Browse Source

Add IPSEC composable service

This service is tied to the external_deploy_tasks (such as the k8s
service); and it deploys IPSEC in the overcloud.

bp ipsec

Change-Id: Ie3b7af92c0ec97241de6d8badec13b9e93ee9305
changes/63/521863/13
Juan Antonio Osorio Robles 4 years ago
parent
commit
898ad4f54b
  1. 1
      environments/hyperconverged-ceph.yaml
  2. 2
      environments/ipsec.yaml
  3. 114
      extraconfig/services/ipsec.yaml
  4. 1
      overcloud-resource-registry-puppet.j2.yaml
  5. 1
      roles/BlockStorage.yaml
  6. 1
      roles/CephStorage.yaml
  7. 1
      roles/Compute.yaml
  8. 1
      roles/ComputeHCI.yaml
  9. 1
      roles/ComputeOvsDpdk.yaml
  10. 1
      roles/ComputeSriov.yaml
  11. 1
      roles/Controller.yaml
  12. 1
      roles/ControllerOpenstack.yaml
  13. 1
      roles/Database.yaml
  14. 1
      roles/IronicConductor.yaml
  15. 1
      roles/Messaging.yaml
  16. 1
      roles/Networker.yaml
  17. 1
      roles/ObjectStorage.yaml
  18. 1
      roles/Telemetry.yaml
  19. 5
      roles_data.yaml

1
environments/hyperconverged-ceph.yaml

@ -42,6 +42,7 @@ parameter_defaults:
- OS::TripleO::Services::SensuClient
- OS::TripleO::Services::SkydiveAgent
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::AuditD
- OS::TripleO::Services::Collectd
- OS::TripleO::Services::CephOSD

2
environments/ipsec.yaml

@ -0,0 +1,2 @@
resource_registry:
OS::TripleO::Services::Ipsec: ../extraconfig/services/ipsec.yaml

114
extraconfig/services/ipsec.yaml

@ -0,0 +1,114 @@
heat_template_version: pike
description: Enables IPSEC for the overcloud
parameters:
RoleNetIpMap:
default: {}
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
outputs:
role_data:
description: Role data for the IPSEC service
value:
service_name: ipsec
config_settings:
tripleo.ipsec.firewall_rules:
'100 IPSEC IKE INPUT':
dport: 500
sport: 500
proto: udp
chain: INPUT
'100 IPSEC IKE OUTPUT':
dport: 500
sport: 500
proto: udp
chain: OUTPUT
'100 IPSEC IKE NAT-Traversal INPUT':
dport: 4500
sport: 4500
proto: udp
chain: INPUT
'100 IPSEC IKE NAT-Traversal OUTPUT':
dport: 4500
sport: 4500
proto: udp
chain: OUTPUT
'100 IPSEC ESP INPUT':
proto: esp
chain: INPUT
'100 IPSEC ESP OUTPUT':
proto: esp
chain: OUTPUT
'100 IPSEC Authentication Header INPUT':
proto: ah
chain: INPUT
'100 IPSEC Authentication Header OUTPUT':
proto: ah
chain: OUTPUT
upgrade_tasks: []
step_config: ''
external_deploy_tasks:
- name: IPSEC configuration on step 1
when: step == '1'
block:
# FIXME: Remove this once it's vailable in the undercloud
- name: Ensure roles directory is present
file:
path: "{{ playbook_dir }}/roles"
state: directory
# FIXME: Remove this once it's vailable in the undercloud
- name: clone tripleo-ipsec repo
git:
repo: https://git.openstack.org/openstack/tripleo-ipsec
dest: "{{ playbook_dir }}/roles/tripleo-ipsec"
update: no
- name: Generate PSK
command: openssl rand -base64 48
register: generated_psk
no_log: true
- name: generate ipsec global vars
set_fact:
ipsec_psk: "{{ generated_psk.stdout }}"
ipsec_skip_firewall_rules: true
delegate_to: "{{item}}"
delegate_facts: true
no_log: true
with_items:
- "{{ groups.ipsec }}"
deploy_steps_tasks:
# In step 2 the pacemaker resources are created and the VIPs
# are assigned to the nodes. We need those VIPs to be assigned
# already before setting up the IPSEC tunnels. Hence we do this
# in step 3.
- name: IPSEC configuration on step 3
when: step == '3'
block:
- include_role:
name: tripleo-ipsec

