diff --git a/environments/hyperconverged-ceph.yaml b/environments/hyperconverged-ceph.yaml index 077b4ca6b8..c55f9dac06 100644 --- a/environments/hyperconverged-ceph.yaml +++ b/environments/hyperconverged-ceph.yaml @@ -42,6 +42,7 @@ parameter_defaults: - OS::TripleO::Services::SensuClient - OS::TripleO::Services::SkydiveAgent - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::AuditD - OS::TripleO::Services::Collectd - OS::TripleO::Services::CephOSD diff --git a/environments/ipsec.yaml b/environments/ipsec.yaml new file mode 100644 index 0000000000..2aa17afea7 --- /dev/null +++ b/environments/ipsec.yaml @@ -0,0 +1,2 @@ +resource_registry: + OS::TripleO::Services::Ipsec: ../extraconfig/services/ipsec.yaml diff --git a/extraconfig/services/ipsec.yaml b/extraconfig/services/ipsec.yaml new file mode 100644 index 0000000000..49cfd5ec9b --- /dev/null +++ b/extraconfig/services/ipsec.yaml @@ -0,0 +1,114 @@ +heat_template_version: pike + +description: Enables IPSEC for the overcloud + +parameters: + RoleNetIpMap: + default: {} + type: json + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the IPSEC service + value: + service_name: ipsec + config_settings: + tripleo.ipsec.firewall_rules: + '100 IPSEC IKE INPUT': + dport: 500 + sport: 500 + proto: udp + chain: INPUT + '100 IPSEC IKE OUTPUT': + dport: 500 + sport: 500 + proto: udp + chain: OUTPUT + '100 IPSEC IKE NAT-Traversal INPUT': + dport: 4500 + sport: 4500 + proto: udp + chain: INPUT + '100 IPSEC IKE NAT-Traversal OUTPUT': + dport: 4500 + sport: 4500 + proto: udp + chain: OUTPUT + '100 IPSEC ESP INPUT': + proto: esp + chain: INPUT + '100 IPSEC ESP OUTPUT': + proto: esp + chain: OUTPUT + '100 IPSEC Authentication Header INPUT': + proto: ah + chain: INPUT + '100 IPSEC Authentication Header OUTPUT': + proto: ah + chain: OUTPUT + upgrade_tasks: [] + step_config: '' + external_deploy_tasks: + - name: IPSEC configuration on step 1 + when: step == '1' + block: + # FIXME: Remove this once it's vailable in the undercloud + - name: Ensure roles directory is present + file: + path: "{{ playbook_dir }}/roles" + state: directory + # FIXME: Remove this once it's vailable in the undercloud + - name: clone tripleo-ipsec repo + git: + repo: https://git.openstack.org/openstack/tripleo-ipsec + dest: "{{ playbook_dir }}/roles/tripleo-ipsec" + update: no + - name: Generate PSK + command: openssl rand -base64 48 + register: generated_psk + no_log: true + - name: generate ipsec global vars + set_fact: + ipsec_psk: "{{ generated_psk.stdout }}" + ipsec_skip_firewall_rules: true + delegate_to: "{{item}}" + delegate_facts: true + no_log: true + with_items: + - "{{ groups.ipsec }}" + deploy_steps_tasks: + # In step 2 the pacemaker resources are created and the VIPs + # are assigned to the nodes. We need those VIPs to be assigned + # already before setting up the IPSEC tunnels. Hence we do this + # in step 3. + - name: IPSEC configuration on step 3 + when: step == '3' + block: + - include_role: + name: tripleo-ipsec diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index 099ffeacaf..436122c346 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -234,6 +234,7 @@ resource_registry: OS::TripleO::Services::UndercloudGnocchiStatsd: OS::Heat::None # Services that are disabled by default (use relevant environment files): OS::TripleO::Services::Fluentd: OS::Heat::None + OS::TripleO::Services::Ipsec: OS::Heat::None OS::TripleO::Services::Collectd: OS::Heat::None OS::TripleO::LoggingConfiguration: puppet/services/logging/fluentd-config.yaml OS::TripleO::Services::ManilaApi: OS::Heat::None diff --git a/roles/BlockStorage.yaml b/roles/BlockStorage.yaml index f16bff1792..ea6dbcfa2e 100644 --- a/roles/BlockStorage.yaml +++ b/roles/BlockStorage.yaml @@ -17,6 +17,7 @@ - OS::TripleO::Services::Collectd - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Kernel - OS::TripleO::Services::LoginDefs diff --git a/roles/CephStorage.yaml b/roles/CephStorage.yaml index e7efd5f3db..adc9084714 100644 --- a/roles/CephStorage.yaml +++ b/roles/CephStorage.yaml @@ -15,6 +15,7 @@ - OS::TripleO::Services::Collectd - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::Kernel - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient diff --git a/roles/Compute.yaml b/roles/Compute.yaml index 7bcab4d6c9..2a94ee7031 100644 --- a/roles/Compute.yaml +++ b/roles/Compute.yaml @@ -34,6 +34,7 @@ - OS::TripleO::Services::ComputeNeutronOvsAgent - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Kernel - OS::TripleO::Services::LoginDefs diff --git a/roles/ComputeHCI.yaml b/roles/ComputeHCI.yaml index 3e6242cc4f..300e9b28af 100644 --- a/roles/ComputeHCI.yaml +++ b/roles/ComputeHCI.yaml @@ -25,6 +25,7 @@ - OS::TripleO::Services::ComputeNeutronOvsAgent - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Kernel - OS::TripleO::Services::LoginDefs diff --git a/roles/ComputeOvsDpdk.yaml b/roles/ComputeOvsDpdk.yaml index ff90a55b5d..001224e4b8 100644 --- a/roles/ComputeOvsDpdk.yaml +++ b/roles/ComputeOvsDpdk.yaml @@ -25,6 +25,7 @@ - OS::TripleO::Services::ComputeNeutronOvsDpdk - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Kernel - OS::TripleO::Services::LoginDefs diff --git a/roles/ComputeSriov.yaml b/roles/ComputeSriov.yaml index 1082c49bae..f42dbf8f26 100644 --- a/roles/ComputeSriov.yaml +++ b/roles/ComputeSriov.yaml @@ -25,6 +25,7 @@ - OS::TripleO::Services::ComputeNeutronOvsAgent - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Kernel - OS::TripleO::Services::LoginDefs diff --git a/roles/Controller.yaml b/roles/Controller.yaml index 590b186a56..6bd6fd5b16 100644 --- a/roles/Controller.yaml +++ b/roles/Controller.yaml @@ -69,6 +69,7 @@ - OS::TripleO::Services::HeatApiCfn - OS::TripleO::Services::HeatEngine - OS::TripleO::Services::Horizon + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::IronicApi - OS::TripleO::Services::IronicConductor - OS::TripleO::Services::IronicPxe diff --git a/roles/ControllerOpenstack.yaml b/roles/ControllerOpenstack.yaml index 1d59aee831..40bc5a7fd8 100644 --- a/roles/ControllerOpenstack.yaml +++ b/roles/ControllerOpenstack.yaml @@ -45,6 +45,7 @@ - OS::TripleO::Services::Ec2Api - OS::TripleO::Services::Etcd - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::GlanceApi - OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiMetricd diff --git a/roles/Database.yaml b/roles/Database.yaml index e890272f25..a5384474a1 100644 --- a/roles/Database.yaml +++ b/roles/Database.yaml @@ -15,6 +15,7 @@ - OS::TripleO::Services::Clustercheck - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::Kernel - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQL diff --git a/roles/IronicConductor.yaml b/roles/IronicConductor.yaml index 6463a68a63..83b6580eaf 100644 --- a/roles/IronicConductor.yaml +++ b/roles/IronicConductor.yaml @@ -12,6 +12,7 @@ - OS::TripleO::Services::Collectd - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::IronicConductor - OS::TripleO::Services::IronicPxe - OS::TripleO::Services::Kernel diff --git a/roles/Messaging.yaml b/roles/Messaging.yaml index 519d0a6c0e..455fe5faa7 100644 --- a/roles/Messaging.yaml +++ b/roles/Messaging.yaml @@ -14,6 +14,7 @@ - OS::TripleO::Services::Collectd - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::Kernel - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::Ntp diff --git a/roles/Networker.yaml b/roles/Networker.yaml index 5b129dc70a..fa324f93fe 100644 --- a/roles/Networker.yaml +++ b/roles/Networker.yaml @@ -15,6 +15,7 @@ - OS::TripleO::Services::Collectd - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::Kernel - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient diff --git a/roles/ObjectStorage.yaml b/roles/ObjectStorage.yaml index 136fe626d3..a515018442 100644 --- a/roles/ObjectStorage.yaml +++ b/roles/ObjectStorage.yaml @@ -23,6 +23,7 @@ - OS::TripleO::Services::Collectd - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::Kernel - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient diff --git a/roles/Telemetry.yaml b/roles/Telemetry.yaml index aa0284cf2b..ddd864bc81 100644 --- a/roles/Telemetry.yaml +++ b/roles/Telemetry.yaml @@ -20,6 +20,7 @@ - OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiStatsd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::Keystone - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQL diff --git a/roles_data.yaml b/roles_data.yaml index ffe6211bdc..10518140fb 100644 --- a/roles_data.yaml +++ b/roles_data.yaml @@ -72,6 +72,7 @@ - OS::TripleO::Services::HeatApiCfn - OS::TripleO::Services::HeatEngine - OS::TripleO::Services::Horizon + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::IronicApi - OS::TripleO::Services::IronicConductor - OS::TripleO::Services::IronicPxe @@ -186,6 +187,7 @@ - OS::TripleO::Services::ComputeNeutronOvsAgent - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Kernel - OS::TripleO::Services::LoginDefs @@ -230,6 +232,7 @@ - OS::TripleO::Services::Collectd - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::Iscsid - OS::TripleO::Services::Kernel - OS::TripleO::Services::LoginDefs @@ -270,6 +273,7 @@ - OS::TripleO::Services::Collectd - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::Kernel - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient @@ -303,6 +307,7 @@ - OS::TripleO::Services::Collectd - OS::TripleO::Services::Docker - OS::TripleO::Services::Fluentd + - OS::TripleO::Services::Ipsec - OS::TripleO::Services::Kernel - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::MySQLClient