From 10405004a5a2f35d74e9023749613048e6aa1d39 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Fri, 8 Feb 2019 09:49:18 -0800
Subject: [PATCH] Remove configure-unbound role

This role now lives in opendev/base-jobs so to reduce confusion we clean it out of ozj.

Depends-On: https://review.openstack.org/635900
Change-Id: I27971ad1bd3ef93ea04aaede76e51afe9d770b5b
---
 roles/configure-unbound/README.rst | 48 -----------
 roles/configure-unbound/defaults/main.yaml | 24 ------
 roles/configure-unbound/handlers/main.yaml | 5 --
 roles/configure-unbound/tasks/main.yaml | 84 -------------------
 .../templates/forwarding.conf.j2 | 6 --
 roles/configure-unbound/templates/ttl.conf.j2 | 5 --
 roles/configure-unbound/vars/Debian.yaml | 1 -
 roles/configure-unbound/vars/default.yaml | 1 -
 tests/base.yaml | 1 -
 tests/configure-unbound.yaml | 48 -----------
 zuul.d/jobs.yaml | 2 -
 11 files changed, 225 deletions(-)
 delete mode 100644 roles/configure-unbound/README.rst
 delete mode 100644 roles/configure-unbound/defaults/main.yaml
 delete mode 100644 roles/configure-unbound/handlers/main.yaml
 delete mode 100644 roles/configure-unbound/tasks/main.yaml
 delete mode 100644 roles/configure-unbound/templates/forwarding.conf.j2
 delete mode 100644 roles/configure-unbound/templates/ttl.conf.j2
 delete mode 100644 roles/configure-unbound/vars/Debian.yaml
 delete mode 100644 roles/configure-unbound/vars/default.yaml
 delete mode 100644 tests/configure-unbound.yaml

diff --git a/roles/configure-unbound/README.rst b/roles/configure-unbound/README.rst
deleted file mode 100644
index 9e80061f..00000000
--- a/roles/configure-unbound/README.rst
+++ /dev/null
@@ -1,48 +0,0 @@
-An ansible role to dynamically configure DNS forwarders for the
-``unbound`` caching service. IPv6 will be preferred when there is a
-usable IPv6 default route, otherwise IPv4.
-
-.. note:: This is not a standalone unbound configuration role. Base
- setup is done during image builds in
- ``project-config:nodepool/elements/nodepool-base/finalise.d/89-unbound``;
- here we just do dynamic configuration of forwarders based on
- the interfaces available on the actual host.
-
-**Role Variables**
-
-.. zuul:rolevar:: unbound_primary_nameserver_v4
- :default: 208.67.222.222 (OpenDNS)
-
- The primary IPv4 nameserver for fowarding requests
-
-.. zuul:rolevar:: unbound_secondary_nameserver_v4
- :default: 8.8.8.8 (Google)
-
- The secondary IPv4 nameserver for fowarding requests
-
-.. zuul:rolevar:: unbound_primary_nameserver_v6
- :default: 2620:0:ccc::2 (OpenDNS)
-
- The primary IPv6 nameserver for fowarding requests
-
-.. zuul:rolevar:: unbound_secondary_nameserver_v6
- :default: 2001:4860:4860::8888 (Google)
-
- The seconary IPv6 nameserver for fowarding requests
-
-.. zuul:rolevar:: unbound_cache_max_ttl
- :default: 86400
-
- Maximum TTL in seconds to keep successful queries cached for.
-
- This TTL will have precedence if the DNS record TTL is higher.
- For example, a TTL of 90000 would be reduced to 86400.
-
-.. zuul:rolevar:: unbound_cache_min_ttl
- :default: 0
-
- Minimum TTL in seconds to keep queries cached for.
- Note that this is effective for both successful and failed queries.
-
- This TTL will have precedence if the DNS record TTL is lower.
- For example, a TTL of 60 would be raised to 900.
diff --git a/roles/configure-unbound/defaults/main.yaml b/roles/configure-unbound/defaults/main.yaml
deleted file mode 100644
index e67192d1..00000000
--- a/roles/configure-unbound/defaults/main.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# OpenDNS
-unbound_primary_nameserver_v6: "2620:0:ccc::2"
-unbound_primary_nameserver_v4: "208.67.222.222"
-
-# Google
-unbound_secondary_nameserver_v6: "2001:4860:4860::8888"
-unbound_secondary_nameserver_v4: "8.8.8.8"
-
-# Time to live maximum for RRsets and messages in the cache.
