
Change I68e064d23ec5d43f59146d974cae604d2c5fdb52 makes NetCidrMapValue a list of IP networks. The designate service configures the DNS backend security to control from which addresses updates are allowed. We should use the list of CIDRs associated with the DesignateApiNetwork to allow all nodes in the network to remotely control the nameserver. Partial: blueprint tripleo-routed-networks-templates Change-Id: I5c5cd51c8f127e8879c5528883c3abd261f4a5b3
heat_template_version: rocky
description: >
OpenStack Designate Worker service configured with Puppet
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
MonitoringSubscriptionDesignateWorker:
default: 'overcloud-designate-worker'
type: string
DesignateWorkerLoggingSource:
type: json
default:
tag: openstack.designate.worker
path: /var/log/designate/designate-worker.log
DesignateWorkers:
default: 0
description: Number of workers for Designate services.
type: number
DesignateRndcKey:
description: The rndc key secret for communication with BIND.
type: string
hidden: true
conditions:
designate_workers_zero: {equals : [{get_param: DesignateWorkers}, 0]}
resources:
DesignateBase:
type: ./designate-base.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Designate Worker service.
value:
service_name: designate_worker
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateWorker}
config_settings:
map_merge:
- get_attr: [DesignateBase, role_data, config_settings]
- designate::worker::worker_notify: true
designate_rndc_key: {get_param: DesignateRndcKey}
dns::vardir: /var/named-persistent
dns::recursion: 'no'
# Because we generate the key locally and don't want the puppet
# module to do it, we set its path to /dev/null. This means we need
# to explicitly include /etc/rndc.key though since the default config
# will just include /dev/null.
dns::rndckeypath: /dev/null
dns::additional_directives:
- include "/etc/rndc.key";
dns::additional_options:
listen-on:
str_replace:
template:
"{ %{hiera('$NETWORK')}; }"
params:
$NETWORK: {get_param: [ServiceNetMap, BINDNetwork]}
tripleo::profile::base::designate::rndc_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
tripleo::profile::base::designate::rndc_allowed_addresses:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, DesignateApiNetwork]}
designate::backend::bind9::rndc_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
tripleo::designate_worker::firewall_rules:
'140 designate_worker udp':
proto: 'udp'
dport:
- 53
- 953
'141 designate_worker tcp':
proto: 'tcp'
dport:
- 53
- 953
-
if:
- designate_workers_zero
- {}
- designate::worker::workers: {get_param: DesignateWorkers}
step_config: |
include tripleo::profile::base::designate::worker
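Review bot: The `get_param: [ServiceData, net_cidr_map, DesignateApiNetwork]` value under `tripleo::profile::base::designate::rndc_allowed_addresses` now hands BIND every CIDR of the DesignateApiNetwork instead of a single address, turning the rndc address ACL from a host allow-list into a subnet allow-list, and the template says nothing about why that widening is acceptable. The neighbouring `rndc_host` values still use a `hiera('$NETWORK')` lookup that, if it follows the usual TripleO convention, resolves to this node's own address on that network, so a reader could reasonably expect the two settings to agree; a comment above the key would prevent that confusion, e.g. `# Allow rndc from every subnet of the DesignateApiNetwork (net_cidr_map now yields a list of networks) so nodes on all routed subnets can control BIND; DesignateRndcKey remains the authenticating secret.` The same comment could note that a network missing from net_cidr_map should make this get_param fail at stack validation rather than silently yield an empty list, if that is indeed how Heat resolves a missing nested key here.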