Adding generated passwd and akamai DNS workaround

Author: hgeaydem

defaults/main.yaml

@@ -1,3 +1,5 @@
 ---
 ocp4_aio_infra_role_deploy_bastion_retries: 10
 ocp4_aio_infra_role_deploy_bastion_delay: 30
+cloud_provider: none
+baremetal_provider: none

files/services/named-metal.conf

@@ -0,0 +1,80 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+// See the BIND Administrator's Reference Manual (ARM) for details about the
+// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
+
+options {
+	listen-on { any;} ;
+	listen-on-v6 port 53 { ::1; };
+	forwarders { 192.168.123.1; };
+	directory	"/var/named";
+	dump-file	"/var/named/data/cache_dump.db";
+	statistics-file "/var/named/data/named_stats.txt";
+	memstatistics-file "/var/named/data/named_mem_stats.txt";
+	recursing-file  "/var/named/data/named.recursing";
+	secroots-file   "/var/named/data/named.secroots";
+	//allow-query     { localhost; 192.168.123.0/24; };
+
+	/* 
+	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
+	   recursion. 
+	 - If your recursive DNS server has a public IP address, you MUST enable access 
+	   control to limit queries to your legitimate users. Failing to do so will
+	   cause your server to become part of large scale DNS amplification 
+	   attacks. Implementing BCP38 within your network would greatly
+	   reduce such attack surface 
+	*/
+	recursion yes;
+
+	dnssec-enable no;
+	dnssec-validation no;
+
+	/* Path to ISC DLV key */
+	bindkeys-file "/etc/named.root.key";
+
+	managed-keys-directory "/var/named/dynamic";
+
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+	response-policy { zone "rpz"; };
+};
+
+logging {
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+zone "aio.example.com" IN {
+         type master;
+         file "aio.example.com.db";
+         allow-update { none; };
+};
+
+zone "123.168.192.in-addr.arpa" IN {
+          type master;
+          file "123.168.192.db";
+          allow-update { none; };
+};
+
+zone "rpz" {
+          type master;
+          file "rpz.db";
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+

files/services/rpz.db

@@ -0,0 +1,12 @@
+$TTL 60
+@            IN    SOA  localhost. root.localhost.  (
+                          2015112501   ; serial
+                          1h           ; refresh
+                          30m          ; retry
+                          1w           ; expiry
+                          30m)         ; minimum
+                   IN     NS    localhost.
+
+localhost       A   127.0.0.1
+
+registry.redhat.io      A       104.124.109.202

tasks/deploy_bastion.yml

@@ -315,7 +315,7 @@
 
 - name: Set the root password on the centos8-kvm-cnv image
   ansible.builtin.command: >
-    virt-customize -a /var/lib/libvirt/images/centos8-kvm-cnv.qcow2 --root-password password:redhat
+    virt-customize -a /var/lib/libvirt/images/centos8-kvm-cnv.qcow2 --root-password password:{{ ocp4_aio_root_password }}
   when: not centos8_cnv.stat.exists
 
 - name: Convert centos8-kvm-cnv image to raw