diff options
author | Bogdan Dobrelya <bdobreli@redhat.com> | 2017-08-25 16:15:40 +0200 |
---|---|---|
committer | Tomas Sedovic <tomas@sedovic.cz> | 2017-08-25 16:15:40 +0200 |
commit | 2ea1ccfb37461a70d329655f7eeaaab090f1ca0d (patch) | |
tree | 65c6384264d2e637d14a6412d246e5a90232d5f2 | |
parent | 9593ffb85ab6c2b5ee3964d7566932cf9ae768c9 (diff) | |
download | openshift-2ea1ccfb37461a70d329655f7eeaaab090f1ca0d.tar.gz openshift-2ea1ccfb37461a70d329655f7eeaaab090f1ca0d.tar.bz2 openshift-2ea1ccfb37461a70d329655f7eeaaab090f1ca0d.tar.xz openshift-2ea1ccfb37461a70d329655f7eeaaab090f1ca0d.zip |
Support external/pre-provisioned authoritative cluster DNS (#690)
* Document how to use fully external DNS servers w/o provisioning
dns servers group with Heat.
* Document how to use a mixed servers setup for dynamic records
updates mathing public or private views.
* Allow custom nsupdate key names for OSP10 dns service compatibility.
The osp-dns configures the named service with the fixed key_name
'update-key'. Add optional key_name for the external_nsupdate_keys
public section to allow custom key names.
-rw-r--r-- | playbooks/provisioning/openstack/README.md | 56 | ||||
-rw-r--r-- | roles/dns-records/tasks/main.yml | 6 | ||||
-rw-r--r-- | roles/openstack-stack/templates/heat_stack.yaml.j2 | 7 |
3 files changed, 61 insertions, 8 deletions
diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index c9f651032..2eb9aa9cd 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -53,8 +53,9 @@ Otherwise, even if there are differences between the two versions, installation * Assigns Cinder volumes to the servers * Set up an `openshift` user with sudo privileges * Optionally attach Red Hat subscriptions -* Set up a bind-based DNS server -* When deploying more than one master, set up a HAproxy server +* Sets up a bind-based DNS server or configures the cluster servers to use an external DNS server. +* Supports mixed in-stack/external DNS servers for dynamic updates. +* When deploying more than one master, sets up a HAproxy server ## Set up @@ -69,9 +70,17 @@ Otherwise, even if there are differences between the two versions, installation ### Update `inventory/group_vars/all.yml` +#### DNS configuration variables + Pay special attention to the values in the first paragraph -- these will depend on your OpenStack environment. +Note that the provsisioning playbooks update the original Neutron subnet +created with the Heat stack to point to the configured DNS servers. +So the provisioned cluster nodes will start using those natively as +default nameservers. Technically, this allows to deploy OpenShift clusters +without dnsmasq proxies. + The `env_id` and `public_dns_domain` will form the cluster's DNS domain all your servers will be under. With the default values, this will be `openshift.example.com`. For workloads, the default subdomain is 'apps'. @@ -93,10 +102,45 @@ daemon that in turn proxies DNS requests to the authoritative DNS server. When Network Manager is enabled for provisioned cluster nodes, which is normally the case, you should not change the defaults and always deploy dnsmasq. -Note that the authoritative DNS server is configured on post provsision -steps, and the Neutron subnet for the Heat stack is updated to point to that -server in the end. So the provisioned servers will start using it natively -as a default nameserver that comes from the NetworkManager and cloud-init. +`external_nsupdate_keys` describes an external authoritative DNS server(s) +processing dynamic records updates in the public and private cluster views: + + external_nsupdate_keys: + public: + key_secret: <some nsupdate key> + key_algorithm: 'hmac-md5' + key_name: 'update-key' + server: <public DNS server IP> + private: + key_secret: <some nsupdate key 2> + key_algorithm: 'hmac-sha256' + server: <public or private DNS server IP> + +Here, for the public view section, we specified another key algorithm and +optional `key_name`, which normally defaults to the cluster's DNS domain. +This just illustrates a compatibility mode with a DNS service deployed +by OpenShift on