Add IPSEC composable service

This service is tied to the external_deploy_tasks (such as the k8s service); and it deploys IPSEC in the overcloud. bp ipsec Change-Id: Ie3b7af92c0ec97241de6d8badec13b9e93ee9305
2017-11-21 14:39:12 +00:00 · 2017-11-21 14:39:12 +00:00 · 898ad4f54b
parent 0524c86353
commit 898ad4f54b
19 changed files with 137 additions and 0 deletions
--- a/environments/hyperconverged-ceph.yaml
+++ b/environments/hyperconverged-ceph.yaml
@ -42,6 +42,7 @@ parameter_defaults:
    - OS::TripleO::Services::SensuClient
    - OS::TripleO::Services::SkydiveAgent
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::AuditD
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::CephOSD
--- a/environments/ipsec.yaml
+++ b/environments/ipsec.yaml
@ -0,0 +1,2 @@
 resource_registry:
  OS::TripleO::Services::Ipsec: ../extraconfig/services/ipsec.yaml
--- a/extraconfig/services/ipsec.yaml
+++ b/extraconfig/services/ipsec.yaml
@ -0,0 +1,114 @@
 heat_template_version: pike
 description: Enables IPSEC for the overcloud
 parameters:
  RoleNetIpMap:
    default: {}
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
 outputs:
  role_data:
    description: Role data for the IPSEC service
    value:
      service_name: ipsec
      config_settings:
        tripleo.ipsec.firewall_rules:
          '100 IPSEC IKE INPUT':
            dport: 500
            sport: 500
            proto: udp
            chain: INPUT
          '100 IPSEC IKE OUTPUT':
            dport: 500
            sport: 500
            proto: udp
            chain: OUTPUT
          '100 IPSEC IKE NAT-Traversal INPUT':
            dport: 4500
            sport: 4500
            proto: udp
            chain: INPUT
          '100 IPSEC IKE NAT-Traversal OUTPUT':
            dport: 4500
            sport: 4500
            proto: udp
            chain: OUTPUT
          '100 IPSEC ESP INPUT':
            proto: esp
            chain: INPUT
          '100 IPSEC ESP OUTPUT':
            proto: esp
            chain: OUTPUT
          '100 IPSEC Authentication Header INPUT':
            proto: ah
            chain: INPUT
          '100 IPSEC Authentication Header OUTPUT':
            proto: ah
            chain: OUTPUT
      upgrade_tasks: []
      step_config: ''
      external_deploy_tasks:
        - name: IPSEC configuration on step 1
          when: step == '1'
          block:
          # FIXME: Remove this once it's vailable in the undercloud
          - name: Ensure roles directory is present
            file:
              path: "{{ playbook_dir }}/roles"
              state: directory
          # FIXME: Remove this once it's vailable in the undercloud
          - name: clone tripleo-ipsec repo
            git:
              repo: https://git.openstack.org/openstack/tripleo-ipsec
              dest: "{{ playbook_dir }}/roles/tripleo-ipsec"
              update: no
          - name: Generate PSK
            command: openssl rand -base64 48
            register: generated_psk
            no_log: true
          - name: generate ipsec global vars
            set_fact:
              ipsec_psk: "{{ generated_psk.stdout }}"
              ipsec_skip_firewall_rules: true
            delegate_to: "{{item}}"
            delegate_facts: true
            no_log: true
            with_items:
            - "{{ groups.ipsec }}"
      deploy_steps_tasks:
        # In step 2 the pacemaker resources are created and the VIPs
        # are assigned to the nodes. We need those VIPs to be assigned
        # already before setting up the IPSEC tunnels. Hence we do this
        # in step 3.
        - name: IPSEC configuration on step 3
          when: step == '3'
          block:
          - include_role:
              name: tripleo-ipsec
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@ -234,6 +234,7 @@ resource_registry:
  OS::TripleO::Services::UndercloudGnocchiStatsd: OS::Heat::None
  # Services that are disabled by default (use relevant environment files):
  OS::TripleO::Services::Fluentd: OS::Heat::None
  OS::TripleO::Services::Ipsec: OS::Heat::None
  OS::TripleO::Services::Collectd: OS::Heat::None
  OS::TripleO::LoggingConfiguration: puppet/services/logging/fluentd-config.yaml
  OS::TripleO::Services::ManilaApi: OS::Heat::None
--- a/roles/BlockStorage.yaml
+++ b/roles/BlockStorage.yaml
@ -17,6 +17,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/CephStorage.yaml
+++ b/roles/CephStorage.yaml
@ -15,6 +15,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
--- a/roles/Compute.yaml
+++ b/roles/Compute.yaml
@ -34,6 +34,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/ComputeHCI.yaml
+++ b/roles/ComputeHCI.yaml
@ -25,6 +25,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/ComputeOvsDpdk.yaml
+++ b/roles/ComputeOvsDpdk.yaml
@ -25,6 +25,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsDpdk
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/ComputeSriov.yaml
+++ b/roles/ComputeSriov.yaml
@ -25,6 +25,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
--- a/roles/Controller.yaml
+++ b/roles/Controller.yaml
@ -69,6 +69,7 @@
    - OS::TripleO::Services::HeatApiCfn
    - OS::TripleO::Services::HeatEngine
    - OS::TripleO::Services::Horizon
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicApi
    - OS::TripleO::Services::IronicConductor
    - OS::TripleO::Services::IronicPxe
--- a/roles/ControllerOpenstack.yaml
+++ b/roles/ControllerOpenstack.yaml
@ -45,6 +45,7 @@
    - OS::TripleO::Services::Ec2Api
    - OS::TripleO::Services::Etcd
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::GlanceApi
    - OS::TripleO::Services::GnocchiApi
    - OS::TripleO::Services::GnocchiMetricd
--- a/roles/Database.yaml
+++ b/roles/Database.yaml
@ -15,6 +15,7 @@
    - OS::TripleO::Services::Clustercheck
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQL
--- a/roles/IronicConductor.yaml
+++ b/roles/IronicConductor.yaml
@ -12,6 +12,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicConductor
    - OS::TripleO::Services::IronicPxe
    - OS::TripleO::Services::Kernel
--- a/roles/Messaging.yaml
+++ b/roles/Messaging.yaml
@ -14,6 +14,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::Ntp
--- a/roles/Networker.yaml
+++ b/roles/Networker.yaml
@ -15,6 +15,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
--- a/roles/ObjectStorage.yaml
+++ b/roles/ObjectStorage.yaml
@ -23,6 +23,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
--- a/roles/Telemetry.yaml
+++ b/roles/Telemetry.yaml
@ -20,6 +20,7 @@
    - OS::TripleO::Services::GnocchiApi
    - OS::TripleO::Services::GnocchiMetricd
    - OS::TripleO::Services::GnocchiStatsd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Keystone
    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQL
--- a/roles_data.yaml
+++ b/roles_data.yaml
@ -72,6 +72,7 @@
    - OS::TripleO::Services::HeatApiCfn
    - OS::TripleO::Services::HeatEngine
    - OS::TripleO::Services::Horizon
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::IronicApi
    - OS::TripleO::Services::IronicConductor
    - OS::TripleO::Services::IronicPxe
@ -186,6 +187,7 @@
    - OS::TripleO::Services::ComputeNeutronOvsAgent
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
@ -230,6 +232,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
@ -270,6 +273,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
@ -303,6 +307,7 @@
    - OS::TripleO::Services::Collectd
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Ipsec
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
		`@ -0,0 +1,2 @@`
							`resource_registry:`
							`OS::TripleO::Services::Ipsec: ../extraconfig/services/ipsec.yaml`