-# Default is 86400 seconds (1 day). If the maximum kicks in,
-# responses to clients still get decrementing TTLs based on the
-# original (larger) values. When the internal TTL expires, the
-# cache item has expired. Can be set lower to force the resolver
-# to query for data often, and not trust (very large) TTL values.
-unbound_cache_max_ttl: 86400
-
-# Time to live minimum for RRsets and messages in the cache.
-# Default is 0. If the minimum kicks in, the data is cached for
-# longer than the domain owner intended, and thus less queries are
-# made to look up the data. Zero makes sure the data in the cache
-# is as the domain owner intended, higher values, especially more
-# than an hour or so, can lead to trouble as the data in the cache
-# does not match up with the actual data any more.
-unbound_cache_min_ttl: 0
diff --git a/roles/configure-unbound/handlers/main.yaml b/roles/configure-unbound/handlers/main.yaml
deleted file mode 100644
index 7199e29b..00000000
--- a/roles/configure-unbound/handlers/main.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: Restart unbound
- become: yes
- service:
- name: unbound
- state: restarted
diff --git a/roles/configure-unbound/tasks/main.yaml b/roles/configure-unbound/tasks/main.yaml
deleted file mode 100644
index 6b66745b..00000000
--- a/roles/configure-unbound/tasks/main.yaml
+++ /dev/null
@@ -1,84 +0,0 @@
-# This role assumes that Unbound is already installed, fail early if it isn't.
-- name: Check that Unbound is installed
- stat:
- path: /etc/unbound
- register: unbound_config
-
-- name: Ensure that Unbound is installed
- assert:
- that:
- - unbound_config.stat.exists
-
-# ansible_default_ipv6 can either be undefined (no ipv6) or blank (no
-# routable address). We only want to use ipv6 if it's available &
-# routable; combine these checks into this fact.
-- name: Check for IPv6
- when:
- - hostvars[inventory_hostname]['ansible_default_ipv6'] is defined
- - hostvars[inventory_hostname]['ansible_default_ipv6']['address'] is defined
- set_fact:
- unbound_use_ipv6: True
-
-# Use *only* ipv6 resolvers if ipv6 is present and routable. This
-# avoids traversing potential NAT when using ipv4 which can be
-# unreliable.
-- name: Set IPv6 nameservers
- when:
- - unbound_use_ipv6 is defined
- set_fact:
- unbound_primary_nameserver: '{{ unbound_primary_nameserver_v6 }}'
- unbound_secondary_nameserver: '{{ unbound_secondary_nameserver_v6 }}'
-
-# Fallback to default ipv4 if there is no ipv6 available as this
-# causes timeouts and failovers that are unnecesary.
-- name: Set IPv4 nameservers
- when:
- - unbound_use_ipv6 is not defined
- set_fact:
- unbound_primary_nameserver: '{{ unbound_primary_nameserver_v4 }}'
- unbound_secondary_nameserver: '{{ unbound_secondary_nameserver_v4 }}'
-
-- name: Include OS-specific variables
- include_vars: "{{ item }}"
- with_first_found:
- - "{{ ansible_distribution }}.yaml"
- - "{{ ansible_os_family }}.yaml"
- - "default.yaml"
-
-- name: Ensure Unbound conf.d directory exists
- become: yes
- file:
- path: "{{ unbound_confd }}"
- state: directory
-
-# TODO: Move this to /etc/unbound/conf.d ?
-- name: Configure unbound forwarding
- become: yes
- template:
- dest: /etc/unbound/forwarding.conf
- owner: root
- group: root
- mode: 0644
- src: forwarding.conf.j2
- register: forwarding_config
- notify:
- - Restart unbound
-
-- name: Configure unbound TTL
- become: yes
- template:
- dest: "{{ unbound_confd }}/ttl.conf"
- owner: root
- group: root
- mode: 0644
- src: ttl.conf.j2
- register: ttl_config
- notify:
- - Restart unbound
-
-- name: Start unbound
- become: yes
- service:
- name: unbound
- state: started
- enabled: yes
diff --git a/roles/configure-unbound/templates/forwarding.conf.j2 b/roles/configure-unbound/templates/forwarding.conf.j2
deleted file mode 100644
index 3b52571e..00000000
--- a/roles/configure-unbound/templates/forwarding.conf.j2
+++ /dev/null
@@ -1,6 +0,0 @@
-# {{ ansible_managed }}
-
-forward-zone:
- name: "."
