From d3398d0266cbfd05730986fd371876e4479fd288 Mon Sep 17 00:00:00 2001
From: Zheng Xiao Mei
Date: Fri, 2 Jun 2023 16:42:23 +0800
Subject: [PATCH] Support bastion insert and clean .

Signed-off-by: Zheng Xiao Mei
---
 .../ocp_upi/01-preparation.yaml | 4 ++
 .../ocp_upi/04-destroy.yaml | 3 +
 .../cloud_infra_center/ocp_upi/README.md | 9 ++-
 .../ocp_upi/destroy-bastion.yaml | 71 +++++++++++++++++++
 .../ocp_upi/docs/add-dns-haproxy.md | 2 +-
 .../cloud_infra_center/ocp_upi/inventory.yaml | 1 +
 .../roles/configure-dns/tasks/main.yml | 67 ++++++++++++++++-
 .../configure-dns/templates/etc/named.conf.j2 | 4 +-
 8 files changed, 154 insertions(+), 7 deletions(-)
 create mode 100644 z_infra_provisioning/cloud_infra_center/ocp_upi/destroy-bastion.yaml

diff --git a/z_infra_provisioning/cloud_infra_center/ocp_upi/01-preparation.yaml b/z_infra_provisioning/cloud_infra_center/ocp_upi/01-preparation.yaml
index 7702ccffc..9765e209d 100644
--- a/z_infra_provisioning/cloud_infra_center/ocp_upi/01-preparation.yaml
+++ b/z_infra_provisioning/cloud_infra_center/ocp_upi/01-preparation.yaml
@@ -42,3 +42,7 @@
 - import_playbook: configure-security-groups.yaml
 - import_playbook: configure-network.yaml
 - import_playbook: configure-bastion-properties.yaml
+- import_playbook: configure-dns.yaml
+ when: use_bastion == true
+- import_playbook: configure-haproxy.yaml
+ when: use_bastion == true
diff --git a/z_infra_provisioning/cloud_infra_center/ocp_upi/04-destroy.yaml b/z_infra_provisioning/cloud_infra_center/ocp_upi/04-destroy.yaml
index 19b80aaff..3626c4c48 100644
--- a/z_infra_provisioning/cloud_infra_center/ocp_upi/04-destroy.yaml
+++ b/z_infra_provisioning/cloud_infra_center/ocp_upi/04-destroy.yaml
@@ -25,3 +25,6 @@
 - volume_type_id is defined
 - vm_type == "kvm"
 - import_playbook: destroy-files.yaml
+- import_playbook: destroy-bastion.yaml
+ when: use_bastion == true
+
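Review bot: `when: use_bastion == true` on the two new `import_playbook` entries (and on the one in the 04-destroy.yaml hunk on this same line) only matches a YAML boolean; a value supplied as `-e use_bastion=true` arrives as the string "true", the comparison is false and the DNS/HAProxy plays are skipped with nothing more than a "skipping" line. `when: use_bastion | bool` accepts both forms, and `when: use_bastion | default(true) | bool` additionally keeps inventories that predate the new key from failing with an undefined-variable error while preserving the default this patch adds to inventory.yaml. The last added line of the 04-destroy.yaml hunk is whitespace-only and should be an empty line or dropped.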
diff --git a/z_infra_provisioning/cloud_infra_center/ocp_upi/README.md b/z_infra_provisioning/cloud_infra_center/ocp_upi/README.md index 16316a41d..6bf85bcbe 100644 --- a/z_infra_provisioning/cloud_infra_center/ocp_upi/README.md +++ b/z_infra_provisioning/cloud_infra_center/ocp_upi/README.md @@ -288,6 +288,7 @@ Update your settings based on the samples. The following propeties are **require If you need the Ansible playbook to help configure DNS server or HAProxy server on bastion server, you need to configure correct bastion properties. | Property|
Default
| Description | | --------------------------------------- | ------------------------------------- |:-----| +| `use_bastion` | true | When false, you need configure DNS or HAproxy manually in step 2. | `ansible_ssh_host` | \ | 'x.x.x.x'
**required** when use bastion server, give the IP address of bastion server. | `bastion_private_ip_address` | \ |IP address of your bastion node
**required** when use bastion server, give the IP address of bastion server. | `dns_forwarder` | \ |For nameserver where requests should be forwarded for resolution.
**required** when use bastion server @@ -324,7 +325,9 @@ ansible-playbook -i inventory.yaml 01-preparation.yaml 2. **Step2**: -**Note**: This step is optional. You can skip this step if you want to use your external or existing DNS and Load Balancer, you can refer [Add-DNS-HAProxy](docs/add-dns-haproxy.md) to update it. +**Note**: This step is optional. +You can skip this step if you set use_bastion true. +You can skip this step if you want to use your external or existing DNS and Load Balancer, you can refer [Add-DNS-HAProxy](docs/add-dns-haproxy.md) to update it. > Use this playbook to configure the DNS server and HAProxy, please add `-K` parameter if you use the non-root user, and enter the password for your user. ```sh @@ -337,6 +340,10 @@ ansible-playbook -i inventory.yaml bastion.yaml -K ```sh ansible-playbook -i inventory.yaml configure-haproxy.yaml ``` +> If you use your external or existing Load Balancer server, but no Load Balancer, you can refer [Add-DNS-HAProxy](docs/add-dns-haproxy.md) to update Load Balancer part, and use this playbook to configure DNS in your bastion server. +```sh +ansible-playbook -i inventory.yaml configure-dns.yaml +``` 3. **Step3**: diff --git a/z_infra_provisioning/cloud_infra_center/ocp_upi/destroy-bastion.yaml b/z_infra_provisioning/cloud_infra_center/ocp_upi/destroy-bastion.yaml new file mode 100644 index 000000000..c8e25d971 --- /dev/null +++ b/z_infra_provisioning/cloud_infra_center/ocp_upi/destroy-bastion.yaml 
@@ -0,0 +1,71 @@
+# =================================================================
+# Copyright 2021 https://github.com/openshift/installer
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# =================================================================
+
+# Required Python packages:
+#
+# ansible
+# openstackclient
+# openstacksdk
+
+- hosts: localhost
+ gather_facts: false
+
+ tasks:
+ - name: 'Import common yaml'
+ become: true
+ become_user: root
+ become_method: sudo
+ ansible.builtin.blockinfile:
+ dest: /etc/named.conf
+ state: absent
+ block: |
+ zone "{{ cluster_name }}.{{ base_domain }}" {
+ type master;
+ file "{{ cluster_name }}.{{ base_domain }}.zone";
+ allow-query { any; };
+ allow-transfer { none; };
+ allow-update { none; };
+ };
+ notify:
+ - restart dns
+
+ - name: Add reverse name resolution to /etc/named.conf
+ become: true
+ become_user: root
+ become_method: sudo
+ ansible.builtin.blockinfile:
+ dest: /etc/named.conf
+ state: absent
+ block: |
+ zone "{{ bastion_reverse }}.in-addr.arpa" {
+ type master;
+ file "{{ bastion_reverse }}.in-addr.arpa.zone";
+ allow-query { any; };
+ allow-transfer { none; };
+ allow-update { none; };
+ };
+ notify:
+ - restart dns
+
+ - name: Remove cluster name resolution zone file
+ ansible.builtin.file:
+ path: /var/named/{{ cluster_domain_name }}.zone
+ state: absent
+
+ - name: Remove cluster reverse name resolution zone file
+ ansible.builtin.file:
+ path: /var/named/{{ bastion_reverse }}.in-addr.arpa.{{ 
cluster_domain_name }}.zone + state: absent diff --git a/z_infra_provisioning/cloud_infra_center/ocp_upi/docs/add-dns-haproxy.md b/z_infra_provisioning/cloud_infra_center/ocp_upi/docs/add-dns-haproxy.md index 160cb35a5..aebd1b821 100644 --- a/z_infra_provisioning/cloud_infra_center/ocp_upi/docs/add-dns-haproxy.md +++ b/z_infra_provisioning/cloud_infra_center/ocp_upi/docs/add-dns-haproxy.md @@ -261,7 +261,7 @@ backend ocp4-router-https-seconds 2. Restart HAProxy ``` -systemctl restrat HAProxy +systemctl restart haproxy ``` 3. Test if DNS and HAProxy works diff --git a/z_infra_provisioning/cloud_infra_center/ocp_upi/inventory.yaml b/z_infra_provisioning/cloud_infra_center/ocp_upi/inventory.yaml index 66fc01361..36dd7bf97 100644 --- a/z_infra_provisioning/cloud_infra_center/ocp_upi/inventory.yaml +++ b/z_infra_provisioning/cloud_infra_center/ocp_upi/inventory.yaml @@ -76,6 +76,7 @@ all: create_server_timeout: 10 # minute bastion: + use_bastion: true ansible_ssh_host: '' ansible_ssh_common_args: "-o StrictHostKeyChecking=no" bastion_private_ip_address: '' diff --git a/z_infra_provisioning/cloud_infra_center/ocp_upi/roles/configure-dns/tasks/main.yml b/z_infra_provisioning/cloud_infra_center/ocp_upi/roles/configure-dns/tasks/main.yml index 472a1ce70..21a81fd2e 100755 --- a/z_infra_provisioning/cloud_infra_center/ocp_upi/roles/configure-dns/tasks/main.yml +++ b/z_infra_provisioning/cloud_infra_center/ocp_upi/roles/configure-dns/tasks/main.yml @@ -18,6 +18,10 @@ # tasks file for configure-dns - ansible.builtin.include_vars: cluster-template.yaml +- name: Get Service Status + ansible.builtin.shell: systemctl is-active named-chroot + register: named_status + - name: Install bind-chroot for dns become: true become_user: root @@ -25,6 +29,7 @@ ansible.builtin.yum: name: bind-chroot state: latest + when: named_status == "inactive" - name: Create /var/named directory become: true 
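Review bot: Both `notify: - restart dns` entries in destroy-bastion.yaml reference a handler this play never defines — it has `tasks:` but no `handlers:` section and no role — so the first time one of the blockinfile tasks reports changed, Ansible aborts with a handler-not-found error instead of restarting named. Either add a `handlers:` section with a `restart dns` handler to this play, or drop the `notify:` lines and restart the service explicitly after the removals. The first task is named `'Import common yaml'` but removes the forward zone from /etc/named.conf; `- name: Remove name resolution from /etc/named.conf` says what it does. The two `ansible.builtin.file` removals under /var/named run without the `become: true` the blockinfile tasks carry, so they fail for a non-root connecting user. The play also targets `hosts: localhost`, which is only right if the configure-dns play edits /etc/named.conf on the controller rather than on the bastion group — worth confirming against configure-dns.yaml.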
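Review bot: `systemctl is-active named-chroot` exits non-zero whenever the unit is not active, so on a bastion where bind-chroot is not yet installed the new `Get Service Status` shell task fails and the role stops before the `when: named_status == "inactive"` install path is ever reached; add `failed_when: false` and `changed_when: false` to that task (and prefer `ansible.builtin.command`, since no shell features are used). The comparison itself is also wrong: `named_status` is the registered result dict, so `named_status == "inactive"` here and the `named_status == "active"` checks later are never true and every guarded task — yum install, directory creation, the named.conf template, both sed updates and the two blockinfile inserts — is skipped; they should read `when: named_status.stdout == "inactive"` / `"active"`, as the `checknamed.stdout` check further down already does. `is-active` can additionally print `unknown`, `failed` or `activating`, so an `inactive`-only branch leaves those states with neither path taken; testing `named_status.stdout != "active"` for the install path is more robust. The same `named_status` comparison appears in the hunks at @@ -33, @@ -87, @@ -108, @@ -117 and @@ -126.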
@@ -33,6 +38,7 @@ ansible.builtin.file: path: /var/named state: directory + when: named_status == "inactive" - name: Combine cluster name and base domain ansible.builtin.set_fact: @@ -42,7 +48,7 @@ ansible.builtin.set_fact: subnet_range: "{{ lookup('file', '.subnet_range.yml') }}" -- name: Create dns subnet definition +- name: Create name resolution for cluster become: true become_user: root become_method: sudo 
@@ -87,18 +93,70 @@ ansible.builtin.set_fact: bastion_reverse: "{{ os_dns_domain.split('.')[:-1][::-1]|join('.') }}" -- name: Create dns subnet zone for bastion +- name: Create reverse name resolution for cluster become: true become_user: root become_method: sudo ansible.builtin.template: src: var/named/bastion.in-addr.arpa.zone.j2 - dest: /var/named/{{ bastion_reverse }}.in-addr.arpa.zone + dest: /var/named/{{ bastion_reverse }}.in-addr.arpa.{{ cluster_domain_name }}.zone owner: named group: named notify: - restart dns +# if named-chroot is running, use insert. +- name: Check if DNS is already defined in /etc/named.conf + become: true + become_user: root + become_method: sudo + ansible.builtin.shell: grep -c "^{{ cluster_domain_name }}" /etc/named.conf || true + register: checknamed + +- name: Add name resolution to /etc/named.conf + become: true + become_user: root + become_method: sudo + ansible.builtin.blockinfile: + dest: /etc/named.conf + insertafter: EOF + block: | + zone "{{ cluster_name }}.{{ base_domain }}" { + type master; + file "{{ cluster_name }}.{{ base_domain }}.zone"; + allow-query { any; }; + allow-transfer { none; }; + allow-update { none; }; + }; + notify: + - restart dns + when: + - named_status == "active" + - checknamed.stdout == "0" + +- name: Add reverse name resolution to /etc/named.conf + become: true + become_user: root + become_method: sudo + ansible.builtin.blockinfile: + dest: /etc/named.conf + insertafter: EOF + block: | + zone "{{ bastion_reverse }}.in-addr.arpa.{{ cluster_domain_name }}" { + type master; + file "{{ bastion_reverse }}.in-addr.arpa.{{ cluster_domain_name }}.zone"; + allow-query { any; }; + allow-transfer { none; }; + allow-update { none; }; + }; + notify: + - restart dns + when: + - named_status == "active" + - checknamed.stdout == "0" + +# if named-chroot is not running, use replace. + - name: Create /etc/named.conf become: true become_user: root 
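Review bot: The reverse zone is now declared as `zone "{{ bastion_reverse }}.in-addr.arpa.{{ cluster_domain_name }}"` (here and in the named.conf.j2 hunk), but PTR queries for the subnet arrive as `<octets>.in-addr.arpa.` and a zone whose name carries a trailing cluster domain is never authoritative for them, so reverse resolution stops working; keep the zone name as `{{ bastion_reverse }}.in-addr.arpa` and put the per-cluster suffix only in the `file` directive and the template `dest`, which is where uniqueness was wanted. Both new blockinfile tasks also use the module's default marker, and blockinfile identifies a block by its marker rather than its content, so the reverse-zone task replaces the forward-zone block instead of adding a second one; give each task its own `marker: "# {mark} ANSIBLE MANAGED BLOCK {{ cluster_domain_name }} forward"` (and `reverse`), and use the same markers in destroy-bastion.yaml's `state: absent` tasks, which for the same reason currently both remove the same block. The `checknamed` pre-check greps for `^{{ cluster_domain_name }}`, but zone statements in named.conf start with `zone "`, so `checknamed.stdout` is always "0" and the guard adds nothing; grepping for `zone "{{ cluster_domain_name }}"` would match the real line, though with per-task markers blockinfile is already idempotent and the check could be dropped.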
@@ -108,6 +166,7 @@ dest: /etc/named.conf notify: - restart dns + when: named_status == "inactive" - name: Update cluster_subnet_range become: true @@ -117,6 +176,7 @@ cmd: sed -i "s|cluster_subnet_range|{{ subnet_range }}|g" /etc/named.conf notify: - restart dns + when: named_status == "inactive" - name: Update bastion_subnet_prefix_reverse become: true @@ -126,6 +186,7 @@ cmd: sed -i "s/bastion_subnet_prefix_reverse/{{ bastion_reverse }}/g" /etc/named.conf notify: - restart dns + when: named_status == "inactive" - name: Add dns to firewall become: true diff --git a/z_infra_provisioning/cloud_infra_center/ocp_upi/roles/configure-dns/templates/etc/named.conf.j2 b/z_infra_provisioning/cloud_infra_center/ocp_upi/roles/configure-dns/templates/etc/named.conf.j2 index b32e6a79f..bd461dc9f 100755 --- a/z_infra_provisioning/cloud_infra_center/ocp_upi/roles/configure-dns/templates/etc/named.conf.j2 +++ b/z_infra_provisioning/cloud_infra_center/ocp_upi/roles/configure-dns/templates/etc/named.conf.j2 @@ -51,9 +51,9 @@ zone "{{ cluster_name }}.{{ base_domain }}" { }; -zone "bastion_subnet_prefix_reverse.in-addr.arpa" { +zone "bastion_subnet_prefix_reverse.in-addr.arpa.{{ cluster_name }}.{{ base_domain }}" { type master; - file "bastion_subnet_prefix_reverse.in-addr.arpa.zone"; + file "bastion_subnet_prefix_reverse.in-addr.arpa.{{ cluster_name }}.{{ base_domain }}.zone"; allow-query { any; }; allow-transfer { none; }; allow-update { none; };