OSP10 reference architecture, and used in a mixed mode with +another external DNS server. + +Another example defines an external DNS server for the public view +additionally to the in-stack DNS server used for the private view only: + + external_nsupdate_keys: + public: + key_secret: <some nsupdate key> + key_algorithm: 'hmac-sha256' + server: <public DNS server IP> + +Here, updates matching the public view will be hitting the given public +server IP. While updates matching the private view will be sent to the +auto evaluated in-stack DNS server's **public** IP. + +Note, for the in-stack DNS server, private view updates may be sent only +via the public IP of the server. You can not send updates via the private +IP yet. This forces the in-stack private server to have a floating IP. +See also the [security notes](#security-notes) + +#### Other configuration variables `openstack_ssh_key` is a Nova keypair - you can see your keypairs with `openstack keypair list`. This guide assumes that its corresponding private diff --git a/roles/dns-records/tasks/main.yml b/roles/dns-records/tasks/main.yml index 3672a8ea6..e9bce9718 100644 --- a/roles/dns-records/tasks/main.yml +++ b/roles/dns-records/tasks/main.yml @@ -14,6 +14,7 @@ nsupdate_server_private: "{{ external_nsupdate_keys['private']['server'] }}" nsupdate_key_secret_private: "{{ external_nsupdate_keys['private']['key_secret'] }}" nsupdate_key_algorithm_private: "{{ external_nsupdate_keys['private']['key_algorithm'] }}" + nsupdate_private_key_name: "{{ external_nsupdate_keys['private']['key_name']|default('private-' + full_dns_domain) }}" when: - external_nsupdate_keys is defined - external_nsupdate_keys['private'] is defined @@ -32,7 +33,7 @@ - view: "private" zone: "{{ full_dns_domain }}" server: "{{ nsupdate_server_private }}" - key_name: "{{ ( 'private-' + full_dns_domain ) }}" + key_name: "{{ nsupdate_private_key_name|default('private-' + full_dns_domain) }}" key_secret: "{{ nsupdate_key_secret_private }}" key_algorithm: "{{ nsupdate_key_algorithm_private | lower }}" entries: "{{ private_records }}" @@ -54,6 +55,7 @@ nsupdate_server_public: "{{ external_nsupdate_keys['public']['server'] }}" nsupdate_key_secret_public: "{{ external_nsupdate_keys['public']['key_secret'] }}" nsupdate_key_algorithm_public: "{{ external_nsupdate_keys['public']['key_algorithm'] }}" + nsupdate_public_key_name: "{{ external_nsupdate_keys['public']['key_name']|default('public-' + full_dns_domain) }}" when: - external_nsupdate_keys is defined - external_nsupdate_keys['public'] is defined @@ -72,7 +74,7 @@ - view: "public" zone: "{{ full_dns_domain }}" server: "{{ nsupdate_server_public }}" - key_name: "{{ ( 'public-' + full_dns_domain ) }}" + key_name: "{{ nsupdate_public_key_name|default('public-' + full_dns_domain) }}" key_secret: "{{ nsupdate_key_secret_public }}" key_algorithm: "{{ nsupdate_key_algorithm_public | lower }}" entries: "{{ public_records }}" diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2 index 1ecf84aa6..ea2742a2c 100644 --- a/roles/openstack-stack/templates/heat_stack.yaml.j2 +++ b/roles/openstack-stack/templates/heat_stack.yaml.j2 @@ -54,6 +54,7 @@ outputs: description: Floating IPs of the nodes value: { get_attr: [ infra_nodes, floating_ip ] } +{% if num_dns|int > 0 %} dns_name: description: Name of the DNS value: @@ -68,6 +69,7 @@ outputs: dns_private_ips: description: Private IPs of the DNS value: { get_attr: [ dns, private_ip ] } +{% endif %} resources: @@ -405,6 +407,7 @@ resources: port_range_min: 443 port_range_max: 443 +{% if num_dns|int > 0 %} dns-secgrp: type: OS::Neutron::SecurityGroup properties: @@ -439,6 +442,8 @@ resources: port_range_min: 53 port_range_max: 53 remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24" +{% endif %} + {% if num_masters|int > 1 or ui_ssh_tunnel|bool %} lb-secgrp: type: OS::Neutron::SecurityGroup @@ -716,6 +721,7 @@ resources: depends_on: - interface +{% if num_dns|int > 0 %} dns: type: OS::Heat::ResourceGroup properties: @@ -755,3 +761,4 @@ resources: volume_size: {{ dns_volume_size }} depends_on: - interface +{% endif %} |