This commit introduces the maas_nameserver Ansible role to configure DNS domains and records in MAAS (Metal as a Service) based on an Ansible inventory. Key features include:

- Configures DNS entries for hosts (e.g., main interfaces, IPMI interfaces) using `dns_domains` and inventory variables (`ip`, `ipmi`).
- Dynamically sets `maas_cluster_instance.host` via `maas_api_url` in `defaults/main.yml`, with credentials (`customer_key`, `token_key`, `token_secret`) loaded from a secrets file (`secrets/maas.yml`).
- Filters inventory to process only hosts with `ip` or `ipmi` variables, excluding groups like `all` and `ungrouped`.
- Cleans up unwanted DNS records and domains not in `dns_domains` or `excluded_domains`, skipping default MAAS domains.
- Skips NS record creation due to module limitations, with instructions for manual creation via MAAS CLI/UI.
- Includes comprehensive `README.md` with:
  - Inventory example with `mac`, `ip`, `ipmi`, and `bmc` attributes (e.g., `server01.example.com mac=00:1a:2b:3c:4d:5e ip=192.168.1.11 ipmi=192.168.2.11 bmc=00:1a:2b:3c:4d:5f`).
  - Setup instructions for inventory, secrets, and variables.
  - Troubleshooting for common issues (e.g., network errors, missing `dns_domains`).
  - Performance tips (e.g., fact caching).
- Ensures idempotency and supports large inventories.

Signed-off-by: Adam Kraitman <akraitma@li-8b09b2cc-35b7-11b2-a85c-cd1dbade58f9.ibm.com>

Author: Adam Kraitman

maas_nameserver.yml

@@ -1,6 +1,6 @@
 ---
-- name: Configure MAAS DNS
-  hosts: maas
-  gather_facts: false
+- name: Deploy MAAS DNS
+  hosts: localhost
+  connection: local
   roles:
-    - maas_nameserver
+    - role: maas_nameserver

roles/maas_nameserver/README.md

@@ -2,13 +2,16 @@
 
 ## Overview
 
-The `maas_nameserver` role configures DNS domains and records in MAAS (Metal as a Service) based on an Ansible inventory. It manages DNS entries for hosts (e.g., Main interfaces, IPMI interfaces, VLAN interfaces) in specified domains, ensuring only desired records and domains exist while cleaning up unwanted ones. This role depends on a secrets file to load MAAS API credentials.
+The `maas_nameserver` role configures DNS domains and records in MAAS (Metal as a Service) based on an Ansible inventory. It manages DNS entries for hosts (e.g., main interfaces, IPMI interfaces) in specified domains, ensuring only desired records and domains exist while cleaning up unwanted ones. This role depends on a secrets file to load MAAS API credentials.
 
 ## Requirements
 
 - Ansible: Version 2.9 or higher
 - MAAS CLI: Installed on the target MAAS server
+- Python: Version 3.6 or higher (for `maas.maas` collection)
 - Inventory: A valid Ansible inventory with `group_vars/all.yml` defining `dns_domains`
+- MAAS API Access: Valid credentials in a secrets file
+- Network: Stable connectivity to the MAAS server
 
 ## Role Structure
 
@@ -26,23 +29,22 @@ roles/
 
 ## Dependencies
 
-- **Secrets File**: A `maas.yml` file at `{{ secrets_path }}/maas.yml` provides MAAS API credentials (e.g., `maas_api_key`, `maas_api_url`). No separate secrets role is required; credentials are loaded via `include_vars`.
+- **Secrets File**: A `maas.yml` file at `{{ secrets_path }}/maas.yml` provides MAAS API credentials (`maas_cluster_instance` with `customer_key`, `token_key`, and `token_secret`). The `host` is set dynamically at runtime.
+- **maas.maas Collection**: Automatically installed by the role if not present.
 
 ## Usage
 
 1. **Prepare Inventory**
 
-   Define your `maas` and target host groups:
+   Define your `maas` group and target hosts in your inventory file (e.g., `inventory/hosts`):
 
    ```ini
    [maas]
-   maas.internal.ceph.ibm.com ip=10.11.120.237
+   maas-server.example.com ansible_host=192.168.1.10
 
-   [snipeit]
-   snipe-it.internal.ceph.ibm.com ip=10.60.100.11
-
-   [machine]
-   machine001.internal.ceph.ibm.com ip=10.18.131.100 ipmi=10.18.139.100 vlan104=10.18.144.3
+   [servers]
+   server01.example.com mac=00:1a:2b:3c:4d:5e ip=192.168.1.11 ipmi=192.168.2.11 bmc=00:1a:2b:3c:4d:5f
+   server02.example.com mac=00:1a:2b:3c:4d:60 ip=192.168.1.12 ipmi=192.168.2.12 bmc=00:1a:2b:3c:4d:61
    ```
 
