From 1363eda063bcfda48180f640f547501d9e929a9d Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Wed, 17 Jan 2018 10:10:56 +0000
Subject: [PATCH] Split IPSEC deployment in two

The first phase sets up the node-to-node tunnels at step 1; this ensures that the corosync cluster setup is done over the tunnels and prevents any timeouts that were happening when the setup was done after the cluster was up. This has the added value that all the pacemaker communication is encrypted from the beginning.

The second phase is the VIP tunnel setup, which is in step 3. This is because we need the VIPs to be setup by pacemaker, and we also need pacemaker to be up.

Depends-On: Ib9a134648c74e5dfcbd7a8ebd2d67bda87992497
Change-Id: Ic402dc73044e2426b097ed0eaf57a77c5e6eef24
---
 extraconfig/services/ipsec.yaml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/extraconfig/services/ipsec.yaml b/extraconfig/services/ipsec.yaml
index 5739bbde2c..90e8365264 100644
--- a/extraconfig/services/ipsec.yaml
+++ b/extraconfig/services/ipsec.yaml
@@ -85,13 +85,20 @@ outputs:
             - name: generate ipsec global vars
               set_fact:
                 ipsec_psk: "{{ generated_psk.stdout }}"
-                ipsec_skip_firewall_rules: true
               delegate_to: "{{item}}"
               delegate_facts: true
               no_log: true
               with_items:
                 - "{{ groups.ipsec }}"
       deploy_steps_tasks:
+        - name: IPSEC configuration on step 1
+          when: step == '1'
+          block:
+            - include_role:
+                name: tripleo-ipsec
+              vars:
+                ipsec_configure_vips: false
+                ipsec_skip_firewall_rules: false
         # In step 2 the pacemaker resources are created and the VIPs
         # are assigned to the nodes. We need those VIPs to be assigned
         # already before setting up the IPSEC tunnels. Hence we do this
@@ -101,3 +108,6 @@ outputs:
           block:
             - include_role:
                 name: tripleo-ipsec
+              vars:
+                ipsec_configure_vips: true
+                ipsec_skip_firewall_rules: true
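Review bot: The new step-1 block has no comment saying why the node-to-node tunnels must come up in step 1 rather than together with the VIP pass, while the neighbouring step-3 block is documented; a reader of the file never sees the commit message that explains it. Suggest adding above `- name: IPSEC configuration on step 1`: `# Node-to-node tunnels are set up in step 1 so that the corosync/pacemaker cluster, formed in step 2, is created over the encrypted links; VIP tunnels follow in step 3.` It is also worth stating in that comment that this pass runs with `ipsec_skip_firewall_rules: false`, so it is the one that opens the host firewall for IKE/ESP, and the later pass depends on those rules staying in place. The `deploy_steps_tasks` list continues past the end of this hunk.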
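Review bot: `ipsec_skip_firewall_rules: true` on the VIP pass silently assumes the rules installed by the step-1 pass also admit the VIP tunnels; if the tripleo-ipsec role scopes its rules to specific peer addresses rather than to the IKE/ESP ports, VIP traffic would be blocked, and that cannot be confirmed from this file. Worth checking in the role and recording the dependency next to the vars: `# Firewall rules for IKE/ESP were already installed by the step-1 pass above.` The step-3 task's `name` and `when` lines lie before the start of this hunk.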