maas dns role for configuring maas dns domains and records

Signed-off-by: Adam Kraitman <akraitma@li-8b09b2cc-35b7-11b2-a85c-cd1dbade58f9.ibm.com>

Author: Adam Kraitman

maas_nameserver.yml

@@ -0,0 +1,6 @@
+---
+- name: Configure MAAS DNS
+  hosts: maas
+  gather_facts: false
+  roles:
+    - maas_nameserver

roles/maas_nameserver/README.rst

@@ -0,0 +1,102 @@
+---
+
+# README for `maas_nameserver` Ansible Role
+
+## Overview
+The `maas_nameserver` role configures DNS domains and records in MAAS (Metal as a Service) based on an Ansible inventory. It manages DNS entries for Ceph nodes and their IPMI interfaces, ensuring only desired records and domains exist while cleaning up unwanted ones. This role depends on a `secrets` role to load encrypted MAAS API credentials using Ansible Vault.
+
+## Requirements
+- **Ansible**: Version 2.9 or higher
+- **MAAS CLI**: Installed on the target maas server
+- **Secrets Role**: A companion `secrets` role to load encrypted credentials
+
+## Role Structure
+```
+roles/
+  maas_nameserver/
+    defaults/
+      main.yml
+    meta/
+      main.yml
+    tasks/
+      main.yml
+    vars/
+      main.yml
+    README.md
+```
+
+## Dependencies
+- **`secrets` Role**: Defined in `meta/main.yml`, this role loads encrypted MAAS API credentials from a configurable path. Ensure the `secrets` role is available in your `roles/` directory.
+
+## Usage
+1. **Place the Role**: Ensure the `maas_namesever` and `secrets` roles are in your `roles/` directory.
+2. **Prepare Inventory**: Define your `maas` and `ceph` groups (e.g., in `/etc/ansible/hosts/tucson`):
+   ```ini
+   [ceph]
+   ceph001.internal.ceph.ibm.com ip=10.18.131.1 ipmi=10.18.139.1
+   ceph002.internal.ceph.ibm.com ip=10.18.131.2 ipmi=10.18.139.2
+   ceph003.internal.ceph.ibm.com ip=10.18.131.3 ipmi=10.18.139.3
+
+   [maas]
+   ceph-vm-14.tuc.stglabs.ibm.com ip=9.11.120.237
+   ```
+3. **Set Up Secrets**: Encrypt your MAAS credentials in a secrets file (see "Secrets File" section below).
+4. **Run the Playbook**:
+   ```bash
+   ansible-playbook maas-dns-playbook.yml
+   ```
+
+## Variables
+
+### `defaults/main.yml`
+These are overridable defaults:
+- `maas_api_url`: Default MAAS API endpoint (`http://localhost:5240/MAAS/api/2.0/`). Typically overridden by the secrets file.
+- `maas_profile`: Default MAAS profile name (`admin`). Overridden by the secrets file.
+- `allowed_domains`: List of domains to preserve (default: `["maas"]`).
+
+### `vars/main.yml`
+These are role-specific variables, not intended for override:
+- `dns_domains`:
+  - `ceph`: Dynamically derived from the first Ceph host’s domain (e.g., `internal.ceph.ibm.com`).
+  - `ipmi`: Static IPMI domain (`ipmi.ceph.ibm.com`).
+  
+## Secrets File
+The `maas_nameserver` role depends on the `secrets` role to load encrypted MAAS API credentials. The secrets file is expected at `{{ secrets_path }}/group_vars/maas.yml`, where `secrets_path` defaults to `/etc/ansible/secrets` (configurable via the `ANSIBLE_SECRETS_PATH` environment variable).
+
+### Example Secrets File
+Create and encrypt the file (e.g., `/etc/ansible/secrets/maas.yml`):
+```yaml
+---
+maas_api_url: "http://X.X.X.X:5240/MAAS/api/2.0/"
+maas_api_key: "XXXXXXXXXXXXXXXX"
+maas_profile: "admin"
+```
+**Notes**:
+- **Location**: Store this file in a secure directory (e.g., `/etc/ansible/secrets` or a private repo like `~/secrets/ceph-secrets`). Adjust `secrets_path` if using a custom location.
+- **Security**: Ensure the file is readable only by the Ansible user (e.g., `chmod 600`).
+- **Variables**:
+  - `maas_api_url`: The MAAS API endpoint.
+  - `maas_api_key`: The API key for authentication.
+  - `maas_profile`: The profile name used with the MAAS CLI.
+- **Vault Password**: Store the password securely (e.g., in `~/.vault_pass.txt` with `chmod 600`) or provide it at runtime.
+
+## Behavior
+- **DNS Records**: Creates A records for Ceph nodes (`ip`) and IPMI interfaces (`ipmi`) in `internal.ceph.ibm.com` and `ipmi.ceph.ibm.com`, respectively.
+- **Cleanup**: Removes unwanted DNS records and domains not matching the desired state or `allowed_domains`.
+- **Idempotency**: Skips actions if the desired state is already met.
+
+## Example Output
+Running the playbook should produce output similar to:
+```
+TASK [maas_nameserver : Debug desired FQDNs] ******************************************
+ok: [ceph-vm-14.tuc.stglabs.ibm.com] => {
+    "msg": "Desired FQDNs: ['ceph001.internal.ceph.ibm.com', 'ceph002.internal.ceph.ibm.com', 'ceph003.internal.ceph.ibm.com', 'ceph001.ipmi.ceph.ibm.com', 'ceph002.ipmi.ceph.ibm.com', 'ceph003.ipmi.ceph.ibm.com']"
+}
+```
+
+## Troubleshooting
+- **Secrets Not Loading**: Verify `secrets_path` points to the correct directory and the file is encrypted correctly. Check vault password access.
+- **MAAS CLI Errors**: Ensure the MAAS CLI is installed and the API credentials are valid.
+- **Inventory Issues**: Confirm that any inventory group hosts have `ip` and `ipmi` variables defined.
+
+---

