Fix and cleanup not required dns bits

* Do not manage hostnames for openstack cloud provider,
  let cloud-init to do its job.
* Make python-dns / dnspython dependency check conditional.
* Drop not used dns node flavor and image.
* Do not manage dns nodes and sec groups in heat stacks.
* Keep supporting dynamic updates for private DNS records, yet only
  limited to an external DNS managed elsewhere (not deployed by
  the openshift_openstack provider). So users may still benefit from
  this feature, sending nsupdates to private and public servers as
  they want it.
* Fix openstack default for external nsupdate keys. It should be
  undefined by default as the dns-populate logic is based on that.
* Fix dns records generation for openstack provider's populate-dns
* Update docs

playbooks/openstack/advanced-configuration.md

@@ -23,35 +23,14 @@ There are no additional dependencies for the cluster nodes. Required
 configuration steps are done by Heat given a specific user data config
 that normally should not be changed.
 
-## Required galaxy modules
-
-In order to pull in external dependencies for DNS configuration steps,
-the following commads need to be executed:
-
-    ansible-galaxy install \
-      -r openshift-ansible-contrib/playbooks/provisioning/openstack/galaxy-requirements.yaml \
-      -p openshift-ansible-contrib/roles
-
-Alternatively you can install directly from github:
-
-    ansible-galaxy install git+https://github.com/redhat-cop/infra-ansible,master \
-      -p openshift-ansible-contrib/roles
-
-Notes:
-* This assumes we're in the directory that contains the clonned
-openshift-ansible-contrib repo in its root path.
-* When trying to install a different version, the previous one must be removed first
-(`infra-ansible` directory from [roles](https://github.com/openshift/openshift-ansible-contrib/tree/master/roles)).
-Otherwise, even if there are differences between the two versions, installation of the newer version is skipped.
-
-
 ## Accessing the OpenShift Cluster
 
 ### Configure DNS
 
-OpenShift requires two DNS records to function fully. The first one points to
+OpenShift requires a two public DNS records to function fully. The first one points to
 the master/load balancer and provides the UI/API access. The other one is a
-wildcard domain that resolves app route requests to the infra node.
+wildcard domain that resolves app route requests to the infra node. A private DNS
+server and records are not required and not managed here.
 
 If you followed the default installation from the README section, there is no
 DNS configured. You should add two entries to the `/etc/hosts` file on the
@@ -187,8 +166,8 @@ That sudomain can be set as well by the `openshift_openstack_app_subdomain` vari
 the inventory.
 
 The `openstack_<role name>_hostname` is a set of variables used for customising
-hostnames of servers with a given role. When such a variable stays commented,
-default hostname (usually the role name) is used.
+public names of Nova servers provisioned with a given role. When such a variable stays commented,
+default value (usually the role name) is used.
 
 The `openshift_openstack_dns_nameservers` is a list of DNS servers accessible from all
 the created Nova servers. These will provide the internal name resolution for
@@ -203,7 +182,7 @@ When Network Manager is enabled for provisioned cluster nodes, which is
 normally the case, you should not change the defaults and always deploy dnsmasq.
 
 `openshift_openstack_external_nsupdate_keys` describes an external authoritative DNS server(s)
-processing dynamic records updates in the public and private cluster views:
+processing dynamic records updates in the public only cluster view:
 
     openshift_openstack_external_nsupdate_keys:
       public:
@@ -211,10 +190,6 @@ processing dynamic records updates in the public and private cluster views:
         key_algorithm: 'hmac-md5'
         key_name: 'update-key'
         server: <public DNS server IP>
-      private:
-        key_secret: <some nsupdate key 2>
-        key_algorithm: 'hmac-sha256'
-        server: <public or private DNS server IP>
 
 Here, for the public view section, we specified another key algorithm and
 optional `key_name`, which normally defaults to the cluster's DNS domain.
@@ -222,24 +197,6 @@ This just illustrates a compatibility mode with a DNS service deployed
 by OpenShift on OSP10 reference architecture, and used in a mixed mode with
 another external DNS server.
 
-Another example defines an external DNS server for the public view
-additionally to the in-stack DNS server used for the private view only:
-
-    openshift_openstack_external_nsupdate_keys:
-      public:
-        key_secret: <some nsupdate key>
-        key_algorithm: 'hmac-sha256'
-        server: <public DNS server IP>
-
-Here, updates matching the public view will be hitting the given public
-server IP. While updates matching the private view will be sent to the
-auto evaluated in-stack DNS server's **public** IP.
-
-Note, for the in-stack DNS server, private view updates may be sent only
-via the public IP of the server. You can not send updates via the private
-IP yet. This forces the in-stack private server to have a floating IP.
-See also the [security notes](#security-notes)
-
 ## Flannel networking
 
 In order to configure the
@@ -376,18 +333,6 @@ be the case for development environments. When turned off, the servers will
 be provisioned omitting the ``yum update`` command. This brings security
 implications though, and is not recommended for production deployments.
 