 2. **Set Up Inventory Variables**
@@ -52,109 +54,158 @@ roles/
    ```yaml
    ---
    dns_domains:
-     ceph: "internal.ceph.ibm.com"
-     ipmi: "ipmi.ceph.ibm.com"
-     vlan104: "vlan104.internal.ceph.ibm.com"
+     ip: "example.com"
+     ipmi: "ipmi.example.com"
+   ```
+
+   Optionally, define `dns_records` in `group_vars/dns_records.yml` for additional DNS records:
+
+   ```yaml
+   ---
+   dns_records:
+     - name: "api"
+       domain: "ocp1.example.com"
+       type: "A/AAAA"
+       ip: "192.168.1.101"
+     - name: "*"
+       domain: "apps.ocp1.example.com"
+       type: "A/AAAA"
+       ip: "192.168.1.102"
    ```
 
 3. **Set Up Secrets**
 
-   Create a secrets file at `{{ secrets_path }}/maas.yml`:
+   Create a secrets file at `{{ secrets_path }}/maas.yml` (e.g., `secrets/maas.yml`):
 
    ```yaml
    ---
-   maas_profile: "admin" # also called the maas api username
-   maas_api_key: "XXXXXXXXXXXXXXXX" # api key of the profile defined in maas_profile
-   maas_api_url: "http://localhost:5240/MAAS/api/2.0/"
+   maas_cluster_instance:
+     customer_key: "your_customer_key"
+     token_key: "your_token_key"
+     token_secret: "your_token_secret"
    ```
 
+   **Note**: The `host` field is not included in `maas_cluster_instance` as it is set dynamically using `maas_api_url` from `defaults/main.yml` and the `maas` group in the inventory. Restrict file permissions (e.g., `chmod 600 secrets/maas.yml`) and consider using Ansible Vault for encryption.
+
 4. **Run the Playbook**
 
    ```bash
    ansible-playbook maas_nameserver.yml
    ```
 
-## Variables
-
-### defaults/main.yml
-
-These are overridable defaults:
-
-- `maas_api_url`: Default MAAS API endpoint (`http://localhost:5240/MAAS/api/2.0/`). Override in `secrets/maas.yml`.
+   For verbose output to troubleshoot:
 
-- `maas_profile`: Default MAAS profile name (`admin`). Override in `secrets/maas.yml`.
-
-- `default_domains`: Domains to preserve (default: `["maas"]`). The `maas` domain is used by MAAS for internal DNS records and is excluded from cleanup.
+   ```bash
+   ansible-playbook maas_nameserver.yml -vvvv
+   ```
 
-- `target_hosts`: List of hosts for DNS records. Defaults to an empty list (`[]`), in which case the role dynamically selects all hosts from inventory groups except those in `exclude_groups`. Override in `group_vars/maas.yml`:
+## Variables
 
-  ```yaml
-  target_hosts:
-    - machine001.internal.ceph.ibm.com
-    - machine002.internal.ceph.ibm.com
-  ```
+### defaults/main.yml
 
-  Or via command line:
+Overridable defaults:
 
-  ```bash
-  ansible-playbook maas_nameserver.yml -e "target_hosts=['machine001.internal.ceph.ibm.com']"
-  ```
+- `maas_server_ip`: Derived from the first host in the `maas` group (`{{ groups.get('maas', []) | first | default('undefined_maas_server') }}`).
+- `maas_api_url`: MAAS API endpoint (`http://{{ maas_server_ip }}:5240/MAAS`).
+- `dns_ttl`: Default TTL for DNS records (`3600` seconds).
+- `excluded_groups`: Groups to exclude from inventory processing (`["all", "ungrouped"]`).
+- `excluded_domains`: Domains to preserve from cleanup (`["maas", "front.sepia.example.com"]`).
+- `supported_record_types`: Allowed DNS record types (`["A/AAAA", "CNAME", "MX", "NS", "SRV", "SSHFP", "TXT"]`).
 
-- `exclude_groups`: List of inventory groups to exclude from `target_hosts` when `target_hosts` is empty. Defaults to `["maas", "all", "ungrouped"]`. The `all` and `ungrouped` groups must be included to prevent the automatic inclusion of all hosts (via the `all` group, which contains every host in the inventory) or ungrouped hosts (via the `ungrouped` group). Override in `group_vars/maas.yml`:
+Example `defaults/main.yml`:
 
-  ```yaml
-  exclude_groups: ["maas", "all", "ungrouped", "other_group"]
-  ```
+```yaml
+---
+maas_server_ip: "{{ groups.get('maas', []) | first | default('undefined_maas_server') }}"
+maas_api_url: "http://{{ maas_server_ip }}:5240/MAAS"
+dns_ttl: 3600
+excluded_groups: ["all", "ungrouped"]
+excluded_domains: ["maas", "front.sepia.example.com"]
+supported_record_types: ["A/AAAA", "CNAME", "MX", "NS", "SRV", "SSHFP", "TXT"]
+```
 
 ### vars/main.yml
 
 No mandatory, non-overridable variables are defined. Environment-specific variables like `dns_domains` must be set in `inventory/group_vars/all.yml`.
 
 ### secrets/maas.yml
 
-Provides MAAS API credentials and optional overrides:
-
-1. `maas_api_key`: MAAS API key for authentication.
-2. `maas_api_url`: MAAS API endpoint (e.g., `http://127.0.0.1:5240/MAAS/api/2.0/`).
+Provides MAAS API credentials:
 
-`maas_profile`: MAAS CLI profile name (e.g., `admin`).
-
-1. `target_hosts` (optional): Override the default `target_hosts` list.
-2. `exclude_groups` (optional): Override the default `exclude_groups` list.
+- `maas_cluster_instance.customer_key`: MAAS API customer key.
+- `maas_cluster_instance.token_key`: MAAS API token key.
+- `maas_cluster_instance.token_secret`: MAAS API token secret.
 
 **Example**:
 
 ```yaml
-maas_api_key: "XXXXXXXXXXXXXXXX"
-maas_api_url: "http://127.0.0.1:5240/MAAS/api/2.0/"
-maas_profile: "admin"
-# Optional overrides
-target_hosts:
-  - machine001.internal.ceph.ibm.com
-exclude_groups:
-  - maas
-  - all
-  - ungrouped
+---
+maas_cluster_instance:
+  customer_key: "your_customer_key"
+  token_key: "your_token_key"
+  token_secret: "your_token_secret"
 ```
 
-**Notes**:
-
-- **Security**: Ensure file permissions are restricted (e.g., `chmod 600 maas.yml`).
-- **Vault**: If encrypted, provide the vault password (e.g., via `--vault-password-file ~/.vault_pass.txt`).
-
 ## Behavior
 
-- **DNS Records**: Creates A records for hosts based on `dns_domains` and inventory variables (e.g., `ip`, `ipmi`, `vlan104`). Example:
-  - `machine001.internal.ceph.ibm.com` → `10.18.131.100`
-  - `machine001.ipmi.ceph.ibm.com` → `10.18.139.100`
-  - `machine001.vlan104.internal.ceph.ibm.com` → `10.18.144.3`
-- **Cleanup**: Deletes DNS records and domains not in `dns_domains` or `default_domains`.
+- **DNS Records**: Creates A/AAAA records for hosts based on `dns_domains` and inventory variables (e.g., `ip`, `ipmi`). Example:
+  - `server01.example.com` → `192.168.1.11`
+  - `server01.ipmi.example.com` → `192.168.2.11`
+  - Additional records from `dns_records` (e.g., `api.ocp1.example.com` → `192.168.1.101`).
+- **Cleanup**: Deletes DNS records and domains not in `dns_domains` or `excluded_domains`, skipping default MAAS domains.
+- **NS Records**: Skipped due to module limitations; create manually via MAAS CLI or UI.
 - **Idempotency**: Skips actions if the desired state is already met.
+- **Retries**: Removal tasks include retries (`retries: 3`, `delay: 5`) to handle transient network issues.
 
 ## Troubleshooting
 
-- **Missing** `dns_domains`: Ensure `dns_domains` is defined in `inventory/group_vars/all.yml`. The playbook will fail if undefined.
-- **Secrets Not Loading**: Verify `secrets_path` points to the correct directory and `maas.yml` contains valid credentials.
-- **MAAS CLI Errors**: Confirm the MAAS CLI is installed on the target server and the API key is valid.
-- **Failed Deletions**: Check playbook output for errors during DNS record or domain deletions (e.g., permissions, network issues, or records that do not exist).
-- **Unwanted DNS Records**: If DNS records are created for unintended hosts, verify `exclude_groups` includes `all` and `ungrouped` to prevent the inclusion of all inventory hosts or ungrouped hosts. Check for overrides in `secrets/maas.yml` or extra vars that modify `target_hosts` or `exclude_groups`.
+- **Network Issues**: If you see `[Errno -2] Name or service not known`, verify the MAAS server hostname (e.g., `maas-server.example.com`) resolves correctly:
+  ```bash
+  ping maas-server.example.com
+  curl http://maas-server.example.com:5240/MAAS/api/2.0/version/
+  ```
+  Add to `/etc/hosts` if needed (e.g., `192.168.1.10 maas-server.example.com`).
+
+- **Missing dns_domains**: Ensure `dns_domains` is defined in `inventory/group_vars/all.yml`.
+
+- **Secrets Not Loading**: Verify `secrets_path` points to the correct directory and `maas.yml` contains valid credentials. If using Ansible Vault, provide the vault password:
+  ```bash
+  ansible-playbook maas_nameserver.yml --vault-password-file ~/.vault_pass.txt
+  ```
+
+- **MAAS API Errors**: Confirm the MAAS CLI is installed and the API credentials are valid. Test with:
+  ```bash
+  maas login <profile> http://maas-server.example.com:5240/MAAS <api-key>
+  maas <profile> domains read
+  ```
+
+- **Unwanted DNS Records**: Verify `excluded_groups` includes `all` and `ungrouped` in `defaults/main.yml` to prevent unintended host inclusion.
+
+- **NS Record Skipped**: Manually create NS records in MAAS UI or CLI:
+  ```bash
+  maas login <profile> http://maas-server.example.com:5240/MAAS <api-key>
+  maas <profile> dnsresource create domain=example.com name=ns1 type=NS data=ns1.example.com ttl=3600
+  ```
+
+- **Slow Execution**: Enable profiling to identify bottlenecks:
+  ```bash
+  ansible-playbook maas_nameserver.yml -v
+  ```
+  Adjust `ansible.cfg` for higher parallelism:
+  ```ini
+  [defaults]
+  forks = 20
+  ```
+
+## Performance Optimizations
+
+- **Inventory Filtering**: Only hosts with `ip` or `ipmi` variables are processed, reducing unnecessary iterations.
+- **Retries for Reliability**: Removal tasks use retries to handle transient network issues, improving robustness for large inventories (e.g., 48 hosts).
+
+For further optimization, consider enabling fact caching in `ansible.cfg` to reduce API calls in subsequent runs:
+```ini
+[defaults]
+fact_caching = jsonfile
+fact_caching_timeout = 86400
+fact_caching_connection = /tmp/ansible_cache
+```

roles/maas_nameserver/defaults/main.yml

@@ -1,17 +1,14 @@
 ---
-maas_api_url: "http://localhost:5240/MAAS/api/2.0/"  # Default, overridden by secrets
-maas_profile: "admin"  # Default, overridden by secrets
-default_domains:
-  - "maas"
-
-# List of target hosts for DNS records, excluding the 'maas' group by default.
-# Can be overridden in secrets/maas.yml (e.g., target_hosts: ['host1.example.com', 'host2.example.com'])
-# If not set, defaults to all hosts in inventory groups except those in exclude_groups.
-target_hosts: []
-
-# List of inventory groups to exclude from target_hosts.
-# Includes 'all' and 'ungrouped' to prevent automatic inclusion of all hosts or ungrouped hosts,
-# as 'all' contains every host in the inventory and 'ungrouped' includes hosts not assigned to any group.
-exclude_groups: ["maas", "all", "ungrouped"]
-
-# Note: dns_domains should be defined in the inventory's group_vars/all.yml
+inventory_path: "{{ lookup('env', 'ANSIBLE_INVENTORY_PATH') | default('/etc/ansible/hosts', true) }}"
+# MAAS server IP address
+maas_server_ip: "{{ groups.get('maas', []) | first | default('undefined_maas_server') }}"
+# MAAS API URL
+maas_api_url: "http://{{ maas_server_ip }}:5240/MAAS"
+# Default TTL for DNS records
+dns_ttl: 3600
+# Groups to exclude from inventory processing
+excluded_groups: ['all', 'ungrouped']
+# Domains to exclude from management
+excluded_domains: ['maas', 'front.sepia.ceph.com']
+# Supported DNS record types
+supported_record_types: ['A/AAAA', 'CNAME', 'MX', 'NS', 'SRV', 'SSHFP', 'TXT']