From f7f5c2f4c50fb715ef535fe0fb2acfe6eb862a5d Mon Sep 17 00:00:00 2001 From: Pontus Wistbacka Date: Mon, 2 Feb 2026 19:51:02 +0000 Subject: [PATCH 1/2] Add step in playbook for installing and configuring dnsmasq on first node --- .../runtime/playbooks/cluster-bloom.yaml | 62 ++++++++++++++++++- 1 file changed, 61 insertions(+), 1 deletion(-) diff --git a/pkg/ansible/runtime/playbooks/cluster-bloom.yaml b/pkg/ansible/runtime/playbooks/cluster-bloom.yaml index 69dd14a..fe450f9 100644 --- a/pkg/ansible/runtime/playbooks/cluster-bloom.yaml +++ b/pkg/ansible/runtime/playbooks/cluster-bloom.yaml @@ -24,7 +24,7 @@ OIDC_URL: "" RKE2_EXTRA_CONFIG: "" CLUSTERFORGE_RELEASE: "none" - + DNSMASQ: true rocm_base_url: "https://repo.radeon.com/amdgpu-install/6.3.3/ubuntu/" rocm_deb_package: "amdgpu-install_6.3.60303-1_all.deb" rke2_installation_url: "https://get.rke2.io" 
@@ -517,6 +517,66 @@ set_fact: node_ip: "{{ node_ip_result.stdout if node_ip_result.stdout != '' else ansible_default_ipv4.address }}" + - name: Install and configure dnsmasq + when: DNSMASQ and FIRST_NODE and DOMAIN != "" + block: + - name: Disable systemd-resolve + shell: systemctl disable --now systemd-resolved + register: systemd_stopped + failed_when: false + changed_when: systemd_stopped.rc == 0 + - name: Install dnsmasq + apt: + name: + - dnsmasq + state: present + environment: + DEBIAN_FRONTEND: noninteractive + NEEDRESTART_MODE: a + NEEDRESTART_SUSPEND: "1" + - name: Create dnsmasq directory for keycloak + file: + path: /etc/dnsmasq.d/keycloak.conf + state: directory + mode: '0755' + - name: Create dnsmasq configuration file + copy: + content: | + address=/{{ DOMAIN }}/{{ node_ip }} # Keycloak Internal Resolution + server=/cluster.local/10.243.0.10 # Forward cluster.local to CoreDNS + server=8.8.8.8 # External DNS fallback + server=1.1.1.1 # External DNS fallback + listen-address=127.0.0.1 + bind-interfaces + cache-size=1000 + no-resolv + dest: /etc/dnsmasq.d/keycloak.conf + mode: "0644" + - name: Make resolv file mutable + file: + path: /etc/resolv.conf + attributes: -i + - name: Write resolv configuration file + copy: + content: | + nameserver 127.0.0.1 + search cluster.local svc.cluster.local + dest: /etc/resolv.conf + mode: "0644" + - name: Make resolv file immutable + file: + path: /etc/resolv.conf + attributes: +i + - name: Enable dnsmasq service + shell: systemctl enable --now dnsmasq + register: dnsmasq_started + failed_when: false + changed_when: dnsmasq_started.rc == 0 + - name: Restart dnsmasq service + shell: systemctl restart dnsmasq + register: dnsmasq_started + failed_when: false + changed_when: dnsmasq_restarted.rc == 0 - name: Create RKE2 config.yaml copy: content: | From aa28bdabd97593e8beaf1d03f2ca1e37c4b8582b Mon Sep 17 00:00:00 2001 
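Review bot: All three `systemctl` tasks set `failed_when: false`, so when dnsmasq fails to install or start the play still rewrites `/etc/resolv.conf` to `nameserver 127.0.0.1` and sets `+i` on it, leaving the node without a working resolver and with nothing reported in the run. Using the `systemd` module without the blanket `failed_when`, and touching `resolv.conf` only after dnsmasq is up, makes that failure visible; if hosts without systemd-resolved must be tolerated, that one task can carry a narrower condition. systemd-resolved is also stopped before the `apt` task, which presumably leaves the package download without DNS on hosts whose `resolv.conf` still points at the resolved stub, so the sketch below moves it after the install. Separately, `server=8.8.8.8` and `server=1.1.1.1` with `no-resolv` send every non-cluster lookup, internal hostnames included, to public resolvers and ignore the site's own DNS; an operator-supplied upstream list would avoid that.

```yaml
# … unchanged: apt install, /etc/dnsmasq.d directory, keycloak.conf …
- name: Stop and disable systemd-resolved
  systemd:
    name: systemd-resolved
    state: stopped
    enabled: false
- name: Enable and restart dnsmasq
  systemd:
    name: dnsmasq
    state: restarted
    enabled: true
# … unchanged: resolv.conf tasks, run only after dnsmasq has started …
```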
From: Pontus Wistbacka Date: Tue, 3 Feb 2026 16:17:00 +0000 Subject: [PATCH 2/2] Add the DNSMASQ option to inputs. Fix a few typos. --- pkg/ansible/runtime/playbooks/cluster-bloom.yaml | 4 ++-- pkg/config/bloom.yaml.schema.yaml | 7 +++++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/pkg/ansible/runtime/playbooks/cluster-bloom.yaml b/pkg/ansible/runtime/playbooks/cluster-bloom.yaml index fe450f9..53dba65 100644 --- a/pkg/ansible/runtime/playbooks/cluster-bloom.yaml +++ b/pkg/ansible/runtime/playbooks/cluster-bloom.yaml @@ -536,7 +536,7 @@ NEEDRESTART_SUSPEND: "1" - name: Create dnsmasq directory for keycloak file: - path: /etc/dnsmasq.d/keycloak.conf + path: /etc/dnsmasq.d/ state: directory mode: '0755' - name: Create dnsmasq configuration file @@ -574,7 +574,7 @@ changed_when: dnsmasq_started.rc == 0 - name: Restart dnsmasq service shell: systemctl restart dnsmasq - register: dnsmasq_started + register: dnsmasq_restarted failed_when: false changed_when: dnsmasq_restarted.rc == 0 - name: Create RKE2 config.yaml diff --git a/pkg/config/bloom.yaml.schema.yaml b/pkg/config/bloom.yaml.schema.yaml index 462a72e..4535844 100644 --- a/pkg/config/bloom.yaml.schema.yaml +++ b/pkg/config/bloom.yaml.schema.yaml @@ -141,6 +141,13 @@ schema: desc: ClusterForge version URL or 'none' section: "⚙️ Advanced Configuration" + DNSMASQ: + type: bool + default: true + desc: Install dnsmasq to allow use of local OIDC server + applicable: when(FIRST_NODE == true) + section: "⚙️ Advanced Configuration" + CF_VALUES: type: str default: ""
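Review bot: The `desc` for `DNSMASQ` in the schema hunk only mentions installing dnsmasq, while with `default: true` the block added in patch 1/2 also disables systemd-resolved, replaces `/etc/resolv.conf` and marks it immutable on the first node whenever `DOMAIN` is set. An option that rewrites host DNS should say so and arguably be opt-in, e.g. `default: false` with `desc: Replace systemd-resolved with a local dnsmasq (rewrites and locks /etc/resolv.conf) so the node can resolve the local OIDC server`. `applicable` names only `FIRST_NODE == true` although the task is also gated on `DOMAIN != ""`; whether the schema's `when(...)` syntax can express both conditions is not visible from this hunk.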