Diffstat (limited to 'roles/openstack-stack')
| -rw-r--r-- | roles/openstack-stack/defaults/main.yml | 1 | ||||
| -rw-r--r-- | roles/openstack-stack/tasks/main.yml | 5 | ||||
| -rw-r--r-- | roles/openstack-stack/tasks/subnet_update_dns_servers.yaml | 8 | ||||
| -rw-r--r-- | roles/openstack-stack/templates/heat_stack.yaml.j2 | 48 | 
4 files changed, 35 insertions, 27 deletions
| diff --git a/roles/openstack-stack/defaults/main.yml b/roles/openstack-stack/defaults/main.yml
index 2a4ef3a45..4831d6bc4 100644
--- a/roles/openstack-stack/defaults/main.yml
+++ b/roles/openstack-stack/defaults/main.yml
@@ -9,4 +9,5 @@ num_masters: 1
 num_nodes: 1
 num_dns: 1
 num_infra: 1
+nodes_to_remove: []
 etcd_volume_size: 2
diff --git a/roles/openstack-stack/tasks/main.yml b/roles/openstack-stack/tasks/main.yml
index 71c7bbe0d..a53e6350b 100644
--- a/roles/openstack-stack/tasks/main.yml
+++ b/roles/openstack-stack/tasks/main.yml
@@ -35,6 +35,11 @@
     template: "{{ stack_template_path }}"
     wait: yes
+# NOTE(bogdando) OS::Neutron::Subnet doesn't support live updates for
+# dns_nameservers, so we can't do that for the "create stack" task.
+- include: subnet_update_dns_servers.yaml
+  when: private_dns_server is defined
+
 - name: cleanup temp files
   file:
     path: "{{ stack_template_pre.path }}"
diff --git a/roles/openstack-stack/tasks/subnet_update_dns_servers.yaml b/roles/openstack-stack/tasks/subnet_update_dns_servers.yaml
new file mode 100644
index 000000000..be4f07b97
--- /dev/null
+++ b/roles/openstack-stack/tasks/subnet_update_dns_servers.yaml
@@ -0,0 +1,8 @@
+---
+- name: Live update the subnet's DNS servers
+  os_subnet:
+    name: openshift-ansible-{{ stack_name }}-subnet
+    network_name: openshift-ansible-{{ stack_name }}-net
+    state: present
+    use_default_subnetpool: yes
+    dns_nameservers: "{{ [private_dns_server|default(public_dns_nameservers[0])]|union(public_dns_nameservers)|unique }}"
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2
index cba03e2ca..8bf76b57c 100644
--- a/roles/openstack-stack/templates/heat_stack.yaml.j2
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2
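Review bot: The `default(public_dns_nameservers[0])` fallback in the new task's `dns_nameservers` expression can never take effect, because tasks/main.yml only includes this file `when: private_dns_server is defined`; the value can be written as `"{{ [private_dns_server]|union(public_dns_nameservers)|unique }}"`. The task also changes the subnet outside Heat, so the resolver list recorded in the stack (still rendered from `dns_nameservers` in heat_stack.yaml.j2) will presumably differ from the live subnet after the play. A comment above the task noting that a later stack update may try to reconcile the two would help anyone tracing why instances resolve through an unexpected server. `use_default_subnetpool: yes` would be safer written as `true`.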
@@ -61,18 +61,13 @@ outputs:
         - dns
         - name
-  dns_floating_ip:
-    description: Floating IP of the DNS
-    value:
-      get_attr:
-        - dns
-        - addresses
-        - str_replace:
-            template: openshift-ansible-cluster_id-net
-            params:
-              cluster_id: {{ stack_name }}
-        - 1
-        - addr
+  dns_floating_ips:
+    description: Floating IPs of the DNS
+    value: { get_attr: [ dns, floating_ip ] }
+
+  dns_private_ips:
+    description: Private IPs of the DNS
+    value: { get_attr: [ dns, private_ip ] }
 resources:
@@ -111,9 +106,9 @@ resources:
               params:
                 subnet_24_prefix: {{ subnet_prefix }}
       dns_nameservers:
-      {% for nameserver in dns_nameservers %}
+{% for nameserver in dns_nameservers %}
         - {{ nameserver }}
-      {% endfor %}
+{% endfor %}
   router:
     type: OS::Neutron::Router
@@ -152,7 +147,7 @@ resources:
             cluster_id: {{ stack_name }}
       description:
         str_replace:
-          template: Basic ssh/dns security group for cluster_id OpenShift cluster
+          template: Basic ssh/icmp security group for cluster_id OpenShift cluster
           params:
             cluster_id: {{ stack_name }}
       rules:
@@ -162,13 +157,8 @@ resources:
           port_range_max: 22
           remote_ip_prefix: {{ ssh_ingress_cidr }}
         - direction: ingress
-          protocol: tcp
-          port_range_min: 53
-          port_range_max: 53
-        - direction: ingress
-          protocol: udp
-          port_range_min: 53
-          port_range_max: 53
+          protocol: icmp
+          remote_ip_prefix: {{ ssh_ingress_cidr }}
 {% if openstack_flat_secgrp|bool %}
   flat-secgrp:
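Review bot: Renaming the stack output `dns_floating_ip` to `dns_floating_ips` in the `outputs:` hunk drops the old key outright, so anything that still reads `dns_floating_ip` from the stack outputs will find it missing. No consumer is visible in this diff, so that needs checking against the rest of the repository. Judging by the plural descriptions, the value probably also changes from one address string to a list. A short comment above the two new outputs stating the value shape would save readers from guessing.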
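Review bot: The new ICMP rule in the `rules:` hunk takes its source range from an unquoted `{{ ssh_ingress_cidr }}`, as does the SSH rule above it. If that variable ever renders empty, the line becomes `remote_ip_prefix:` with a null value, which Heat would likely treat as no source restriction at all. Quoting it, `remote_ip_prefix: "{{ ssh_ingress_cidr }}"`, should make an empty value fail validation instead of silently widening the rule. The rule also sets no ICMP type or code, so every ICMP message type is accepted from that range; a comment such as `# all ICMP types allowed from the SSH ingress range` would record that this is deliberate. The security group resource starts outside the hunk.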
@@ -423,11 +413,6 @@ resources:
             cluster_id: {{ stack_name }}
       rules:
         - direction: ingress
-          protocol: tcp
-          port_range_min: 22
-          port_range_max: 22
-          remote_ip_prefix: {{ ssh_ingress_cidr }}
-        - direction: ingress
           protocol: udp
           port_range_min: 53
           port_range_max: 53
@@ -602,6 +587,8 @@ resources:
     type: OS::Heat::ResourceGroup
     properties:
       count: {{ num_nodes }}
+      removal_policies:
+      - resource_list: {{ nodes_to_remove }}
       resource_def:
         type: server.yaml
         properties:
@@ -674,6 +661,12 @@ resources:
           net:         { get_resource: net }
           subnet:      { get_resource: subnet }
           secgrp:
+# TODO(bogdando) filter only required node rules into infra-secgrp
+{% if openstack_flat_secgrp|bool %}
+            - { get_resource: flat-secgrp }
+{% else %}
+            - { get_resource: node-secgrp }
+{% endif %}
             - { get_resource: infra-secgrp }
             - { get_resource: common-secgrp }
           floating_network: {{ external_network }}
@@ -715,6 +708,7 @@ resources:
           subnet:      { get_resource: subnet }
           secgrp:
             - { get_resource: dns-secgrp }
+            - { get_resource: common-secgrp }
           floating_network: {{ external_network }}
           net_name:
             str_replace: |
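Review bot: `resource_list: {{ nodes_to_remove }}` in the ResourceGroup hunk prints the Python representation of the list into the template, which is valid YAML only by coincidence. The default `[]` parses fine, but under Python 2 a populated list can render as `[u'0', u'1']`, and Heat would then be given member names that include the `u'` prefix, so the intended nodes would not be the ones selected for removal. Serialising explicitly avoids that: `- resource_list: {{ nodes_to_remove | to_json }}`. The list item is also written flush with `removal_policies:` while the rest of the template indents sequence items, so two more spaces would keep it consistent. The resource definition begins and ends outside the hunk.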
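Review bot: In the `secgrp:` hunk, infra servers now join `node-secgrp` (or `flat-secgrp`) on top of `infra-secgrp`, so every ingress rule written for ordinary nodes also applies to the infra hosts, which is broader than the TODO itself says is needed. Until the filtering is done, the comment should name the node rules the infra hosts actually depend on, so the extra exposure can be reviewed and later removed. The TODO is a YAML `#` comment at column 0 and is therefore copied into every rendered stack template; `{# TODO(bogdando) filter only required node rules into infra-secgrp #}` would keep it in the source only. The server resource this list belongs to starts outside the hunk.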
