IBM · zhengxiaomei123 · Jun 2, 2023 · shhull · Jun 19, 2023
diff --git a/z_infra_provisioning/cloud_infra_center/ocp_upi/01-preparation.yaml b/z_infra_provisioning/cloud_infra_center/ocp_upi/01-preparation.yaml
@@ -42,3 +42,7 @@
 - import_playbook: configure-security-groups.yaml
 - import_playbook: configure-network.yaml
 - import_playbook: configure-bastion-properties.yaml
+- import_playbook: configure-dns.yaml
+  when: use_bastion == true
+- import_playbook: configure-haproxy.yaml
+  when: use_bastion == true
diff --git a/z_infra_provisioning/cloud_infra_center/ocp_upi/04-destroy.yaml b/z_infra_provisioning/cloud_infra_center/ocp_upi/04-destroy.yaml
@@ -25,3 +25,6 @@
     - volume_type_id is defined
     - vm_type == "kvm"
 - import_playbook: destroy-files.yaml
+- import_playbook: destroy-bastion.yaml
+  when: use_bastion == true
+
diff --git a/z_infra_provisioning/cloud_infra_center/ocp_upi/README.md b/z_infra_provisioning/cloud_infra_center/ocp_upi/README.md
@@ -288,6 +288,7 @@ Update your settings based on the samples. The following propeties are **require
 If you need the Ansible playbook to help configure DNS server or HAProxy server on bastion server, you need to configure correct bastion properties.
 | Property| <div style="width:220px">Default</div> | Description                           |
 | --------------------------------------- | ------------------------------------- |:-----|
+| `use_bastion` | true | When false, you need configure DNS or HAproxy manually in step 2.
 | `ansible_ssh_host` | \<linux server ip addr\> | 'x.x.x.x'<br> **required** when use bastion server, give the IP address of bastion server.
 | `bastion_private_ip_address` | \<bastion ip addr\>      |IP address of your bastion node<br>**required** when use bastion server, give the IP address of bastion server.
 | `dns_forwarder` | \<upstream DNS ip addr\> |For nameserver where requests should be forwarded for resolution.<br>**required** when use bastion server
@@ -324,7 +325,9 @@ ansible-playbook -i inventory.yaml 01-preparation.yaml
 
 2. **Step2**:
 
-**Note**: This step is optional. You can skip this step if you want to use your external or existing DNS and Load Balancer, you can refer [Add-DNS-HAProxy](docs/add-dns-haproxy.md) to update it.
+**Note**: This step is optional. 
+You can skip this step if you set use_bastion true.
+You can skip this step if you want to use your external or existing DNS and Load Balancer, you can refer [Add-DNS-HAProxy](docs/add-dns-haproxy.md) to update it.
 
 > Use this playbook to configure the DNS server and HAProxy, please add `-K` parameter if you use the non-root user, and enter the password for your user.
 ```sh
@@ -337,6 +340,10 @@ ansible-playbook -i inventory.yaml bastion.yaml -K
 ```sh
 ansible-playbook -i inventory.yaml configure-haproxy.yaml
 ```
+> If you use your external or existing Load Balancer server, but no Load Balancer, you can refer [Add-DNS-HAProxy](docs/add-dns-haproxy.md) to update Load Balancer part, and use this playbook to configure DNS in your bastion server.
