Merge "Allow to provide custom configuration for VPNaaS"

2022-06-20 16:13:20 +00:00 · 2022-06-20 16:13:20 +00:00 · 36a2f02561
commit 36a2f02561
parent 1700cc37ca 26b768ea5b
4 changed files with 87 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -455,6 +455,14 @@ neutron_nova_metadata_insecure: "{{ nova_metadata_insecure | default(False) }}"
 neutron_driver_vpnaas: "{{ _neutron_driver_vpnaas }}"
 neutron_vpnaas_service_provider: "{{ _neutron_vpnaas_service_provider }}"

+#Set this variable to use custom config file for strongswan/openswan
+# neutron_vpnaas_custom_config:
+#   - src: "/etc/openstack_deploy/strongswan/strongswan.conf.template"
+#     dest: "{{ neutron_conf_dir }}/strongswan.conf.template"
+#     condition: "{{ ansible_facts['os_family'] | lower == 'debian' }}"
+
+neutron_vpnaas_custom_config: []
+
 # Calico Felix agent upstream settings
 calico_felix_url: "https://github.com/projectcalico/felix/releases/download/{{ calico_felix_version }}/calico-felix-amd64"
 calico_felix_version: v3.21.2
--- a/doc/source/configure-network-services.rst
+++ b/doc/source/configure-network-services.rst
@ -117,8 +117,8 @@ Follow the steps below to deploy FWaaS v2:
       # openstack-ansible os-neutron-install.yml


-Virtual private network service (optional)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Virtual private network service - VPNaaS (optional)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 The following procedure describes how to modify the
 ``/etc/openstack_deploy/user_variables.yml`` file to enable VPNaaS.
@ -180,6 +180,37 @@ dict.

 .. _conf override: https://docs.openstack.org/openstack-ansible/latest/admin/openstack-operations.html

+You can also define customized configuration files for VPN service with the variable
+``neutron_vpnaas_custom_config``:
+
+.. code-block:: yaml
+
+   neutron_vpnaas_custom_config:
+      - src: "/etc/openstack_deploy/strongswan/strongswan.conf.template"
+        dest: "{{ neutron_conf_dir }}/strongswan.conf.template"
+        condition: "{{ ansible_facts['os_family'] | lower == 'debian' }}"
+      - src: "/etc/openstack_deploy/strongswan/strongswan.d"
+        dest: "/etc/strongswan.d"
+        condition: "{{ ansible_facts['os_family'] | lower == 'debian' }}"
+      - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.conf.template"
+        dest: "{{ neutron_conf_dir }}/ipsec.conf.template"
+      - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.secret.template"
+        dest: "{{ neutron_conf_dir }}/ipsec.secret.template"
+
+With that ``neutron_l3_agent_ini_overrides`` should be also defined in 'user_variables.yml'
+to tell ``l3_agent`` use the new config file:
+
+.. code-block:: yaml
+
+   neutron_l3_agent_ini_overrides:
+         ipsec:
+            enable_detailed_logging: True
+         strongswan:
+            strongswan_config_template : "{{ neutron_conf_dir }}/strongswan.conf.template"
+         openswan:
+            ipsec_config_template:  "{{ neutron_conf_dir }}/ipsec.conf.template"
+
+
 BGP Dynamic Routing service (optional)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- a/releasenotes/notes/neutron-vpnaas-custom-config-ad991bb02b9ed655.yaml
+++ b/releasenotes/notes/neutron-vpnaas-custom-config-ad991bb02b9ed655.yaml
@ -0,0 +1,33 @@
+---
+features:
+  - |
+    Neutron VPN as a Service (VPNaaS) with customized configuration files
+    can now be defined with the variable ``neutron_vpnaas_custom_config``.
+    deployers should define ``neutron_vpnaas_custom_config`` in 'user_variables.yml'.
+    Example:
+
+    .. code-block:: yaml
+
+      neutron_vpnaas_custom_config:
+        - src: "/etc/openstack_deploy/strongswan/strongswan.conf.template"
+          dest: "{{ neutron_conf_dir }}/strongswan.conf.template"
+        - src: "/etc/openstack_deploy/strongswan/strongswan.d"
+          dest: "/etc/strongswan.d"
+        - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.conf.template"
+          dest: "{{ neutron_conf_dir }}/ipsec.conf.template"
+        - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.secret.template"
+          dest: "{{ neutron_conf_dir }}/ipsec.secret.template"
+
+    We should be also define ``neutron_l3_agent_ini_overrides`` in 'user_variables.yml'
+    to tell ``l3_agent`` use the new config file.
+    Example:
+
+    .. code-block:: yaml
+
+      neutron_l3_agent_ini_overrides:
+        ipsec:
+          enable_detailed_logging: True
+        strongswan:
+          strongswan_config_template : "{{ neutron_conf_dir }}/strongswan.conf.template"
+        openswan:
+          ipsec_config_template:  "{{ neutron_conf_dir }}/ipsec.conf.template"
--- a/tasks/neutron_post_install.yml
+++ b/tasks/neutron_post_install.yml
@ -195,6 +195,19 @@
  when:
    - "'bgpvpn' in neutron_plugin_base"

+- name: Copy vpnaas custom config files
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "root"
+    group: "{{ neutron_system_group_name }}"
+    mode: "0640"
+  loop: "{{ neutron_vpnaas_custom_config }}"
+  when:
+    - neutron_vpnaas_custom_config | length > 0
+    - neutron_services['neutron-l3-agent']['group'] in group_name
+    - item.condition | default(True)
+
 - name: Stop haproxy service on debian derivatives with standalone network nodes
  service:
    name: haproxy