-### DNS servers security options
-
-Aside from `openshift_openstack_node_ingress_cidr` restricting public access to in-stack DNS
-servers, there are following (bind/named specific) DNS security
-options available:
-
-    named_public_recursion: 'no'
-    named_private_recursion: 'yes'
-
-External DNS servers, which is not included in the 'dns' hosts group,
-are not managed. It is up to you to configure such ones.
-
 ## Configure the OpenShift parameters
 
 Finally, you need to update the DNS entry in

playbooks/openstack/openshift-cluster/provision.yml

@@ -27,9 +27,6 @@
     setup:
 
 
-# NOTE(shadower): the (internal) DNS must be functional at this point!!
-# That will have happened in provision.yml if nsupdate was configured.
-
 # TODO(shadower): consider splitting this up so people can stop here
 # and configure their DNS if they have to.
 - name: Populate the DNS entries

roles/openshift_openstack/defaults/main.yml

@@ -7,7 +7,6 @@ openshift_openstack_lb_ingress_cidr: 0.0.0.0/0
 openshift_openstack_num_etcd: 0
 openshift_openstack_num_masters: 1
 openshift_openstack_num_nodes: 1
-openshift_openstack_num_dns: 0
 openshift_openstack_num_infra: 1
 openshift_openstack_dns_nameservers: []
 openshift_openstack_nodes_to_remove: []
@@ -44,7 +43,6 @@ openshift_openstack_container_storage_setup:
 
 # populate-dns
 openshift_openstack_dns_records_add: []
-openshift_openstack_external_nsupdate_keys: {}
 
 openshift_openstack_full_dns_domain: "{{ (openshift_openstack_clusterid|trim == '') | ternary(openshift_openstack_public_dns_domain, openshift_openstack_clusterid + '.' + openshift_openstack_public_dns_domain) }}"
 openshift_openstack_app_subdomain: "apps"
@@ -59,20 +57,17 @@ openshift_openstack_infra_hostname: infra-node
 openshift_openstack_node_hostname: app-node
 openshift_openstack_lb_hostname: lb
 openshift_openstack_etcd_hostname: etcd
-openshift_openstack_dns_hostname: dns
 openshift_openstack_keypair_name: openshift
 openshift_openstack_lb_flavor: "{{ openshift_openstack_default_flavor }}"
 openshift_openstack_etcd_flavor: "{{ openshift_openstack_default_flavor }}"
 openshift_openstack_master_flavor: "{{ openshift_openstack_default_flavor }}"
 openshift_openstack_node_flavor: "{{ openshift_openstack_default_flavor }}"
 openshift_openstack_infra_flavor: "{{ openshift_openstack_default_flavor }}"
-openshift_openstack_dns_flavor: "{{ openshift_openstack_default_flavor }}"
 openshift_openstack_master_image: "{{ openshift_openstack_default_image_name }}"
 openshift_openstack_infra_image: "{{ openshift_openstack_default_image_name }}"
 openshift_openstack_node_image: "{{ openshift_openstack_default_image_name }}"
 openshift_openstack_lb_image: "{{ openshift_openstack_default_image_name }}"
 openshift_openstack_etcd_image: "{{ openshift_openstack_default_image_name }}"
-openshift_openstack_dns_image: "{{ openshift_openstack_default_image_name }}"
 openshift_openstack_provider_network_name: null
 openshift_openstack_external_network_name: null
 openshift_openstack_private_network: >-
@@ -88,6 +83,5 @@ openshift_openstack_master_volume_size: "{{ openshift_openstack_docker_volume_si
 openshift_openstack_infra_volume_size: "{{ openshift_openstack_docker_volume_size }}"
 openshift_openstack_node_volume_size: "{{ openshift_openstack_docker_volume_size }}"
 openshift_openstack_etcd_volume_size: 2
-openshift_openstack_dns_volume_size: 1
 openshift_openstack_lb_volume_size: 5
 openshift_openstack_ephemeral_volumes: false

roles/openshift_openstack/tasks/check-prerequisites.yml

@@ -32,10 +32,12 @@
   command: python -c "import dns"
   ignore_errors: yes
   register: pythondns_result
+  when: openshift_openstack_external_nsupdate_keys is defined
 - name: Check if python-dns is installed
   assert:
     that: 'pythondns_result.rc == 0'
     msg: "Python module python-dns is not installed"
+  when: openshift_openstack_external_nsupdate_keys is defined
 