+```sh
+ansible-playbook -i inventory.yaml configure-dns.yaml
+```
 
 3. **Step3**:
 

diff --git a/z_infra_provisioning/cloud_infra_center/ocp_upi/destroy-bastion.yaml b/z_infra_provisioning/cloud_infra_center/ocp_upi/destroy-bastion.yaml
@@ -0,0 +1,71 @@
+# =================================================================
+# Copyright 2021 https://github.com/openshift/installer
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# =================================================================
+
+# Required Python packages:
+#
+# ansible
+# openstackclient
+# openstacksdk
+
+- hosts: localhost
+  gather_facts: false
+
+  tasks:
+    - name: 'Import common yaml'
+      become: true
+      become_user: root
+      become_method: sudo
+      ansible.builtin.blockinfile:
+        dest: /etc/named.conf
+        state: absent
+        block: |
+          zone "{{ cluster_name }}.{{ base_domain }}" {
+                  type master;
+                  file "{{ cluster_name }}.{{ base_domain }}.zone";
+                  allow-query { any; };
+                  allow-transfer { none; };
+                  allow-update { none; };
+          };
+      notify:
+        - restart dns
+
+    - name: Add reverse name resolution to /etc/named.conf
+      become: true
+      become_user: root
+      become_method: sudo
+      ansible.builtin.blockinfile:
+        dest: /etc/named.conf
+        state: absent
+        block: |
+          zone "{{ bastion_reverse }}.in-addr.arpa" {
+                  type master;
+                  file "{{ bastion_reverse }}.in-addr.arpa.zone";
+                  allow-query { any; };
+                  allow-transfer { none; };
+                  allow-update { none; };
+          };
+      notify:
+        - restart dns
+
+    - name: Remove cluster name resolution zone file
+      ansible.builtin.file:
+        path: /var/named/{{ cluster_domain_name }}.zone
+        state: absent
+
+    - name: Remove cluster reverse name resolution zone file
+      ansible.builtin.file:
+        path: /var/named/{{ bastion_reverse }}.in-addr.arpa.{{ cluster_domain_name }}.zone
+        state: absent
diff --git a/z_infra_provisioning/cloud_infra_center/ocp_upi/docs/add-dns-haproxy.md b/z_infra_provisioning/cloud_infra_center/ocp_upi/docs/add-dns-haproxy.md
@@ -261,7 +261,7 @@ backend ocp4-router-https-seconds
 2. Restart HAProxy
 
 ```
-systemctl restrat HAProxy
+systemctl restart haproxy
 ```
 
 3. Test if DNS and HAProxy works

diff --git a/z_infra_provisioning/cloud_infra_center/ocp_upi/inventory.yaml b/z_infra_provisioning/cloud_infra_center/ocp_upi/inventory.yaml
@@ -76,6 +76,7 @@ all:
       create_server_timeout: 10 # minute
 
     bastion:
+      use_bastion: true
       ansible_ssh_host: '<linux-server-ip-addr>'
       ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
       bastion_private_ip_address: '<bastion-ip-addr>'

diff --git a/z_infra_provisioning/cloud_infra_center/ocp_upi/roles/configure-dns/tasks/main.yml b/z_infra_provisioning/cloud_infra_center/ocp_upi/roles/configure-dns/tasks/main.yml
@@ -18,13 +18,18 @@
 # tasks file for configure-dns
 - ansible.builtin.include_vars: cluster-template.yaml
 
+- name: Get Service Status
+  ansible.builtin.shell: systemctl is-active named-chroot
+  register: named_status
+
 - name: Install bind-chroot for dns
   become: true
   become_user: root
   become_method: sudo
   ansible.builtin.yum:
     name: bind-chroot
     state: latest
+  when: named_status == "inactive"
 
 - name: Create /var/named directory
   become: true
@@ -33,6 +38,7 @@
   ansible.builtin.file:
     path: /var/named
     state: directory
+  when: named_status == "inactive"
 
 - name: Combine cluster name and base domain
   ansible.builtin.set_fact:
@@ -42,7 +48,7 @@
   ansible.builtin.set_fact:
     subnet_range: "{{ lookup('file', '.subnet_range.yml') }}"
 
-- name: Create dns subnet definition
+- name: Create name resolution for cluster
   become: true
   become_user: root
   become_method: sudo
@@ -87,18 +93,70 @@
   ansible.builtin.set_fact:
     bastion_reverse: "{{ os_dns_domain.split('.')[:-1][::-1]|join('.') }}"
 
-- name: Create dns subnet zone for bastion
+- name: Create reverse name resolution for cluster
   become: true
   become_user: root
   become_method: sudo
   ansible.builtin.template:
     src: var/named/bastion.in-addr.arpa.zone.j2
-    dest: /var/named/{{ bastion_reverse }}.in-addr.arpa.zone
+    dest: /var/named/{{ bastion_reverse }}.in-addr.arpa.{{ cluster_domain_name }}.zone
     owner: named
     group: named
   notify:
     - restart dns
 
+# if named-chroot is running, use insert.
