Harald Jensås 5666a4fe0d Designate - Use net_cidr_map for rndc_allowed_addresses
Change I68e064d23ec5d43f59146d974cae604d2c5fdb52 makes
NetCidrMapValue a list of ip networks.

The designate service configures the dns backend security
to contol from wich addresses updates are allowed. We
should use the list of cidr's associated with the
DesignateApiNetwork to allow all nodes in the network to
remotely control the nameserver.

Partial: blueprint tripleo-routed-networks-templates
Change-Id: I5c5cd51c8f127e8879c5528883c3abd261f4a5b3
2019-01-06 18:20:58 +01:00

125 lines
4.1 KiB
YAML

heat_template_version: rocky
description: >
OpenStack Designate Worker service configured with Puppet
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
MonitoringSubscriptionDesignateWorker:
default: 'overcloud-designate-worker'
type: string
DesignateWorkerLoggingSource:
type: json
default:
tag: openstack.designate.worker
path: /var/log/designate/designate-worker.log
DesignateWorkers:
default: 0
description: Number of workers for Designate services.
type: number
DesignateRndcKey:
description: The rndc key secret for communication with BIND.
type: string
hidden: true
conditions:
designate_workers_zero: {equals : [{get_param: DesignateWorkers}, 0]}
resources:
DesignateBase:
type: ./designate-base.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Designate Worker service.
value:
service_name: designate_worker
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateWorker}
config_settings:
map_merge:
- get_attr: [DesignateBase, role_data, config_settings]
- designate::worker::worker_notify: true
designate_rndc_key: {get_param: DesignateRndcKey}
dns::vardir: /var/named-persistent
dns::recursion: 'no'
# Because we generate the key locally and don't want the puppet
# module to do it, we set its path to /dev/null. This means we need
# to explicitly include /etc/rndc.key though since the default config
# will just include /dev/null.
dns::rndckeypath: /dev/null
dns::additional_directives:
- include "/etc/rndc.key";
dns::additional_options:
listen-on:
str_replace:
template:
"{ %{hiera('$NETWORK')}; }"
params:
$NETWORK: {get_param: [ServiceNetMap, BINDNetwork]}
tripleo::profile::base::designate::rndc_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
tripleo::profile::base::designate::rndc_allowed_addresses:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, DesignateApiNetwork]}
designate::backend::bind9::rndc_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
tripleo::designate_worker::firewall_rules:
'140 designate_worker udp':
proto: 'udp'
dport:
- 53
- 953
'141 designate_worker tcp':
proto: 'tcp'
dport:
- 53
- 953
-
if:
- designate_workers_zero
- {}
- designate::worker::workers: {get_param: DesignateWorkers}
step_config: |
include tripleo::profile::base::designate::worker