Support external/pre-provisioned authoritative cluster DNS (#690)

* Document how to use fully external DNS servers w/o provisioning
  dns servers group with Heat.

* Document how to use a mixed servers setup for dynamic records
  updates mathing public or private views.

* Allow custom nsupdate key names for OSP10 dns service compatibility.
  The osp-dns configures the named service with the fixed key_name
  'update-key'. Add optional key_name for the external_nsupdate_keys
  public section to allow custom key names.

2 files changed, 11 insertions, 2 deletions

diff --git a/roles/dns-records/tasks/main.yml b/roles/dns-records/tasks/main.yml
index 3672a8ea6..e9bce9718 100644
--- a/roles/dns-records/tasks/main.yml
+++ b/roles/dns-records/tasks/main.yml
@@ -14,6 +14,7 @@
     nsupdate_server_private: "{{ external_nsupdate_keys['private']['server'] }}"
     nsupdate_key_secret_private: "{{ external_nsupdate_keys['private']['key_secret'] }}"
     nsupdate_key_algorithm_private: "{{ external_nsupdate_keys['private']['key_algorithm'] }}"
+    nsupdate_private_key_name: "{{ external_nsupdate_keys['private']['key_name']|default('private-' + full_dns_domain) }}"
   when:
     - external_nsupdate_keys is defined
     - external_nsupdate_keys['private'] is defined
@@ -32,7 +33,7 @@
       - view: "private"
         zone: "{{ full_dns_domain }}"
         server: "{{ nsupdate_server_private }}"
-        key_name: "{{ ( 'private-' + full_dns_domain ) }}"
+        key_name: "{{ nsupdate_private_key_name|default('private-' + full_dns_domain) }}"
         key_secret: "{{ nsupdate_key_secret_private }}"
         key_algorithm: "{{ nsupdate_key_algorithm_private | lower }}"
         entries: "{{ private_records }}"
@@ -54,6 +55,7 @@
     nsupdate_server_public: "{{ external_nsupdate_keys['public']['server'] }}"
     nsupdate_key_secret_public: "{{ external_nsupdate_keys['public']['key_secret'] }}"
     nsupdate_key_algorithm_public: "{{ external_nsupdate_keys['public']['key_algorithm'] }}"
+    nsupdate_public_key_name: "{{ external_nsupdate_keys['public']['key_name']|default('public-' + full_dns_domain) }}"
   when:
     - external_nsupdate_keys is defined
     - external_nsupdate_keys['public'] is defined
@@ -72,7 +74,7 @@
       - view: "public"
         zone: "{{ full_dns_domain }}"
         server: "{{ nsupdate_server_public }}"
-        key_name: "{{ ( 'public-' + full_dns_domain ) }}"
+        key_name: "{{ nsupdate_public_key_name|default('public-' + full_dns_domain) }}"
         key_secret: "{{ nsupdate_key_secret_public }}"
         key_algorithm: "{{ nsupdate_key_algorithm_public | lower }}"
         entries: "{{ public_records }}"
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2
index 1ecf84aa6..ea2742a2c 100644
--- a/roles/openstack-stack/templates/heat_stack.yaml.j2
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2
@@ -54,6 +54,7 @@ outputs:
     description: Floating IPs of the nodes
     value: { get_attr: [ infra_nodes, floating_ip ] }
 
+{% if num_dns|int > 0 %}
   dns_name:
     description: Name of the DNS
     value:
@@ -68,6 +69,7 @@ outputs:
   dns_private_ips:
     description: Private IPs of the DNS
     value: { get_attr: [ dns, private_ip ] }
+{% endif %}
 
 resources:
 
@@ -405,6 +407,7 @@ resources:
           port_range_min: 443
           port_range_max: 443
 
+{% if num_dns|int > 0 %}
   dns-secgrp:
     type: OS::Neutron::SecurityGroup
     properties:
@@ -439,6 +442,8 @@ resources:
           port_range_min: 53
           port_range_max: 53
           remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
+{% endif %}
+
 {% if num_masters|int > 1 or ui_ssh_tunnel|bool %}
   lb-secgrp:
     type: OS::Neutron::SecurityGroup
@@ -716,6 +721,7 @@ resources:
     depends_on:
       - interface
 
+{% if num_dns|int > 0 %}
   dns:
     type: OS::Heat::ResourceGroup
     properties:
@@ -755,3 +761,4 @@ resources:
           volume_size: {{ dns_volume_size }}
     depends_on:
       - interface
+{% endif %}