 # Check jinja2
 - name: Try to import jinja2 module
@@ -92,7 +94,6 @@
   - "{{ openshift_openstack_node_image }}"
   - "{{ openshift_openstack_lb_image }}"
   - "{{ openshift_openstack_etcd_image }}"
-  - "{{ openshift_openstack_dns_image }}"
 
 # Check that custom flavors are available
 - include: custom_flavor_check.yaml
@@ -102,4 +103,3 @@
   - "{{ openshift_openstack_node_flavor }}"
   - "{{ openshift_openstack_lb_flavor }}"
   - "{{ openshift_openstack_etcd_flavor }}"
-  - "{{ openshift_openstack_dns_flavor }}"

roles/openshift_openstack/tasks/hostname.yml

@@ -1,26 +0,0 @@
----
-- name: Setting Hostname Fact
-  set_fact:
-    new_hostname: "{{ custom_hostname | default(inventory_hostname_short) }}"
-
-- name: Setting FQDN Fact
-  set_fact:
-    new_fqdn: "{{ new_hostname }}.{{ openshift_openstack_full_dns_domain }}"
-
-- name: Setting hostname and DNS domain
-  hostname: name="{{ new_fqdn }}"
-
-- name: Check for cloud.cfg
-  stat: path=/etc/cloud/cloud.cfg
-  register: cloud_cfg
-
-- name: Prevent cloud-init updates of hostname/fqdn (if applicable)
-  lineinfile:
-    dest: /etc/cloud/cloud.cfg
-    state: present
-    regexp: "{{ item.regexp }}"
-    line: "{{ item.line }}"
-  with_items:
-  - { regexp: '^ - set_hostname', line: '# - set_hostname' }
-  - { regexp: '^ - update_hostname', line: '# - update_hostname' }
-  when: cloud_cfg.stat.exists == True

roles/openshift_openstack/tasks/node-configuration.yml

@@ -4,8 +4,6 @@
     msg: "SELinux is required for OpenShift and has been detected as '{{ ansible_selinux.config_mode }}'"
   when: ansible_selinux.config_mode != "enforcing"
 
-- include: hostname.yml
-
 - include: container-storage-setup.yml
 
 - include: node-network.yml

roles/openshift_openstack/tasks/populate-dns.yml

@@ -30,7 +30,6 @@
     nsupdate_key_algorithm_private: "{{ openshift_openstack_external_nsupdate_keys['private']['key_algorithm'] }}"
     nsupdate_private_key_name: "{{ openshift_openstack_external_nsupdate_keys['private']['key_name']|default('private-' + openshift_openstack_full_dns_domain) }}"
   when:
-    - openshift_openstack_external_nsupdate_keys is defined
     - openshift_openstack_external_nsupdate_keys['private'] is defined
 
 
@@ -44,6 +43,8 @@
         key_secret: "{{ nsupdate_key_secret_private }}"
         key_algorithm: "{{ nsupdate_key_algorithm_private | lower }}"
         entries: "{{ private_records }}"
+  when:
+    - openshift_openstack_external_nsupdate_keys['private'] is defined
 
 - name: "Generate list of public A records"
   set_fact:
@@ -78,7 +79,6 @@
     nsupdate_key_algorithm_public: "{{ openshift_openstack_external_nsupdate_keys['public']['key_algorithm'] }}"
     nsupdate_public_key_name: "{{ openshift_openstack_external_nsupdate_keys['public']['key_name']|default('public-' + openshift_openstack_full_dns_domain) }}"
   when:
-    - openshift_openstack_external_nsupdate_keys is defined
     - openshift_openstack_external_nsupdate_keys['public'] is defined
 
 - name: "Generate the public Add section for DNS"
@@ -91,11 +91,13 @@
         key_secret: "{{ nsupdate_key_secret_public }}"
         key_algorithm: "{{ nsupdate_key_algorithm_public | lower }}"
         entries: "{{ public_records }}"
+  when:
+    - openshift_openstack_external_nsupdate_keys['public'] is defined
 
 
 - name: "Generate the final openshift_openstack_dns_records_add"
   set_fact:
-    openshift_openstack_dns_records_add: "{{ private_named_records + public_named_records }}"
+    openshift_openstack_dns_records_add: "{{ private_named_records|default([]) + public_named_records|default([]) }}"
 