1
overcloud-resource-registry-puppet.j2.yaml

@ -234,6 +234,7 @@ resource_registry:
OS::TripleO::Services::UndercloudGnocchiStatsd: OS::Heat::None
# Services that are disabled by default (use relevant environment files):
OS::TripleO::Services::Fluentd: OS::Heat::None
OS::TripleO::Services::Ipsec: OS::Heat::None
OS::TripleO::Services::Collectd: OS::Heat::None
OS::TripleO::LoggingConfiguration: puppet/services/logging/fluentd-config.yaml
OS::TripleO::Services::ManilaApi: OS::Heat::None

1
roles/BlockStorage.yaml

@ -17,6 +17,7 @@
- OS::TripleO::Services::Collectd
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs

1
roles/CephStorage.yaml

@ -15,6 +15,7 @@
- OS::TripleO::Services::Collectd
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient

1
roles/Compute.yaml

@ -34,6 +34,7 @@
- OS::TripleO::Services::ComputeNeutronOvsAgent
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs

1
roles/ComputeHCI.yaml

@ -25,6 +25,7 @@
- OS::TripleO::Services::ComputeNeutronOvsAgent
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs

1
roles/ComputeOvsDpdk.yaml

@ -25,6 +25,7 @@
- OS::TripleO::Services::ComputeNeutronOvsDpdk
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs

1
roles/ComputeSriov.yaml

@ -25,6 +25,7 @@
- OS::TripleO::Services::ComputeNeutronOvsAgent
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs

1
roles/Controller.yaml

@ -69,6 +69,7 @@
- OS::TripleO::Services::HeatApiCfn
- OS::TripleO::Services::HeatEngine
- OS::TripleO::Services::Horizon
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::IronicApi
- OS::TripleO::Services::IronicConductor
- OS::TripleO::Services::IronicPxe

1
roles/ControllerOpenstack.yaml

@ -45,6 +45,7 @@
- OS::TripleO::Services::Ec2Api
- OS::TripleO::Services::Etcd
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::GnocchiApi
- OS::TripleO::Services::GnocchiMetricd

1
roles/Database.yaml

@ -15,6 +15,7 @@
- OS::TripleO::Services::Clustercheck
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQL

1
roles/IronicConductor.yaml

@ -12,6 +12,7 @@
- OS::TripleO::Services::Collectd
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::IronicConductor
- OS::TripleO::Services::IronicPxe
- OS::TripleO::Services::Kernel

1
roles/Messaging.yaml

@ -14,6 +14,7 @@
- OS::TripleO::Services::Collectd
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::Ntp

1
roles/Networker.yaml

@ -15,6 +15,7 @@
- OS::TripleO::Services::Collectd
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient

1
roles/ObjectStorage.yaml

@ -23,6 +23,7 @@
- OS::TripleO::Services::Collectd
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient

1
roles/Telemetry.yaml

@ -20,6 +20,7 @@
- OS::TripleO::Services::GnocchiApi
- OS::TripleO::Services::GnocchiMetricd
- OS::TripleO::Services::GnocchiStatsd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQL

5
roles_data.yaml

@ -72,6 +72,7 @@
- OS::TripleO::Services::HeatApiCfn
- OS::TripleO::Services::HeatEngine
- OS::TripleO::Services::Horizon
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::IronicApi
- OS::TripleO::Services::IronicConductor
- OS::TripleO::Services::IronicPxe
@ -186,6 +187,7 @@
- OS::TripleO::Services::ComputeNeutronOvsAgent
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
@ -230,6 +232,7 @@
- OS::TripleO::Services::Collectd
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
@ -270,6 +273,7 @@
- OS::TripleO::Services::Collectd
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
@ -303,6 +307,7 @@
- OS::TripleO::Services::Collectd
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Ipsec
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient

Loading…
Cancel
Save