Create rndc key

The deployer can provide an rndc key to authenticate with bind.

Change-Id: I7cec53ebaf9fb69fa7116878528fa654dc362f92
This commit is contained in:
Jonathan Rosser 2018-05-23 20:38:00 +01:00
parent 07d79cd0a0
commit ff9a55d5db
6 changed files with 42 additions and 7 deletions


@ -118,6 +118,14 @@ designate_role_name: admin
# rndc_host: 127.0.0.1 # rndc_host: 127.0.0.1
# rndc_port: 953 # rndc_port: 953
## rndc keys for authenticating with bind9
# define this to create as many key files as are required
# designate_rndc_keys
# - name: "rndc-key"
# file: /etc/designate/rndc.key
# algorithm: "hmac-md5"
# secret: "<key>"
## Service Type and Data ## Service Type and Data
designate_service_region: RegionOne designate_service_region: RegionOne
designate_service_endpoint_type: internalURL designate_service_endpoint_type: internalURL
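Review bot: The commented example at `# designate_rndc_keys` is missing its trailing colon, so a deployer who uncomments the block gets a plain scalar instead of a mapping key; it should read `# designate_rndc_keys:`. The example also omits the optional `owner`, `group` and `mode` keys that the key-file task in this commit consumes (defaults root/root/0600), and it shows `hmac-md5`, a deprecated TSIG algorithm that BIND still accepts; documenting `hmac-sha256` in the example keeps new deployments off MD5. Suggested lines after `# secret: "<key>"`: `# owner: root`, `# group: root`, `# mode: "0600"`, each marked as the default.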


@ -49,6 +49,16 @@
dest: "/etc/designate/pools.yaml" dest: "/etc/designate/pools.yaml"
when: designate_pools_yaml is defined when: designate_pools_yaml is defined
- name: Create Designate rndc key file
template:
src: rndc.key.j2
dest: "{{ item.file }}"
owner: "{{ item.owner | default('root') }}"
group: "{{ item.group | default('root') }}"
mode: "{{ item.mode | default('0600') }}"
with_items: "{{ designate_rndc_keys }}"
when: designate_rndc_keys is defined
- name: Copy rootwrap filters - name: Copy rootwrap filters
copy: copy:
src: "{{ item }}" src: "{{ item }}"
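Review bot: The `Create Designate rndc key file` task loops over `designate_rndc_keys` with `with_items`, so every item, `secret` included, is echoed in the task result and in any retained play log; add `no_log: true` to the task. The defaults `owner: root` and `mode: '0600'` produce a file only root can read, which the test variables in this commit work around with `mode: "0644"`; if the designate services run as an unprivileged account, a default of that account's group with `'0640'` would avoid a world-readable key — confirm against the role's service user. The `template` call renders the secret to disk, so the file path and mode are the only protections on it.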

4
templates/rndc.key.j2 Normal file

@ -0,0 +1,4 @@
key "{{ item.name }}" {
algorithm "{{ item.algorithm }}";
secret "{{ item.secret }}";
};
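Review bot: `templates/rndc.key.j2` has no generated-file marker; BIND's configuration syntax accepts `#` comments, so a first line `# {{ ansible_managed }}` would flag the file as managed and discourage hand edits that the next run overwrites. The three substitutions are emitted verbatim, so a `name` or `secret` containing `"` or `;` yields a file named cannot parse; that is acceptable for operator-supplied values but deserves a one-line mention in the defaults example.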


@ -48,6 +48,13 @@ designate_pools_yaml:
port: 53 port: 53
rndc_host: 127.0.0.1 rndc_host: 127.0.0.1
rndc_port: 953 rndc_port: 953
rndc_key_file: /etc/rndc.key
designate_rndc_keys:
- name: "rndc-key"
file: /etc/rndc.key
algorithm: "hmac-md5"
secret: 'DTngw5O8I5Axx631GjQ9pA=='
mode: "0644"
tempest_run: yes tempest_run: yes
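Review bot: This file (apparently the test variables) commits a literal rndc secret and installs the key with `mode: "0644"`, so every local account on the test host can read it; acceptable for a fixture, but it should be labelled so the block is not copied into a real deployment. Suggest a comment above `designate_rndc_keys`: `# Test-only key shared by bind and designate on one host; generate a fresh secret (rndc-confgen) and use a restrictive mode in real deployments.` `rndc_key_file: /etc/rndc.key` and `file: /etc/rndc.key` must stay in step, which a comment on the second occurrence should say.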


@ -41,6 +41,14 @@ options {
recursion no; recursion no;
}; };
{% if designate_rndc_keys is defined %}
include "/etc/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
{% endif %}
{% if ansible_pkg_mgr in ['yum', 'dnf'] %} {% if ansible_pkg_mgr in ['yum', 'dnf'] %}
logging { logging {
channel default_debug { channel default_debug {
@ -54,12 +62,6 @@ zone "." IN {
file "named.ca"; file "named.ca";
}; };
include "/etc/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
include "/etc/named.rfc1912.zones"; include "/etc/named.rfc1912.zones";
include "/etc/named.root.key"; include "/etc/named.root.key";
@ -89,4 +91,3 @@ zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN
include "/etc/named.conf.include"; include "/etc/named.conf.include";
{% endif %} {% endif %}
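Review bot: In the first hunk the new block is guarded by `designate_rndc_keys is defined` but hard-codes `include "/etc/rndc.key";` and `keys { "rndc-key"; }`, so a deployer who sets a different `file` or `name` in `designate_rndc_keys` gets a named that either fails to start or references a key it never loaded. If this is the test harness's named.conf the coupling is tolerable, but deriving both values from the variable removes the mismatch; the `{% if ansible_pkg_mgr ... %}` block that follows continues outside the hunk. The second hunk already removes the older hard-coded copy from the yum/dnf branch.
```jinja
{% if designate_rndc_keys is defined %}
{% for rndc_key in designate_rndc_keys %}
include "{{ rndc_key.file }}";
{% endfor %}
controls {
  inet 127.0.0.1 allow { localhost; } keys { {% for rndc_key in designate_rndc_keys %}"{{ rndc_key.name }}"; {% endfor %}};
};
{% endif %}
{# … unchanged: ansible_pkg_mgr logging block … #}
```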


@ -53,5 +53,10 @@
bind_service_state: "{{ (ansible_pkg_mgr == 'apt') | ternary('restarted','started') }}" bind_service_state: "{{ (ansible_pkg_mgr == 'apt') | ternary('restarted','started') }}"
roles: roles:
- role: "os_designate" - role: "os_designate"
post_tasks:
- name: Restart bind9, for test purposes the designate role drops a common rndc key to both bind and designate
service:
name: "{{ bind_service_name }}"
state: restarted
vars_files: vars_files:
- common/test-vars.yml - common/test-vars.yml
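Review bot: The `Restart bind9` post-task restarts the service on every run, whether or not the key file changed; for a test playbook that is fine, but the rationale is carried in a long task name rather than a comment. Suggest `- name: Restart bind9` preceded by `# The os_designate role writes /etc/rndc.key; bind must re-read it before rndc authentication works.`, which keeps the task output short and the explanation in place.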