cc38db4c99
This would allow external_(deploy/update/upgrade)_tasks to honor excluded nodes during deploy/update/upgrade. Depends-On: https://review.opendev.org/c/openstack/tripleo-common/+/856407 Change-Id: Ia9d3c8d0a3098191b2d8b12fc24eee4517c6c521
119 lines
3.5 KiB
YAML
119 lines
3.5 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: Enables IPSEC for the overcloud
|
|
|
|
parameters:
|
|
RoleNetIpMap:
|
|
default: {}
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
|
|
IpsecVars:
|
|
default: {}
|
|
description: Hash of ansible-tripleo-ipsec variables used to
|
|
configure IPSec tunnels.
|
|
type: json
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the IPSEC service
|
|
value:
|
|
service_name: ipsec
|
|
firewall_rules:
|
|
'100 IPSEC IKE INPUT':
|
|
dport: 500
|
|
sport: 500
|
|
proto: udp
|
|
chain: INPUT
|
|
'100 IPSEC IKE OUTPUT':
|
|
dport: 500
|
|
sport: 500
|
|
proto: udp
|
|
chain: OUTPUT
|
|
'100 IPSEC IKE NAT-Traversal INPUT':
|
|
dport: 4500
|
|
sport: 4500
|
|
proto: udp
|
|
chain: INPUT
|
|
'100 IPSEC IKE NAT-Traversal OUTPUT':
|
|
dport: 4500
|
|
sport: 4500
|
|
proto: udp
|
|
chain: OUTPUT
|
|
'100 IPSEC ESP INPUT':
|
|
proto: esp
|
|
chain: INPUT
|
|
'100 IPSEC ESP OUTPUT':
|
|
proto: esp
|
|
chain: OUTPUT
|
|
'100 IPSEC Authentication Header INPUT':
|
|
proto: ah
|
|
chain: INPUT
|
|
'100 IPSEC Authentication Header OUTPUT':
|
|
proto: ah
|
|
chain: OUTPUT
|
|
upgrade_tasks: []
|
|
external_deploy_tasks:
|
|
- name: IPSEC configuration on step 1
|
|
when: step|int == 1
|
|
block:
|
|
- name: Generate PSK
|
|
command: openssl rand -base64 48
|
|
register: generated_psk
|
|
no_log: "{{ hide_sensitive_logs | bool }}"
|
|
- name: generate ipsec global vars
|
|
set_fact:
|
|
ipsec_psk: "{{ generated_psk.stdout }}"
|
|
delegate_to: "{{item}}"
|
|
delegate_facts: true
|
|
no_log: "{{ hide_sensitive_logs | bool }}"
|
|
with_items:
|
|
- "{{ groups['ipsec'] | difference(groups['excluded_overcloud']) }}"
|
|
deploy_steps_tasks:
|
|
- name: IPSEC configuration on step 1
|
|
when: step|int == 1
|
|
block:
|
|
- include_role:
|
|
name: tripleo_ipsec
|
|
vars:
|
|
map_merge:
|
|
- ipsec_configure_vips: false
|
|
ipsec_skip_firewall_rules: false
|
|
- {get_param: IpsecVars}
|
|
# In step 2 the pacemaker resources are created and the VIPs
|
|
# are assigned to the nodes. We need those VIPs to be assigned
|
|
# already before setting up the IPSEC tunnels. Hence we do this
|
|
# in step 3.
|
|
- name: IPSEC configuration on step 3
|
|
when: step|int == 3
|
|
block:
|
|
- include_role:
|
|
name: tripleo_ipsec
|
|
vars:
|
|
map_merge:
|
|
- ipsec_configure_vips: true
|
|
ipsec_skip_firewall_rules: true
|
|
- {get_param: IpsecVars}
|