre_tasks.yml
+++ b/roles/common/pre_tasks/pre_tasks.yml
@@ -22,7 +22,7 @@
 - name: Updating DNS domain to include env_id (if not empty)
 set_fact:
- full_dns_domain: "{{ (env_id|trim == '') | ternary(dns_domain, env_id + '.' + dns_domain) }}"
+ full_dns_domain: "{{ (env_id|trim == '') | ternary(public_dns_domain, env_id + '.' + public_dns_domain) }}"
 delegate_to: localhost
 - name: Set the APP domain for OpenShift use
diff --git a/roles/dns-server-detect/defaults/main.yml b/roles/dns-server-detect/defaults/main.yml
new file mode 100644
index 00000000..58bd861c
--- /dev/null
+++ b/roles/dns-server-detect/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+external_nsupdate_keys: {}
diff --git a/roles/dns-server-detect/tasks/main.yml b/roles/dns-server-detect/tasks/main.yml
new file mode 100644
index 00000000..e8dd0acf
--- /dev/null
+++ b/roles/dns-server-detect/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+
+- fail:
+ msg: 'Missing required private DNS server(s)'
+ when:
+ - external_nsupdate_keys['private'] is undefined
+ - hostvars[groups['dns'][0]] is undefined
+
+- fail:
+ msg: 'Missing required public DNS server(s)'
+ when:
+ - external_nsupdate_keys['public'] is undefined
+ - hostvars[groups['dns'][0]] is undefined
+
+- name: "Set the private DNS server to use the external value (if provided)"
+ set_fact:
+ private_dns_server: "{{ external_nsupdate_keys['private']['server'] }}"
+ when:
+ - external_nsupdate_keys['private'] is defined
+
+- name: "Set the private DNS server to use the provisioned value"
+ set_fact:
+ private_dns_server: "{{ hostvars[groups['dns'][0]].openstack.private_v4 }}"
+ when:
+ - private_dns_server is undefined
+
+- name: "Set the public DNS server to use the external value (if provided)"
+ set_fact:
+ public_dns_server: "{{ external_nsupdate_keys['public']['server'] }}"
+ when:
+ - external_nsupdate_keys['public'] is defined
+
+- name: "Set the public DNS server to use the provisioned value"
+ set_fact:
+ public_dns_server: "{{ hostvars[groups['dns'][0]].openstack.public_v4 }}"
+ when:
+ - public_dns_server is undefined
+
diff --git a/roles/dns-server/defaults/main.yml b/roles/dns-server/defaults/main.yml
index 5391ac1f..5b06fa0d 100644
--- a/roles/dns-server/defaults/main.yml
+++ b/roles/dns-server/defaults/main.yml
@@ -1,4 +1,8 @@
 ---
+
+default_dnssec_keygen_size: 256
+default_dnssec_keygen_algorithm: HMAC-SHA256
+
 named_config_views: []
 named_config_allow_query: []
 named_config_allow_transfer: []
diff --git a/roles/dns-server/tasks/main.yml b/roles/dns-server/tasks/main.yml
index f89af97b..9d7c4c3b 100644
--- a/roles/dns-server/tasks/main.yml
+++ b/roles/dns-server/tasks/main.yml
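Review bot: The two `fail` guards rely on `hostvars[groups['dns'][0]] is undefined`, which only evaluates cleanly if the `dns` group exists and the Ansible version chains undefined lookups; with `openstack_num_dns: 0` (as the sample inventory now sets) the subscript may raise a templating error before the friendly message is ever reached, depending on how the dynamic inventory represents an empty group. A guard that does not dereference the group is safer: `- (groups['dns'] | default([])) | length == 0`. The guards also only check that the `private` / `public` mappings exist, not that `server` is inside them, so a partially filled mapping fails later in the `set_fact` tasks with a raw template error rather than here; `- external_nsupdate_keys['private']['server'] is undefined` would catch that at the same place.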
@@ -96,18 +96,36 @@
 - zone
 - name: Generate keys for nsupdate
- command: "/sbin/dnssec-keygen -a HMAC-MD5 -b 512 -n USER -r /dev/urandom -K /var/named {{ item.0.name }}-{{ item.1.dns_domain }}"
+ command: >
+ /sbin/dnssec-keygen
+ -a {{ dnssec_keygen_algorithm | default(default_dnssec_keygen_algorithm) }}
+ -b {{ dnssec_keygen_size | default(default_dnssec_keygen_size) }}
+ -n USER
+ -r /dev/urandom
+ -K /var/named {{ item.0.name }}-{{ item.1.dns_domain }}
 with_subelements:
 - "{{ named_config_views }}"
 - zone
 - name: Gather keys for nsupdate
 shell: "grep Key: /var/named/K{{ item.0.name }}-{{ item.1.dns_domain }}*.private | cut -d ' ' -f 2"
- register: nsupdate_keys
+ register: nsupdate_keys_captured
 with_subelements:
 - "{{ named_config_views }}"
 - zone
+ # Build the dict with the proper keys, i.e.:
+ # casl-private.example.com:
+ # algorithm: HMAC-MD5
+ # secret: SKqKNdpfk7llKxZ57bbxUnUDobaaJp9t8CjXLJPl+fRI5mPcSBuxTAyvJPa6Y9R7vUg9DwCy/6WTpgLNqnV4Hg==
+ # casl-public.example.com:
+ # algorithm: HMAC-MD5
+ # secret: kVE2bVTgZjrdJipxPhID8BEZmbHD8cExlVPR+zbFpW6la8kL5wpXiwOh8q5AAosXQI5t95UXwq3Inx8QT58duw==
+- name: Set nsupdate keys fact
+ set_fact:
+ nsupdate_keys: "{{ nsupdate_keys | default({}) | combine({ ( item.item.0.name + '-' + item.item.1.dns_domain ): { 'key_algorithm': ( dnssec_keygen_algorithm | default(default_dnssec_keygen_algorithm) ), 'key_secret': item.stdout } }) }}"
+ with_items: "{{ nsupdate_keys_captured.results }}"
+
 - name: Setup key files for nsupdate
 template:
 src: domain-key.j2
@@ -115,7 +133,7 @@
 owner: named
 group: named
 mode: 0660
- with_items: "{{ nsupdate_keys.results }}"
+ with_items: "{{ nsupdate_keys_captured.results }}"
 - name: Prepare Zone Files
 template:
@@ -153,4 +171,3 @@
 service:
 name: named
 state: restarted
-
diff --git a/roles/dns-server/templates/domain-key.j2 b/roles/dns-server/templates/domain-key.j2
index 5ac40ceb..66803edd 100644
--- a/roles/dns-server/templates/domain-key.j2
+++ b/roles/dns-server/templates/domain-key.j2
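Review bot: The new `Set nsupdate keys fact` task, and the `Gather keys for nsupdate` shell task whose `stdout` it reads, handle the TSIG secret without `no_log: true`, so every `-v` run prints the key material and it lands in any configured fact cache; add `no_log: true` to both. The comment block above it still documents the result as `algorithm: HMAC-MD5` with `algorithm` / `secret` keys, whereas the code builds `key_algorithm` / `key_secret` and now defaults to HMAC-SHA256, and the two literal secrets in the example should be obvious placeholders rather than real-looking key material. As far as this hunk shows, `dnssec-keygen` still runs unconditionally on every play, so a re-run leaves several `K<view>-<domain>*.private` files and the `grep` then returns more than one `Key:` line in `item.stdout`, which would corrupt the generated key file; a `stat`/`find` guard on an existing key file for that view and zone would make the task idempotent.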
@@ -1,4 +1,4 @@
 key {{ item.item.0.name }}-{{ item.item.1.dns_domain }} {
- algorithm HMAC-SHA256;
+ algorithm {{ dnssec_keygen_algorithm | default(default_dnssec_keygen_algorithm) }};
 secret "{{ item.stdout }}";
 };
diff --git a/roles/dns/README.md b/roles/dns/README.md
index 009a5878..6db836c7 100644
--- a/roles/dns/README.md
+++ b/roles/dns/README.md
@@ -17,6 +17,10 @@ Example Playbook
 dns_records_rm:
 - view: "private"
 zone: "first.example.com"
+ server: "192.168.1.100"
+ key_name: "my_private_key"
+ key_secret: "+bFQtBCta7j2vWkjPkAFtgA=="
+ key_algorithm: "hmac-sha256"
 entries:
 - type: A
 hostname: server_1
@@ -24,6 +28,10 @@ Example Playbook
 dns_records_add:
 - view: "private"
 zone: "first.example.com"
+ server: "192.168.1.100"
+ key_name: "my_private_key"
+ key_secret: "+bFQtBCta7j2vWkjPkAFtgA=="
+ key_algorithm: "hmac-sha256"
 entries:
 - type: A
 hostname: server_a
@@ -32,6 +40,10 @@ Example Playbook
 hostname: server_b
 ip: 192.168.1.2
 - view: "private"
+ server: "192.168.1.100"
+ key_name: "my_private_key"
+ key_secret: "+bFQtBCta7j2vWkjPkAFtgA=="
+ key_algorithm: "hmac-sha256"
 zone: "second.example.com"
 entries:
 - type: A
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
index c85a7454..39cd756a 100644
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@@ -1,24 +1,29 @@
 ---
-- name: Remove DNS A records (if any)
- lineinfile:
- dest=/var/named/static/{{ item.0.view }}-{{ item.0.zone }}.db
- state=absent
- regexp="^{{ item.1.hostname|regex_escape }}\s+.+IN\s+A\s+{{ item.1.ip }}.*"
+- name: "Remove any deleted DNS A records"
+ nsupdate:
+ key_name: "{{ item.0.key_name }}"
+ key_secret: "{{ item.0.key_secret }}"
+ key_algorithm: "{{ item.0.key_algorithm }}"
+ server: "{{ item.0.server }}"
+ zone: "{{ item.0.zone }}"
+ record: "{{ item.1.hostname }}"
+ type: "{{ item.1.type }}"
+ state: absent
 with_subelements:
 - "{{ dns_records_rm | default({}) }}"
 - entries
- when: item.1.type == "A"
- notify: restart named
-- name: Add DNS A records (if any)
- lineinfile:
- dest=/var/named/static/{{ item.0.view }}-{{ item.0.zone }}.db
- state=present
- regexp="^{{ item.1.hostname|regex_escape }}\s+\d+IN\s+A\s+{{ item.1.ip }}.*"
- line="{{ item.1.hostname }} 3600 IN A {{ item.1.ip }}"
+- name: "Add DNS A records"
+ nsupdate:
+ key_name: "{{ item.0.key_name }}"
+ key_secret: "{{ item.0.key_secret }}"
+ key_algorithm: "{{ item.0.key_algorithm }}"
+ server: "{{ item.0.server }}"
+ zone: "{{ item.0.zone }}"
+ record: "{{ item.1.hostname }}"
+ value: "{{ item.1.ip }}"
+ type: "{{ item.1.type }}"
+ state: present
 with_subelements:
 - "{{ dns_records_add | default({}) }}"
 - entries
- when: item.1.type == "A"
- notify: restart named
-
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2
index c367aabe..09b62cba 100644
--- a/roles/openstack-stack/templates/heat_stack.yaml.j2
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2
@@ -381,7 +381,7 @@ resources:
 params:
 cluster_id: {{ stack_name }}
 k8s_type: etcd
- cluster_env: {{ dns_domain }}
+ cluster_env: {{ public_dns_domain }}
 cluster_id: {{ stack_name }}
 group:
 str_replace:
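Review bot: Both `nsupdate` tasks pass `key_secret: "{{ item.0.key_secret }}"` with no `no_log: true`, and because they loop with `with_subelements`, Ansible prints each `item` — `item.0` being the whole view mapping, secret included — in the per-iteration result line of an ordinary run, not only under `-v`; add `no_log: true` to both tasks so the TSIG key never appears in console output or CI logs. Dropping the old `when: item.1.type == "A"` means any record type now reaches the module, yet `value` is always taken from `item.1.ip`, which is only meaningful for A records; keeping the filter (or naming the field `value`) avoids silently sending wrong data for other types. `nsupdate` also needs dnspython wherever these tasks execute, which in this commit is the control container; the Dockerfile hunk adds `python-dns`, so that dependency is covered as long as the role is not run elsewhere.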
@@ -421,7 +421,7 @@ resources:
 params:
 cluster_id: {{ stack_name }}
 k8s_type: lb
- cluster_env: {{ dns_domain }}
+ cluster_env: {{ public_dns_domain }}
 cluster_id: {{ stack_name }}
 group:
 str_replace:
@@ -461,7 +461,7 @@ resources:
 params:
 cluster_id: {{ stack_name }}
 k8s_type: master
- cluster_env: {{ dns_domain }}
+ cluster_env: {{ public_dns_domain }}
 cluster_id: {{ stack_name }}
 group:
 str_replace:
@@ -505,7 +505,7 @@ resources:
 cluster_id: {{ stack_name }}
 k8s_type: node
 subtype: app
- cluster_env: {{ dns_domain }}
+ cluster_env: {{ public_dns_domain }}
 cluster_id: {{ stack_name }}
 group:
 str_replace:
@@ -548,7 +548,7 @@ resources:
 cluster_id: {{ stack_name }}
 k8s_type: node
 subtype: infra
- cluster_env: {{ dns_domain }}
+ cluster_env: {{ public_dns_domain }}
 cluster_id: {{ stack_name }}
 group:
 str_replace:
@@ -591,7 +591,7 @@ resources:
 params:
 cluster_id: {{ stack_name }}
 k8s_type: dns
- cluster_env: {{ dns_domain }}
+ cluster_env: {{ public_dns_domain }}
 cluster_id: {{ stack_name }}
 group:
 str_replace:
diff --git a/roles/openstack-stack/test/stack-create-test.yml b/roles/openstack-stack/test/stack-create-test.yml
index 94e312ee..6cbd7ff3 100644
--- a/roles/openstack-stack/test/stack-create-test.yml
+++ b/roles/openstack-stack/test/stack-create-test.yml
@@ -3,8 +3,8 @@
 roles:
 - role: openstack-stack
 stack_name: test-stack
- dns_domain: "{{ openstack_dns_domain }}"
- dns_nameservers: "{{ openstack_nameservers }}"
+ dns_domain: "{{ public_dns_domain }}"
+ dns_nameservers: "{{ public_dns_nameservers }}"
 subnet_prefix: "{{ openstack_subnet_prefix }}"
 ssh_public_key: "{{ openstack_ssh_public_key }}"
 openstack_image: "{{ openstack_default_image_name }}"