blob: 77e1f3cc22140fb95214e7d07da5acea48fad0b7 [file] [log] [blame]
=================
Designate formula
=================
Designate provides DNSaaS services for OpenStack.
Sample pillars
==============
For Designate with BIND9 local backend:
.. code:: yaml
designate:
server:
enabled: true
region: RegionOne
domain_id: 5186883b-91fb-4891-bd49-e6769234a8fc
version: ocata
backend:
bind9:
rndc_key: 4pc+X4PDqb2q+5o72dISm72LM1Ds9X2EYZjqg+nmsS7FhdTwzFFY8l/iEDmHxnyjkA33EQC8H+z0fLLBunoitw==
rndc_algorithm: hmac-sha512
api:
base_uri: 'http://127.0.0.1:9001'
quotas_verify_project_id: False
admin_api:
enabled: true
enabled_extensions_admin: quotas
bind:
api:
address: 127.0.0.1
database:
engine: mysql
host: 127.0.0.1
port: 3306
name:
main_database: designate
pool_manager: designate_pool_manager
user: designate
password: passw0rd
identity:
engine: keystone
host: 127.0.0.1
port: 35357
tenant: service
user: designate
password: passw0rd
mdns:
address: 0.0.0.0
port: 5354
message_queue:
engine: rabbitmq
members:
- host: 127.0.0.1
user: openstack
password: password
virtual_host: '/openstack'
pools:
default:
description: 'default pool'
attributes:
service_tier: GOLD
ns_records:
- hostname: 'ns1.example.org.'
priority: 10
nameservers:
- host: 127.0.0.1
port: 53
targets:
default_target:
type: bind9
description: 'default target'
masters:
- host: 127.0.0.1
port: 5354
options:
host: 127.0.0.1
port: 53
rndc_host: 127.0.0.1
rndc_port: 953
rndc_key_file: /etc/designate/rndc.key
quota:
zones: 40
worker:
enabled: true
.. note::
*domain_id* parameter is UUID of DNS zone managed by designate-sink service. This zone will
be populated by A records for fixed and floating ip addresses of spawned VMs. After designate
is deployed and zone is created, this parameter should be updated accordingly to UUID of
newly created zone. Then designate state should be reapplied.
.. note::
*server:api:base_uri* allows to set URL which is returned in designate-api responses, it is
useful in cases when, designate-api is deployed under proxy server. If not overriden in reclass,
it defaults to http://*server:bind:api:address*:9001/.
.. note::
*server:mdns:address* and *server:mdns:port* options allow to change MDNS listening address and
port. Changes to server:pools:*:targets will be also required if the MDNS's address and port are
being used there.
.. note::
*worker:enabled* sets worker role and installs designate-worker and designate-producer packages
which services will push changes to backend DNS servers.
*pool_manager:enabled* should be a default role for older releases of OpenStack, older than
Newton in which designate-worker and designate-producer were represented.
In releases starting from Newton, only Designate pool manager service still allows live syncs
with Power DNS server for now.
.. note::
*server:quota:zones* allows to set default value for zones quota for all projects and users.
In case with Designate tempest plugin (0.2.0) zones quota should be increased to 40, so all
tests can pass.
.. note::
*server:api:quotas_verify_project_id* allows to enable project id verification when setting quotas
for project, when Designate will ask Keystone if the project id is valid
Pools pillar for BIND9 master and multiple slaves setup:
.. code:: yaml
pools:
default:
description: 'default pool'
attributes:
service_tier: GOLD
ns_records:
- hostname: 'ns1.example.org.'
priority: 10
nameservers:
- host: 192.168.0.1
port: 53
- host: 192.168.0.2
port: 53
- host: 192.168.0.3
port: 53
targets:
default_target:
type: bind9
description: 'default target'
masters:
- host: 192.168.0.4
port: 5354
options:
host: 192.168.0.4
port: 53
rndc_host: 192.168.0.4
rndc_port: 953
rndc_key_file: /etc/designate/rndc.key
Enhanced logging with logging.conf
----------------------------------
By default logging.conf is disabled.
That is possible to enable per-binary logging.conf with new variables:
* openstack_log_appender - set it to true to enable log_config_append for all OpenStack services;
* openstack_fluentd_handler_enabled - set to true to enable FluentHandler for all Openstack services.
Only WatchedFileHandler and FluentHandler are available.
Also it is possible to configure this with pillar:
.. code-block:: yaml
designate:
server:
logging:
log_appender: true
log_handlers:
watchedfile:
enabled: true
fluentd:
enabled: true
Usage
=====
Create server
.. code:: bash
designate server-create --name ns.example.com.
Create domain
.. code:: bash
designate domain-create --name example.com. --email mail@example.com
Create record
.. code:: bash
designate record-create example.com. --name test.example.com. --type A --data 10.2.14.15
Test it
.. code:: bash
dig @127.0.0.1 test.example.com.
Enable x509 and ssl communication between Designate and Galera cluster.
---------------------
By default communication between Designate and Galera is unsecure.
designate:
server:
database:
x509:
enabled: True
You able to set custom certificates in pillar:
designate:
server:
database:
x509:
cacert: (certificate content)
cert: (certificate content)
key: (certificate content)
You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html
Documentation and Bugs
======================
To learn how to install and update salt-formulas, consult the documentation
available online at:
http://salt-formulas.readthedocs.io/
In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use Github issue tracker for specific salt
formula:
https://github.com/salt-formulas/salt-formula-letsencrypt/issues
For feature requests, bug reports or blueprints affecting entire ecosystem,
use Launchpad salt-formulas project:
https://launchpad.net/salt-formulas
You can also join salt-formulas-users team and subscribe to mailing list:
https://launchpad.net/~salt-formulas-users
Developers wishing to work on the salt-formulas projects should always base
their work on master branch and submit pull request against specific formula.
https://github.com/salt-formulas/salt-formula-letsencrypt
Any questions or feedback is always welcome so feel free to join our IRC
channel:
#salt-formulas @ irc.freenode.net