fb0e8f62fc
With the upgrade to puppet 5, we can no longer use dots in the hieradata key lookups. This change updates the THT for firewall_rules, haproxy_endpoints and haproxy_userlists to use the colon notation. Change-Id: I6f67153e04aed191acb715fe8cfa976ee2e75878 Related-Bug: #1803024
124 lines
3.6 KiB
YAML
124 lines
3.6 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: Enables IPSEC for the overcloud
|
|
|
|
parameters:
|
|
RoleNetIpMap:
|
|
default: {}
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
|
|
IpsecVars:
|
|
default: {}
|
|
description: Hash of ansible-tripleo-ipsec variables used to
|
|
configure IPSec tunnels.
|
|
type: json
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the IPSEC service
|
|
value:
|
|
service_name: ipsec
|
|
config_settings:
|
|
tripleo::ipsec::firewall_rules:
|
|
'100 IPSEC IKE INPUT':
|
|
dport: 500
|
|
sport: 500
|
|
proto: udp
|
|
chain: INPUT
|
|
'100 IPSEC IKE OUTPUT':
|
|
dport: 500
|
|
sport: 500
|
|
proto: udp
|
|
chain: OUTPUT
|
|
'100 IPSEC IKE NAT-Traversal INPUT':
|
|
dport: 4500
|
|
sport: 4500
|
|
proto: udp
|
|
chain: INPUT
|
|
'100 IPSEC IKE NAT-Traversal OUTPUT':
|
|
dport: 4500
|
|
sport: 4500
|
|
proto: udp
|
|
chain: OUTPUT
|
|
'100 IPSEC ESP INPUT':
|
|
proto: esp
|
|
chain: INPUT
|
|
'100 IPSEC ESP OUTPUT':
|
|
proto: esp
|
|
chain: OUTPUT
|
|
'100 IPSEC Authentication Header INPUT':
|
|
proto: ah
|
|
chain: INPUT
|
|
'100 IPSEC Authentication Header OUTPUT':
|
|
proto: ah
|
|
chain: OUTPUT
|
|
upgrade_tasks: []
|
|
step_config: ''
|
|
external_deploy_tasks:
|
|
- name: IPSEC configuration on step 1
|
|
when: step == '1'
|
|
block:
|
|
- name: Generate PSK
|
|
command: openssl rand -base64 48
|
|
register: generated_psk
|
|
no_log: true
|
|
- name: generate ipsec global vars
|
|
set_fact:
|
|
ipsec_psk: "{{ generated_psk.stdout }}"
|
|
delegate_to: "{{item}}"
|
|
delegate_facts: true
|
|
no_log: true
|
|
with_items:
|
|
- "{{ groups.ipsec }}"
|
|
deploy_steps_tasks:
|
|
- name: IPSEC configuration on step 1
|
|
when: step == '1'
|
|
block:
|
|
- include_role:
|
|
name: tripleo-ipsec
|
|
vars:
|
|
map_merge:
|
|
- ipsec_configure_vips: false
|
|
ipsec_skip_firewall_rules: false
|
|
- {get_param: IpsecVars}
|
|
# In step 2 the pacemaker resources are created and the VIPs
|
|
# are assigned to the nodes. We need those VIPs to be assigned
|
|
# already before setting up the IPSEC tunnels. Hence we do this
|
|
# in step 3.
|
|
- name: IPSEC configuration on step 3
|
|
when: step == '3'
|
|
block:
|
|
- include_role:
|
|
name: tripleo-ipsec
|
|
vars:
|
|
map_merge:
|
|
- ipsec_configure_vips: true
|
|
ipsec_skip_firewall_rules: true
|
|
- {get_param: IpsecVars}
|