roles/maas_nameserver/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+maas_api_url: "http://localhost:5240/MAAS/api/2.0/"  # Default, overridden by secrets
+maas_profile: "admin"  # Default, overridden by secrets
+allowed_domains:
+  - "maas"

roles/maas_nameserver/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: secrets

roles/maas_nameserver/tasks/main.yml

@@ -0,0 +1,95 @@
+---
+- name: Ensure MAAS CLI is logged in
+  ansible.builtin.command: "maas login {{ maas_profile }} {{ maas_api_url }} {{ maas_api_key }}"
+  register: maas_login
+  changed_when: maas_login.rc == 0
+  failed_when: maas_login.rc != 0 and maas_login.stderr != "Profile already exists"
+
+- name: Get existing DNS resources
+  ansible.builtin.command: "maas {{ maas_profile }} dnsresources read"
+  register: existing_resources
+  changed_when: false
+
+- name: Initialize DNS records list
+  ansible.builtin.set_fact:
+    dns_records: []
+
+- name: Build DNS records for Ceph nodes
+  ansible.builtin.set_fact:
+    dns_records: "{{ dns_records + [{'name': host.split('.')[0], 'ip': hostvars[host]['ip'], 'type': 'A', 'domain': dns_domains.ceph}] }}"
+  loop: "{{ groups['ceph'] }}"
+  loop_control:
+    loop_var: host
+
+- name: Build DNS records for IPMI interfaces
+  ansible.builtin.set_fact:
+    dns_records: "{{ dns_records + [{'name': host.split('.')[0], 'ip': hostvars[host]['ipmi'], 'type': 'A', 'domain': dns_domains.ipmi}] }}"
+  loop: "{{ groups['ceph'] }}"
+  loop_control:
+    loop_var: host
+  when: "'ipmi' in hostvars[host]"
+
+- name: Parse desired FQDNs
+  ansible.builtin.set_fact:
+    desired_fqdns: "{{ dns_records | map(attribute='name') | zip(dns_records | map(attribute='domain')) | map('join', '.') | list }}"
+
+- name: Debug desired FQDNs
+  ansible.builtin.debug:
+    msg: "Desired FQDNs: {{ desired_fqdns }}"
+
+- name: Remove unwanted DNS records
+  ansible.builtin.command: "maas {{ maas_profile }} dnsresource delete {{ item.id }}"
+  loop: "{{ existing_resources.stdout | from_json }}"
+  when: >
+    item.fqdn not in desired_fqdns and
+    item.ip_addresses | map(attribute='ip') | first not in (dns_records | map(attribute='ip') | list)
+  register: dns_deletion
+  failed_when: dns_deletion.rc != 0 and "does not exist" not in dns_deletion.stderr
+
+- name: Get updated DNS resources after deletions
+  ansible.builtin.command: "maas {{ maas_profile }} dnsresources read"
+  register: updated_resources
+  changed_when: false
+
+- name: Get existing DNS domains
+  ansible.builtin.command: "maas {{ maas_profile }} domains read"
+  register: existing_domains
+  changed_when: false
+
+- name: Parse existing domains
+  ansible.builtin.set_fact:
+    current_domains: "{{ existing_domains.stdout | from_json | map(attribute='name') | list }}"
+
+- name: Remove unwanted domains
+  ansible.builtin.command: "maas {{ maas_profile }} domain delete {{ item.id }}"
+  loop: "{{ existing_domains.stdout | from_json }}"
+  when: >
+    item.name not in allowed_domains and
+    item.name not in dns_domains.values() and
+    item.resource_record_count == 0
+  register: domain_deletion
+  failed_when: domain_deletion.rc != 0 and "does not exist" not in domain_deletion.stderr and "protected foreign keys" not in domain_deletion.stderr
+
+- name: Ensure new DNS domains exist
+  ansible.builtin.command: "maas {{ maas_profile }} domains create name={{ item.value }}"
+  loop: "{{ dns_domains | dict2items }}"
+  when: item.value not in current_domains
+  register: domain_creation
+  failed_when: domain_creation.rc != 0 and "already exists" not in domain_creation.stderr
+
+- name: Ensure DNS records exist
+  ansible.builtin.command: >
+    maas {{ maas_profile }} dnsresources create
+    fqdn={{ item.name }}.{{ item.domain }}
+    ip_addresses={{ item.ip }}
+  loop: "{{ dns_records }}"
+  when: >
+    (item.name + '.' + item.domain) not in 
+    (updated_resources.stdout | from_json | map(attribute='fqdn') | list)
+  register: dns_creation
+  failed_when: dns_creation.rc != 0 and "already exists" not in dns_creation.stderr
+
+- name: Logout from MAAS
+  ansible.builtin.command: "maas logout {{ maas_profile }}"
+  when: maas_login is success
+  changed_when: true

roles/maas_nameserver/vars/main.yml

@@ -0,0 +1,4 @@
+---
+dns_domains:
+  ceph: "{{ (groups['ceph'] | first | split('.'))[-4:] | join('.') }}"  # internal.ceph.ibm.com
+  ipmi: "ipmi.ceph.ibm.com"  # New IPMI domain

roles/secrets/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Include encrypted secrets for the maas nameserver role
+  ansible.builtin.include_vars:
+    file: "{{ secrets_path }}/maas.yml"
+  no_log: true  # Prevents sensitive data from appearing in logs