Conversation
|
Let's see how smart my review tool is getting, I ran it over this draft as it's a good playground for it: Ansible Role — copy module src path
Ansible Role — service not enabled
Missing obsah metadata
|
And yet it works… https://docs.ansible.com/projects/ansible/latest/playbook_guide/playbook_pathing.html#id3 is more complicated than "it will look in
Technically correct, but nothing reboots the VM.
And yet it works… ;) (Yes, those are all valid points, but their criticality and impact is way off) |
evgeni
force-pushed
the
rndc
branch
4 times, most recently
from
a07bb03 to
809c5ed
Compare
evgeni
changed the title
| parameter: --dns-provider | ||
| help: DNS provider to use. | ||
| choices: | ||
| - nsupdate |
There was a problem hiding this comment.
The provider names are really dns_<name>, so dns_nsupdate, but it felt rather cumbersome to me to make the user add the (imho redundant) prefix here. Instead whenever foreman_proxy_dns_provider is used, it needs to be prefixed with dns_
| - [certificates_custom_server_certificate, certificates_custom_server_key, certificates_custom_server_ca_certificate] | ||
| forbidden_if: | ||
| - [certificates_source, installer, [certificates_custom_server_certificate, certificates_custom_server_key, certificates_custom_server_ca_certificate]] | ||
| # FIXME: this only should trigger if the dns feature is on |
There was a problem hiding this comment.
obsah can't do required_if on a feature, but it should?
| - name: Include tasks for {{ foreman_proxy_dns_provider }} | ||
| ansible.builtin.include_tasks: feature.yaml |
There was a problem hiding this comment.
is this too much of a "clever" hack? a feature (dns) enabling a "sub" feature (dns_nsupdate)?
There was a problem hiding this comment.
In https://github.com/theforeman/puppet-foreman_proxy I made a distinction of modules and providers.
But what you're talking about here also has precedent: https://github.com/theforeman/puppet-foreman_proxy/blob/5e4fcc4200ec540cbe033e7258aecc60083554d8/manifests/config.pp#L19-L32. As the person who wrote that and is happy with it: not too clever in my book.
|
|
||
|
|
||
| @pytest.mark.feature('dns') | ||
| def test_dns_nsupdate(server, certificates, server_fqdn): |
There was a problem hiding this comment.
This effectively implements a subset of https://github.com/theforeman/forklift/blob/master/bats/fb-proxy-dns.bats. It's a good start but I'd love to see it expanded in the future
There was a problem hiding this comment.
You're saying we should test all supported DNS types and also their deletion etc? Can do, sure.
BTW, you don't happen to have an Python implementation of Foreman's ProxyAPI implementation at hand? ;)
There was a problem hiding this comment.
You're saying we should test all supported DNS types and also their deletion etc? Can do, sure.
I think that would be great. And for PTR both IPv4 and IPv6.
BTW, you don't happen to have an Python implementation of Foreman's ProxyAPI implementation at hand? ;)
Sorry, I don't.
There was a problem hiding this comment.
Anyway, added all but PTR (was too lazy to add a .arpa domain to the setup)
| - name: Include tasks for {{ foreman_proxy_dns_provider }} | ||
| ansible.builtin.include_tasks: feature.yaml |
There was a problem hiding this comment.
In https://github.com/theforeman/puppet-foreman_proxy I made a distinction of modules and providers.
But what you're talking about here also has precedent: https://github.com/theforeman/puppet-foreman_proxy/blob/5e4fcc4200ec540cbe033e7258aecc60083554d8/manifests/config.pp#L19-L32. As the person who wrote that and is happy with it: not too clever in my book.
evgeni
force-pushed
the
rndc
branch
2 times, most recently
from
edc8cba to
591b419
Compare
evgeni
force-pushed
the
rndc
branch
2 times, most recently
from
dfd0a70 to
ed04896
Compare
| - [certificates_source, installer, [certificates_custom_server_certificate, certificates_custom_server_key, certificates_custom_server_ca_certificate]] | ||
|
|
||
| required_in_list: | ||
| - [[[features, dns], [foreman_proxy_dns_provider, nsupdate]], [foreman_proxy_dns_keyfile, foreman_proxy_dns_server]] |
There was a problem hiding this comment.
this uses theforeman/obsah#119, but I am not 100% satisfied with it. partially because this only works when the user passes both --add-feature dns and --dns-provider nsupdate explicitly. Relying on the default dns provider being nsupdate doesn't work, as then the "required" check doesn't trigger.
