Create rndc key

The deployer can provide an rndc key to authenticate with bind. Change-Id: I7cec53ebaf9fb69fa7116878528fa654dc362f92
2018-05-23 20:38:00 +01:00 · 2018-05-23 20:38:00 +01:00 · ff9a55d5db
commit ff9a55d5db
parent 07d79cd0a0
6 changed files with 42 additions and 7 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -118,6 +118,14 @@ designate_role_name: admin
 #           rndc_host: 127.0.0.1
 #           rndc_port: 953

+## rndc keys for authenticating with bind9
+# define this to create as many key files as are required
+# designate_rndc_keys
+#   - name: "rndc-key"
+#     file: /etc/designate/rndc.key
+#     algorithm: "hmac-md5"
+#     secret: "<key>"
+
 ## Service Type and Data
 designate_service_region: RegionOne
 designate_service_endpoint_type: internalURL
--- a/tasks/designate_post_install.yml
+++ b/tasks/designate_post_install.yml
@ -49,6 +49,16 @@
    dest: "/etc/designate/pools.yaml"
  when: designate_pools_yaml is defined

+- name: Create Designate rndc key file
+  template:
+    src: rndc.key.j2
+    dest: "{{ item.file }}"
+    owner: "{{ item.owner | default('root') }}"
+    group: "{{ item.group | default('root') }}"
+    mode: "{{ item.mode | default('0600') }}"
+  with_items: "{{ designate_rndc_keys }}"
+  when: designate_rndc_keys is defined
+
 - name: Copy rootwrap filters
  copy:
    src: "{{ item }}"
--- a/templates/rndc.key.j2
+++ b/templates/rndc.key.j2
@ -0,0 +1,4 @@
+key "{{ item.name }}" {
+        algorithm "{{ item.algorithm }}";
+        secret "{{ item.secret }}";
+};
--- a/tests/os_designate-overrides.yml
+++ b/tests/os_designate-overrides.yml
@ -48,6 +48,13 @@ designate_pools_yaml:
          port: 53
          rndc_host: 127.0.0.1
          rndc_port: 953
+          rndc_key_file: /etc/rndc.key
+designate_rndc_keys:
+  - name: "rndc-key"
+    file: /etc/rndc.key
+    algorithm: "hmac-md5"
+    secret: 'DTngw5O8I5Axx631GjQ9pA=='
+    mode: "0644"

 tempest_run: yes

--- a/tests/templates/named.conf.j2
+++ b/tests/templates/named.conf.j2
@ -41,6 +41,14 @@ options {
        recursion no;
 };

+{% if designate_rndc_keys is defined %}
+include "/etc/rndc.key";
+
+controls {
+        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
+};
+{% endif %}
+
 {% if ansible_pkg_mgr in ['yum', 'dnf'] %}
 logging {
        channel default_debug {
@ -54,12 +62,6 @@ zone "." IN {
        file "named.ca";
 };

-include "/etc/rndc.key";
-
-controls {
-        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
-};
-
 include "/etc/named.rfc1912.zones";
 include "/etc/named.root.key";

@ -89,4 +91,3 @@ zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN
 include "/etc/named.conf.include";

 {% endif %}
-
--- a/tests/test-install-designate.yml
+++ b/tests/test-install-designate.yml
@ -53,5 +53,10 @@
    bind_service_state: "{{ (ansible_pkg_mgr == 'apt') | ternary('restarted','started') }}"
  roles:
    - role: "os_designate"
+  post_tasks:
+    - name: Restart bind9, for test purposes the designate role drops a common rndc key to both bind and designate
+      service:
+        name: "{{ bind_service_name }}"
+        state: restarted
  vars_files:
    - common/test-vars.yml