+- name: Check if DNS is already defined in /etc/named.conf
+  become: true
+  become_user: root
+  become_method: sudo
+  ansible.builtin.shell: grep -c "^{{ cluster_domain_name }}" /etc/named.conf || true
+  register: checknamed
+
+- name: Add name resolution to /etc/named.conf
+  become: true
+  become_user: root
+  become_method: sudo
+  ansible.builtin.blockinfile:
+    dest: /etc/named.conf
+    insertafter: EOF
+    block: |
+      zone "{{ cluster_name }}.{{ base_domain }}" {
+              type master;
+              file "{{ cluster_name }}.{{ base_domain }}.zone";
+              allow-query { any; };
+              allow-transfer { none; };
+              allow-update { none; };
+      };
+  notify:
+    - restart dns
+  when: 
+    - named_status == "active"
+    - checknamed.stdout == "0"
+
+- name: Add reverse name resolution to /etc/named.conf
+  become: true
+  become_user: root
+  become_method: sudo
+  ansible.builtin.blockinfile:
+    dest: /etc/named.conf
+    insertafter: EOF
+    block: |
+      zone "{{ bastion_reverse }}.in-addr.arpa.{{ cluster_domain_name }}" {
+              type master;
+              file "{{ bastion_reverse }}.in-addr.arpa.{{ cluster_domain_name }}.zone";
+              allow-query { any; };
+              allow-transfer { none; };
+              allow-update { none; };
+      };
+  notify:
+    - restart dns
+  when: 
+    - named_status == "active"
+    - checknamed.stdout == "0"
+
+# if named-chroot is not running, use replace.
+
 - name: Create /etc/named.conf
   become: true
   become_user: root
@@ -108,6 +166,7 @@
     dest: /etc/named.conf
   notify:
     - restart dns
+  when: named_status == "inactive"
 
 - name: Update cluster_subnet_range
   become: true
@@ -117,6 +176,7 @@
     cmd: sed -i "s|cluster_subnet_range|{{ subnet_range }}|g" /etc/named.conf
   notify:
     - restart dns
+  when: named_status == "inactive"
 
 - name: Update bastion_subnet_prefix_reverse
   become: true
@@ -126,6 +186,7 @@
     cmd: sed -i "s/bastion_subnet_prefix_reverse/{{ bastion_reverse }}/g" /etc/named.conf
   notify:
     - restart dns
+  when: named_status == "inactive"
 
 - name: Add dns to firewall
   become: true

diff --git a/...a_provisioning/cloud_infra_center/ocp_upi/roles/configure-dns/templates/etc/named.conf.j2 b/...a_provisioning/cloud_infra_center/ocp_upi/roles/configure-dns/templates/etc/named.conf.j2
@@ -51,9 +51,9 @@ zone "{{ cluster_name }}.{{ base_domain }}" {
 };
 
 
-zone "bastion_subnet_prefix_reverse.in-addr.arpa" {
+zone "bastion_subnet_prefix_reverse.in-addr.arpa.{{ cluster_name }}.{{ base_domain }}" {
         type master;
-        file "bastion_subnet_prefix_reverse.in-addr.arpa.zone";
+        file "bastion_subnet_prefix_reverse.in-addr.arpa.{{ cluster_name }}.{{ base_domain }}.zone";
         allow-query { any; };
         allow-transfer { none; };
         allow-update { none; };