There was a problem hiding this comment.
That means only foremanctl deploy --add-feature dns would fail?
There was a problem hiding this comment.
So I tested foremanctl deploy --add-feature foreman-proxy --add-feature dns it works --dns-provider nsupdate is selected by default.
But it fails with
The task includes an option with an undefined variable. The error was: 'foreman_proxy_dns_server' is undefined. 'foreman_proxy_dns_server' is undefined. 'foreman_proxy_dns_server' is undefined. 'foreman_proxy_dns_server' is undefined
Which is expected since I didn't pass --dns-server. But i think this validation should happen earlier not in the later stage. What do you think?
Also, why there are 4 undefined statements in the error?
evgeni
force-pushed
the
rndc
branch
3 times, most recently
from
041d5d0 to
6fd746e
Compare
| if dns_type == 'PTR': | ||
| expected = dns_name | ||
| query = dns_value | ||
| else: | ||
| expected = dns_value | ||
| query = dns_name |
There was a problem hiding this comment.
This reminds me of https://projects.theforeman.org/issues/18398. Actually the inspiration for me to expose capabilities in the registration protocol: signify the Smart Proxy supports a DNS v2 API. That never happened, but we have used the registration protocol v2.
evgeni
force-pushed
the
rndc
branch
3 times, most recently
from
e763aa3 to
bfcb8fc
Compare
ekohl
left a comment
ekohl
left a comment
There was a problem hiding this comment.
Not a blocker for this, but I wonder about downstream vs upstream supported providers. What if it differs? Perhaps a question for https://community.theforeman.org/t/container-based-downstreams/46492.
| - name: Include tasks for {{ foreman_proxy_dns_provider_name }} | ||
| ansible.builtin.include_tasks: feature.yaml | ||
| vars: | ||
| feature_enabled: "true" |
There was a problem hiding this comment.
How about making this value dependent on whether the provider is selected? Then you can list every provider and include disable steps. Not a blocker for this PR, but thinking about the pattern here.
There was a problem hiding this comment.
At first I was like "wth is he talking about", but then 💡 came.
You mean something like:
- name: Include tasks for {{ item }}
ansible.builtin.include_tasks: feature.yaml
vars:
feature_enabled: "{{ foreman_proxy_dns_provider_name == item }}"
loop:
- every
- possible
- dns
- providerThere was a problem hiding this comment.
I didn't even think about a loop, but that's even nicer.
My naïve reply would be:
(no, this is not implemented right now, but would be possible without too much of a headache) Edit: you'd also have to override the params definition to skip the unsupported ones. Which we can't do today. Ugh. |
| | `--foreman-proxy-dns-server` | Configure the target DNS server | `--foreman-proxy-dns-server` | | ||
| | `--foreman-proxy-keyfile` | Confogure the key for the target DNS server | `--foreman-proxy-keyfile` | |
There was a problem hiding this comment.
| | `--foreman-proxy-dns-server` | Configure the target DNS server | `--foreman-proxy-dns-server` | | |
| | `--foreman-proxy-keyfile` | Confogure the key for the target DNS server | `--foreman-proxy-keyfile` | | |
| | `--dns-server` | Configure the target DNS server | `--foreman-proxy-dns-server` | | |
| | `--dns-keyfile` | Configure the key for the target DNS server | `--foreman-proxy-keyfile` | |
| - [certificates_source, installer, [certificates_custom_server_certificate, certificates_custom_server_key, certificates_custom_server_ca_certificate]] | ||
|
|
||
| required_in_list: | ||
| - [[[features, dns], [foreman_proxy_dns_provider, nsupdate]], [foreman_proxy_dns_keyfile, foreman_proxy_dns_server]] |
There was a problem hiding this comment.
That means only foremanctl deploy --add-feature dns would fail?
5 participants
Why are you introducing these changes? (Problem description, related links)
What are the changes introduced in this pull request?
How to test this pull request
Steps to reproduce:
Checklist