Merge "Pass in rndc key to Designate deployment"

docker/services/designate-worker.yaml

@@ -86,7 +86,7 @@ outputs:
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: designate
-        puppet_tags: designate_config,dns_config,exec
+        puppet_tags: designate_config,dns_config
         step_config:
           list_join:
             - "\n"
@@ -124,6 +124,9 @@ outputs:
             - path: /var/named-persistent
               owner: root:named
               perm: '0770'
+            - path: /etc/rndc.key
+              owner: root:named
+              perm: '0640'
       docker_config:
         step_4:
           designate_worker:

puppet/services/designate-worker.yaml

@@ -41,6 +41,10 @@ parameters:
     default: 0
     description: Number of workers for Designate services.
     type: number
+  DesignateRndcKey:
+    description: The rndc key secret for communication with BIND.
+    type: string
+    hidden: true
 
 conditions:
   designate_workers_zero: {equals : [{get_param: DesignateWorkers}, 0]}
@@ -69,8 +73,16 @@ outputs:
         map_merge:
         - get_attr: [DesignateBase, role_data, config_settings]
         - designate::worker::worker_notify: true
+          designate_rndc_key: {get_param: DesignateRndcKey}
           dns::vardir: /var/named-persistent
           dns::recursion: 'no'
+          # Because we generate the key locally and don't want the puppet
+          # module to do it, we set its path to /dev/null.  This means we need
+          # to explicitly include /etc/rndc.key though since the default config
+          # will just include /dev/null.
+          dns::rndckeypath: /dev/null
+          dns::additional_directives:
+            - include "/etc/rndc.key";
           dns::additional_options:
             listen-on:
               str_replace: