maas dns role for configuring maas dns domains and records

Adam Kraitman · Adam Kraitman · commit 59ed665f3d75 · 2025-04-21T17:51:14.000+03:00
Signed-off-by: Adam Kraitman &lt;akraitma@li-8b09b2cc-35b7-11b2-a85c-cd1dbade58f9.ibm.com&gt;
diff --git a/maas_nameserver.yml b/maas_nameserver.yml
@@ -0,0 +1,6 @@
+---
+- name: Configure MAAS DNS
+  hosts: maas
+  gather_facts: false
+  roles:
+    - maas_nameserver
diff --git a/roles/maas_nameserver/README.md b/roles/maas_nameserver/README.md
@@ -0,0 +1,99 @@
+# README for `maas_nameserver` Ansible Role
+
+## Overview
+The `maas_nameserver` role configures DNS domains and records in MAAS (Metal as a Service) based on an Ansible inventory. It manages DNS entries for Ceph nodes and their IPMI interfaces, ensuring only desired records and domains exist while cleaning up unwanted ones. This role depends on a `secrets` role to load encrypted MAAS API credentials using Ansible Vault.
+
+## Requirements
+- **Ansible**: Version 2.9 or higher
+- **MAAS CLI**: Installed on the target MAAS server
+- **Secrets Role**: A companion `secrets` role to load encrypted credentials
+
+## Role Structure
+```
+roles/
+  maas_nameserver/
+    defaults/
+      main.yml
+    meta/
+      main.yml
+    tasks/
+      main.yml
+    vars/
+      main.yml
+    README.md
+```
+
+## Dependencies
+- **`secrets` Role**: Defined in `meta/main.yml`, this role loads encrypted MAAS API credentials from a configurable path. Ensure the `secrets` role is available in your `roles/` directory.
+
+## Usage
+1. **Place the Role**: Ensure the `maas_nameserver` and `secrets` roles are in your `roles/` directory.
+2. **Prepare Inventory**: Define your `maas` and your target hosts groups (e.g., in `/etc/ansible/hosts/tucson`):
+   ```ini
+   [ceph]
+   ceph001.internal.ceph.tucson.com ip=10.18.131.1 ipmi=10.18.139.1 vlan104=10.18.104.1 104mac=3c:fd:fe:d2:6a:84
+   ceph002.internal.ceph.tucson.com ip=10.18.131.2 ipmi=10.18.139.2 vlan104=10.18.104.2 104mac=3c:fd:fe:b2:8e:24
+   ceph003.internal.ceph.tucson.com ip=10.18.131.3 ipmi=10.18.139.3 vlan104=10.18.104.3 104mac=3c:fd:fe:e6:5c:13
+
+   [maas]
+   ceph-vm-14.internal.ceph.tucson.com ip=9.11.120.237
+   ```
+3. **Set Up Secrets**: Encrypt your MAAS credentials in a secrets file (see "Secrets File" section below).
+4. **Run the Playbook**:
+   ```bash
+   ansible-playbook maas-dns-playbook.yml
+   ```
+
+## Variables
+
+### `defaults/main.yml`
+These are overridable defaults:
+- `maas_api_url`: Default MAAS API endpoint (`http://localhost:5240/MAAS/api/2.0/`). Typically overridden by the secrets file.
+- `maas_profile`: Default MAAS profile name (`admin`). Overridden by the secrets file.
+- `default_domains`: List of domains to preserve/ignore (default: `["maas"]`). The default domain is a DNS domain that is used by maas when you deploy a machine it is used by maas for internal dns records so we choose to exclude it from our ansible role.
+
+### `vars/main.yml`
+These are role-specific variables, they can be override as needed:
+- `dns_domains`:
+  - `ceph`: Static primary domain (e.g., `internal.ceph.tucson.com`).
+  - `ipmi`: Static IPMI domain (`ipmi.ceph.tucson.com`).
+  - `vlan104`: Static sub-domain for vlan104 address(`vlan104.internal.ceph.tucson.com`).
+
+## Secrets File
+The `maas_nameserver` role depends on the `secrets` role to load encrypted MAAS API credentials. The secrets file is expected at `{{ secrets_path }}/maas.yml`.
+
+### Example Secrets File
+Create and encrypt the file (e.g., `{{ secrets_path }}/maas.yml`):
+```yaml
+---
+maas_api_url: "http://X.X.X.X:5240/MAAS/api/2.0/"
+maas_api_key: "XXXXXXXXXXXXXXXX"
+maas_profile: "admin"
+```
+
+**Notes**:
+- **Location**: Store this file in a secure directory (e.g., `/etc/ansible/secrets` or a private repo like `~/secrets/ceph-secrets`). Adjust `secrets_path` if using a custom location.
+- **Security**: Ensure the file is readable only by the Ansible user (e.g., `chmod 600`).
+- **Variables**:
+  - `maas_api_url`: The MAAS API endpoint.
+  - `maas_api_key`: The API key for authentication.
+  - `maas_profile`: The profile name used with the MAAS CLI.
+- **Vault Password**: Store the password securely (e.g., in `~/.vault_pass.txt` with `chmod 600`) or provide it at runtime.
+
+## Behavior
+- **DNS Records**: Creates A records for Ceph nodes (`ip`) and IPMI interfaces (`ipmi`) in `internal.ceph.tucson.com` and `ipmi.ceph.tucson.com`, respectively.
+- **Cleanup**: Removes unwanted DNS records and domains not matching the desired state or `default_domains`.
+- **Idempotency**: Skips actions if the desired state is already met.
+
+## Example Output
+Running the playbook should produce output similar to:
+```
+TASK [maas_nameserver : Debug desired FQDNs] ******************************************
+ok: [ceph-vm-14.internal.ceph.tucson.com] => {
+    "msg": "Desired FQDNs: ['ceph001.internal.ceph.tucson.com', 'ceph002.internal.ceph.tucson.com', 'ceph003.internal.ceph.tucson.com', 'ceph001.ipmi.ceph.tucson.com', 'ceph002.ipmi.ceph.tucson.com', 'ceph003.ipmi.ceph.tucson.com']"
+}
+```
+
+## Troubleshooting
+- **Secrets Not Loading**: Verify `secrets_path` points to the correct directory and the file is encrypted correctly. Check vault password access.
+- **MAAS CLI Errors**: Ensure the MAAS CLI is installed and the API credentials are valid.
diff --git a/roles/maas_nameserver/defaults/main.yml b/roles/maas_nameserver/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+maas_api_url: "http://localhost:5240/MAAS/api/2.0/"  # Default, overridden by secrets
+maas_profile: "admin"  # Default, overridden by secrets
+default_domains:
+  - "maas"
+
+# List of target hosts for DNS records, excluding the 'maas' group by default.
+# Can be overridden in secrets/maas.yml (e.g., target_hosts: ['host1.example.com', 'host2.example.com'])
+# or via extra vars (e.g., ansible-playbook -e "target_hosts=['host1.example.com']").
+# If not set, defaults to all hosts in inventory groups except 'maas'.
+target_hosts: []
diff --git a/roles/maas_nameserver/meta/main.yml b/roles/maas_nameserver/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: secrets
diff --git a/roles/maas_nameserver/tasks/main.yml b/roles/maas_nameserver/tasks/main.yml
@@ -0,0 +1,106 @@
+---
+- name: Include secrets
+  ansible.builtin.include_vars: "{{ item }}"
+  no_log: true
+  with_first_found:
+    - "{{ secrets_path | mandatory }}/maas.yml"
+  tags:
+    - always
+
+- name: Ensure MAAS CLI is logged in
+  ansible.builtin.command: "maas login {{ maas_profile }} {{ maas_api_url }} {{ maas_api_key }}"
+  register: maas_login
+  changed_when: maas_login.rc == 0
+  failed_when: maas_login.rc != 0 and maas_login.stderr != "Profile already exists"
+
+- name: Get existing DNS resources
+  ansible.builtin.command: "maas {{ maas_profile }} dnsresources read"
+  register: existing_resources
+  changed_when: false
+
+- name: Initialize DNS records list
+  ansible.builtin.set_fact:
+    dns_records: []
+
+# Define target hosts for DNS records, excluding the 'maas' group.
+# After population, target_hosts will contain all hosts from inventory groups except 'maas', e.g.,
+# ['machine001.internal.example.com', 'snipe.internal.example.com', 'vm-14.example.com'].
+# This can be overridden in secrets/maas.yml (e.g., target_hosts: ['host1.example.com', 'host2.example.com'])
+# or via extra vars (e.g., -e "target_hosts=['host1.example.com']").
+- name: Define target hosts for DNS records
+  ansible.builtin.set_fact:
+    target_hosts: "{{ target_hosts | default(groups | dict2items | rejectattr('key', 'equalto', 'maas') | map(attribute='value') | flatten | unique | default([])) }}"
+  when: groups.keys() | length > 1
+
+- name: Build DNS records for all interfaces
+  ansible.builtin.set_fact:
+    dns_records: "{{ dns_records + [{'name': item[0].split('.')[0], 'ip': interface_ip, 'type': 'A', 'domain': item[1].value}] }}"
+  loop: "{{ (target_hosts | default([])) | product(dns_domains | dict2items) | list }}"
+  vars:
+    interface_ip: "{{ hostvars[item[0]][item[1].key] if item[1].key != 'ceph' else hostvars[item[0]]['ip'] }}"
+  when:
+    - target_hosts is defined and target_hosts | length > 0
+    - "item[1].key in hostvars[item[0]] or (item[1].key == 'ceph' and 'ip' in hostvars[item[0]])"
+
+- name: Parse desired FQDNs
+  ansible.builtin.set_fact:
+    desired_fqdns: "{{ dns_records | map(attribute='name') | zip(dns_records | map(attribute='domain')) | map('join', '.') | list }}"
+  when: dns_records | length > 0
+
+- name: Remove unwanted DNS records
+  ansible.builtin.command: "maas {{ maas_profile }} dnsresource delete {{ item.id }}"
+  loop: "{{ existing_resources.stdout | from_json }}"
+  when: >
+    dns_records | length > 0 and
+    item.fqdn not in desired_fqdns
+  register: dns_deletion
+  failed_when: dns_deletion.rc != 0 and "does not exist" not in dns_deletion.stderr
+  notify: log_deletion_failure
+
+- name: Get updated DNS resources after deletions
+  ansible.builtin.command: "maas {{ maas_profile }} dnsresources read"
+  register: updated_resources
+  changed_when: false
+
+- name: Get existing DNS domains
+  ansible.builtin.command: "maas {{ maas_profile }} domains read"
+  register: existing_domains
+  changed_when: false
+
+- name: Parse existing domains
+  ansible.builtin.set_fact:
+    current_domains: "{{ existing_domains.stdout | from_json | map(attribute='name') | list }}"
+
+- name: Remove unwanted domains
+  ansible.builtin.command: "maas {{ maas_profile }} domain delete {{ item.id }}"
+  loop: "{{ existing_domains.stdout | from_json }}"
+  when: >
+    item.name not in default_domains and
+    item.name not in dns_domains.values()
+  register: domain_deletion
+  failed_when: domain_deletion.rc != 0 and "does not exist" not in domain_deletion.stderr and "protected foreign keys" not in domain_deletion.stderr
+
+- name: Ensure new DNS domains exist
+  ansible.builtin.command: "maas {{ maas_profile }} domains create name={{ item.value }}"
+  loop: "{{ dns_domains | dict2items }}"
+  when: item.value not in current_domains
+  register: domain_creation
+  failed_when: domain_creation.rc != 0 and "already exists" not in domain_creation.stderr
+
+- name: Ensure DNS records exist
+  ansible.builtin.command: >
+    maas {{ maas_profile }} dnsresources create
+    fqdn={{ item.name }}.{{ item.domain }}
+    ip_addresses={{ item.ip }}
+  loop: "{{ dns_records }}"
+  when: >
+    dns_records | length > 0 and
+    (item.name + '.' + item.domain) not in 
+    (updated_resources.stdout | from_json | map(attribute='fqdn') | list)
+  register: dns_creation
+  failed_when: dns_creation.rc != 0 and "already exists" not in dns_creation.stderr
+
+- name: Logout from MAAS
+  ansible.builtin.command: "maas logout {{ maas_profile }}"
+  when: maas_login is success
+  changed_when: true
diff --git a/roles/maas_nameserver/vars/main.yml b/roles/maas_nameserver/vars/main.yml
@@ -0,0 +1,5 @@
+---
+dns_domains:
+  ceph: "internal.ceph.ibm.com"
+  ipmi: "ipmi.ceph.ibm.com"
+  vlan104: "vlan104.internal.ceph.ibm.com"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+dependencies:`
	`3`	`+ - role: secrets`