Add FreeIPA DNS for ECS role (#257)

Signed-off-by: Webster Mudge <[email protected]>

Author: wmudge

roles/freeipa_server_ecs/README.md

@@ -0,0 +1,83 @@
+# freeipa_server_ecs
+
+Configure DNS zones and wildcard records for Cloudera ECS.
+
+This role configures DNS zones and wildcard records within a **FreeIPA** server, which is a key step for Cloudera on Premise **Embedded Container Service (ECS)**. It simplifies the process of setting up name resolution for applications and services within a specific domain by automatically creating a DNS zone and populating it with wildcard DNS records pointing to a single IP address.
+
+The role will:
+- Authenticate to a FreeIPA server using the provided administrative credentials.
+- Create a new DNS zone based on the `ipaserver_domain` and the `zone_name` defined in the `freeipa_dns_records` list.
+- Add wildcard DNS records (`*` records) to the specified zone.
+- Point these wildcard records to the target IP address defined in `freeipa_dns_records_address`.
+- Optionally, skip a check for overlapping DNS zones if `dnszone_skip_overlap_check` is set to `true`.
+- Execute all commands via the FreeIPA API, either on a client or server context.
+
+## Requirements
+
+- A running and accessible **FreeIPA server**.
+- The `ipaadmin_principal` must have permissions to create DNS zones and records within the FreeIPA environment.
+- Network connectivity from the Ansible controller (or the `ipaapi_context` host) to the FreeIPA server.
+
+## Dependencies
+
+None.
+
+## Parameters
+
+| Variable | Type | Required | Default | Description |
+| --- | --- | --- | --- | --- |
+| `ipaadmin_password` | `str` | `True` | | **FreeIPA** administrative password for authentication. |
+| `ipaadmin_principal` | `str` | `False` | `admin` | **FreeIPA** administrative principal (user) for authentication. |
+| `ipaserver_host` | `str` | `False` | `inventory_hostname` | Hostname or IP address of the **FreeIPA** server to connect to. Defaults to the current host. |
+| `ipaserver_domain` | `str` | `True` | | The **FreeIPA** domain under which the DNS zone will be created (e.g., `example.internal`). |
+| `freeipa_dns_records` | `list` of `dict` | `False` | `[{'zone_name': 'apps.{{ ipaserver_domain }}', 'record_name': '*', 'record_type': 'A'}, {'zone_name': '{{ ipaserver_domain }}', 'record_name': '*', 'record_type': 'A'}]` | A list of DNS records to create within the specified **FreeIPA** domain. Each dictionary defines a record with its `zone_name`, `record_name`, and `record_type`. Defaults to creating two wildcard A records. |
+| `freeipa_dns_records_address` | `str` | `True` | | The target IP address for the DNS records defined in `freeipa_dns_records`. All records will point to this address. |
+| `dnszone_skip_overlap_check` | `bool` | `False` | `false` | A flag to skip the overlap check when creating DNS zones, which can be useful in specific configurations but should be used with caution. |
+| `ipaapi_context` | `str` | `False` | - | The **FreeIPA** role of the host where the DNS Zone creation command will be executed. Choices are `client` or `server`. |
+
+## Example Playbook
+
+```yaml
+- hosts: ipaserver_host
+  tasks:
+    - name: Configure FreeIPA DNS for ECS with default wildcard records
+      ansible.builtin.import_role:
+        name: cloudera.exe.freeipa_server_ecs
+      vars:
+        ipaadmin_password: "MySuperSecretAdminPassword" # Use Ansible Vault for this
+        ipaserver_domain: "example.internal"
+        freeipa_dns_records_address: "10.0.0.100"
+        # The role will automatically create '*' records for 'apps.example.internal' and 'example.internal'
+
+    - name: Configure a single custom DNS record for ECS
+      ansible.builtin.import_role:
+        name: cloudera.exe.freeipa_server_ecs
+      vars:
+        ipaadmin_password: "MySuperSecretAdminPassword"
+        ipaserver_domain: "example.internal"
+        freeipa_dns_records_address: "10.0.0.200"
+        freeipa_dns_records:
+          - zone_name: "custom.{{ ipaserver_domain }}"
+            record_name: "customapp"
+            record_type: "A"
+        dnszone_skip_overlap_check: true
+        ipaapi_context: "client"
+```
+
+## License
+
+```
+Copyright 2025 Cloudera, Inc.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+```

roles/freeipa_server_ecs/defaults/main.yml

@@ -0,0 +1,29 @@
+---
+# Copyright 2025 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ipaadmin_principal: admin
+ipaadmin_password: "{{ undef(hint='Please define the FreeIPA adminstrator principal password') }}"
+ipaserver_domain: "{{ undef(hint='Please define the FreeIPA server domain') }}"
+ipaserver_host: "{{ inventory_hostname }}"
+# ipaapi_context:
+
+dnszone_skip_overlap_check: false
+
+freeipa_dns_records:
+  - zone_name: "apps.{{ ipaserver_domain }}"
+    record_name: "*"
+    record_type: "A"
+
+freeipa_dns_records_address: "{{ undef(hint='Please define the FreeIPA DNS records target IP address for ECS') }}"

roles/freeipa_server_ecs/meta/argument_specs.yml

@@ -0,0 +1,73 @@
+---
+# Copyright 2025 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+argument_specs:
+  main:
+    short_description: Configure DNS zones and wildcard records for ECS
+    description:
+      - Ensures that DNS zones and wildcard records are set up in FreeIPA for ECS.
+      - Creates a specified DNS zone and adds wildcard DNS records.
+    author: Cloudera Labs
+    version_added: 3.0.0
+    options:
+      ipaadmin_password:
+        description: FreeIPA admin password used for authentication.
+        required: true
+      ipaadmin_principal:
+        description: FreeIPA admin principal used for authentication.
+        default: admin
+      ipaserver_host:
+        description: Hostname or IP address of the FreeIPA server.
+        default: C(inventory_hostname)
+      ipaserver_domain:
+        description: The FreeIPA domain to use for creating the DNS zone and records.
+        required: true
+      freeipa_dns_records:
+        description: DNS records to create within the FreeIPA domain, i.e. DNS zone.
+        type: list
+        elements: dict
+        options:
+          zone_name:
+            description: Name of the DNS zone to create the record in.
+            required: true
+          record_name:
+            description: Name of the DNS record (use C(*) for a wildcard record).
+            required: true
+          record_type:
+            description: Type of the DNS record (e.g., A, AAAA).
+            required: true
+        default:
+          - zone_name: "apps.C(ipaserver_domain)"
+            record_name: "*"
+            record_type: "A"
+          - zone_name: "C(ipaserver_domain)"
+            record_name: "*"
+            record_type: "A"
+      freeipa_dns_records_address:
+        description: DNS records target IP address for the records defined in O(freeipa_dns_records).
+        type: str
+        required: true
+      dnszone_skip_overlap_check:
+        description: Skip overlap check when creating DNS zones.
+        type: bool
+        required: false
+        default: false
+      ipaapi_context:
+        description: The FreeIPA role of the host where the DNS Zone creation will execute.
+        type: str
+        required: false
+        choices:
+          - client
+          - server

roles/freeipa_server_ecs/molecule/default/converge.yml

@@ -0,0 +1,24 @@
+---
+# Copyright 2024 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Converge
+  hosts: all
+  gather_facts: true
+  tasks:
+    - name: Provision ECS DNS entries
+      ansible.builtin.import_role:
+        name: cloudera.exe.freeipa_server_ecs
+      vars:
+        freeipa_dns_records_address: "{{ ansible_default_ipv4.address }}"