- forward-addr: {{ unbound_primary_nameserver }}
- forward-addr: {{ unbound_secondary_nameserver }}
diff --git a/roles/configure-unbound/templates/ttl.conf.j2 b/roles/configure-unbound/templates/ttl.conf.j2
deleted file mode 100644
index 34b5881a..00000000
--- a/roles/configure-unbound/templates/ttl.conf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-# {{ ansible_managed }}
-
-server:
- cache-min-ttl: {{ unbound_cache_min_ttl }}
- cache-max-ttl: {{ unbound_cache_max_ttl }}
diff --git a/roles/configure-unbound/vars/Debian.yaml b/roles/configure-unbound/vars/Debian.yaml
deleted file mode 100644
index ccb6146a..00000000
--- a/roles/configure-unbound/vars/Debian.yaml
+++ /dev/null
@@ -1 +0,0 @@
-unbound_confd: /etc/unbound/unbound.conf.d
diff --git a/roles/configure-unbound/vars/default.yaml b/roles/configure-unbound/vars/default.yaml
deleted file mode 100644
index 48bfc75a..00000000
--- a/roles/configure-unbound/vars/default.yaml
+++ /dev/null
@@ -1 +0,0 @@
-unbound_confd: /etc/unbound/conf.d
diff --git a/tests/base.yaml b/tests/base.yaml
index a2b802ac..03b7f7a6 100644
--- a/tests/base.yaml
+++ b/tests/base.yaml
@@ -6,7 +6,6 @@
 # Note: set-zuul-log-path-fact is tested by emit-job-header.yaml
 - include: emit-job-header.yaml
 - include: ensure-output-dirs.yaml
-- include: configure-unbound.yaml
 - include: use-cached-repos.yaml
 - include: mirror-info.yaml
 - include: configure-mirrors.yaml
diff --git a/tests/configure-unbound.yaml b/tests/configure-unbound.yaml
deleted file mode 100644
index d40315ea..00000000
--- a/tests/configure-unbound.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-- name: Test the configure-unbound role
- hosts: all
- roles:
- - role: configure-unbound
- post_tasks:
- - name: Check that unbound is started
- become: yes
- service:
- name: unbound
- state: started
- register: unbound_service
-
- - name: Ensure that unbound is started
- assert:
- that:
- - unbound_service is not changed
-
- # Until nodepool no longer embeds a forwarding.conf in the image, it is
- # safe to assume that we'll be changing the forwarding configuration
- # because the role has logic to use v6 *or* v4 nameservers while nodepool
- # puts all four nameservers.
- - name: Ensure that configuration was installed
- assert:
- that:
- - forwarding_config is changed
- - ttl_config is changed
-
- - name: Check if /etc/unbound/forwarding.conf exists
- stat:
- path: /etc/unbound/forwarding.conf
- register: forwarding_file
-
- - name: Check if /etc/unbound/conf.d/ttl.conf exists
- stat:
- path: "{{ unbound_confd }}/ttl.conf"
- register: ttl_file
-
- - name: Ensure that configuration files exist
- assert:
- that:
- - forwarding_file.stat.exists
- - ttl_file.stat.exists
-
- # This is self-tested, no need to assert
- - name: Do a host lookup (sanity check)
- command: host openstack.org
- changed_when: false
-
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 58b289bd..7897aa05 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -20,7 +20,6 @@
 run: tests/base.yaml
 files:
 - ^roles/configure-mirrors/.*
- - ^roles/configure-unbound/.*
 - ^roles/emit-job-header/.*
 - ^roles/ensure-output-dirs/.*
 - ^roles/fetch-zuul-cloner/.*
@@ -100,7 +99,6 @@
 run: tests/multinode.yaml
 files:
 - ^roles/configure-mirrors/.*
- - ^roles/configure-unbound/.*
 - ^roles/emit-job-header/.*
 - ^roles/ensure-output-dirs/.*
 - ^roles/fetch-zuul-cloner/.*