6 Commits

Author SHA1 Message Date
Monty Taylor
1ba4559fd8 Don't log the public loop on master-nameserver
The dict is the same as for the private loop, and while we're not
writing the private data, we are iterating over it which causes
it to be printed to the log.

Change-Id: I42069f15e59a8615b41082dce1440ae7c51b8260
2020-04-08 16:38:15 -05:00
Ian Wienand
66ceb321a6 master-nameserver: Add unmanaged domains; add acme.opendev.org
This adds the concept of an unmanaged domain; for unmanaged domains we
will write out the zone file only if it doesn't already exist.

acme.opendev.org is added as an unmanaged domain.  It will be managed
by other ansible roles which add TXT records for ACME authentication.
The initial template comes from the dependent change, and this ensures
the bind configuration is always valid.

For flexibility and testing purposes, we allow passing an extra
refspec and version to the git checkout.  This is one way to pull in
changes for speculative CI runs (I looked into having the hosts under
test checkout from Zuul; but by the time we're 3 ansible calls deep
on the DNS hosts-under-test it's a real pain.  For the amount of times
we update this, it's easier to just allow a speculative change that
can take a gerrit URL; for an example see [1])

[1] https://review.openstack.org/#/c/641155/10/playbooks/group_vars/dns.yaml

Testing is enhanced to check for zone files and correct configuration
stanzas.

Depends-On: https://review.openstack.org/641154
Depends-On: https://review.openstack.org/641168
Change-Id: I9ef5cfc850c3458c63aff46cfaa0d49a5d194e87
2019-03-27 14:22:59 +11:00
Jeremy Stanley
6c406f825b Tighten permissions on zone keys
Remove world-readable/traversable bits from permissions on the BIND
DNSSEC keys directory and the keys themselves (not actually
necessary for the public key files, but added for consistency as
they share a directory with the private keys). Note that this
matches the permissions and ownership of the existing
adns1.openstack.org server.

Change-Id: I015777ee346fefcaa92e64ad2ee88a41c7ea9bde
2018-11-14 12:44:09 +00:00
James E. Blair
3bb6841b33 Fix key filename on master ns
The keys should have a 'K' at the start.

Change-Id: I873aed771448005877eb1fdf5dc739521bf39889
2018-11-14 10:39:57 +01:00
James E. Blair
d15c6166c3 adns: Set zone directory permissions
Bind needs to be able to write to the zone directories in order
to sign the zones.

Change-Id: I5649c28c6f7d8d98e0eca3c9c4da5d7312198b5c
2018-11-05 09:02:55 -08:00
James E. Blair
90e6088881 Configure adns1.opendev.org server via ansible
Change-Id: Ib4d3cd7501a276bff62e3bc0998d93c41f3ab185
2018-11-02 13:49:38 -07:00