 
 - name: "Add DNS A records"
@@ -111,7 +113,7 @@
     # TODO(shadower): add a cleanup playbook that removes these records, too!
     state: present
   with_subelements:
-    - "{{ openshift_openstack_dns_records_add | default({}) }}"
+    - "{{ openshift_openstack_dns_records_add | default([]) }}"
     - entries
   register: nsupdate_add_result
   until: nsupdate_add_result|succeeded

roles/openshift_openstack/templates/heat_stack.yaml.j2

@@ -54,23 +54,6 @@ outputs:
     description: Floating IPs of the nodes
     value: { get_attr: [ infra_nodes, floating_ip ] }
 
-{% if openshift_openstack_num_dns|int > 0 %}
-  dns_name:
-    description: Name of the DNS
-    value:
-      get_attr:
-        - dns
-        - name
-
-  dns_floating_ips:
-    description: Floating IPs of the DNS
-    value: { get_attr: [ dns, floating_ip ] }
-
-  dns_private_ips:
-    description: Private IPs of the DNS
-    value: { get_attr: [ dns, private_ip ] }
-{% endif %}
-
 conditions:
   no_floating: {% if openshift_openstack_provider_network_name %}true{% else %}false{% endif %}
 
@@ -436,43 +419,6 @@ resources:
           port_range_min: 443
           port_range_max: 443
 
-{% if openshift_openstack_num_dns|int > 0 %}
-  dns-secgrp:
-    type: OS::Neutron::SecurityGroup
-    properties:
-      name:
-        str_replace:
-          template: openshift-ansible-cluster_id-dns-secgrp
-          params:
-            cluster_id: {{ openshift_openstack_stack_name }}
-      description:
-        str_replace:
-          template: Security group for cluster_id cluster DNS
-          params:
-            cluster_id: {{ openshift_openstack_stack_name }}
-      rules:
-        - direction: ingress
-          protocol: udp
-          port_range_min: 53
-          port_range_max: 53
-          remote_ip_prefix: {{ openshift_openstack_node_ingress_cidr }}
-        - direction: ingress
-          protocol: udp
-          port_range_min: 53
-          port_range_max: 53
-          remote_ip_prefix: "{{ openshift_openstack_subnet_prefix }}.0/24"
-        - direction: ingress
-          protocol: tcp
-          port_range_min: 53
-          port_range_max: 53
-          remote_ip_prefix: {{ openshift_openstack_node_ingress_cidr }}
-        - direction: ingress
-          protocol: tcp
-          port_range_min: 53
-          port_range_max: 53
-          remote_ip_prefix: "{{ openshift_openstack_subnet_prefix }}.0/24"
-{% endif %}
-
 {% if openshift_openstack_num_masters|int > 1 %}
   lb-secgrp:
     type: OS::Neutron::SecurityGroup
@@ -818,54 +764,3 @@ resources:
     depends_on:
       - interface
 {% endif %}
-
-{% if openshift_openstack_num_dns|int > 0 %}
-  dns:
-    type: OS::Heat::ResourceGroup
-    properties:
-      count: {{ openshift_openstack_num_dns }}
-      resource_def:
-        type: server.yaml
-        properties:
-          name:
-            str_replace:
-              template: k8s_type-%index%.cluster_id
-              params:
-                cluster_id: {{ openshift_openstack_stack_name }}
-                k8s_type: {{ openshift_openstack_dns_hostname }}
-          cluster_env: {{ openshift_openstack_public_dns_domain }}
-          cluster_id:  {{ openshift_openstack_stack_name }}
-          group:
-            str_replace:
-              template: k8s_type.cluster_id
-              params:
-                k8s_type: dns
-                cluster_id: {{ openshift_openstack_stack_name }}
-          type:        dns
-          image:       {{ openshift_openstack_dns_image }}
-          flavor:      {{ openshift_openstack_dns_flavor }}
-          key_name:    {{ openshift_openstack_keypair_name }}
-{% if openshift_openstack_provider_network_name %}
-          net:         {{ openshift_openstack_provider_network_name }}
-          net_name:         {{ openshift_openstack_provider_network_name }}
-{% else %}
-          net:         { get_resource: net }
-          subnet:      { get_resource: subnet }
-          net_name:
-            str_replace:
-              template: openshift-ansible-cluster_id-net
-              params:
-                cluster_id: {{ openshift_openstack_stack_name }}
-{% endif %}
-          secgrp:
-            - { get_resource: dns-secgrp }
-            - { get_resource: common-secgrp }
-{% if not openshift_openstack_provider_network_name %}
-          floating_network: {{ openshift_openstack_external_network_name }}
-{% endif %}
-          volume_size: {{ openshift_openstack_dns_volume_size }}
-{% if not openshift_openstack_provider_network_name %}
-    depends_on:
-      - interface
-{% endif %}
-{% endif %}