b253d564f7
This simplifies the ServiceNetMap/VipSubnetMap interfaces to use parameter merge strategy and removes the *Defaults interfaces. Change-Id: Ic73628a596e9051b5c02435b712643f9ef7425e3
119 lines
3.5 KiB
YAML
119 lines
3.5 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: Enables IPSEC for the overcloud
|
|
|
|
parameters:
|
|
RoleNetIpMap:
|
|
default: {}
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
|
|
IpsecVars:
|
|
default: {}
|
|
description: Hash of ansible-tripleo-ipsec variables used to
|
|
configure IPSec tunnels.
|
|
type: json
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the IPSEC service
|
|
value:
|
|
service_name: ipsec
|
|
firewall_rules:
|
|
'100 IPSEC IKE INPUT':
|
|
dport: 500
|
|
sport: 500
|
|
proto: udp
|
|
chain: INPUT
|
|
'100 IPSEC IKE OUTPUT':
|
|
dport: 500
|
|
sport: 500
|
|
proto: udp
|
|
chain: OUTPUT
|
|
'100 IPSEC IKE NAT-Traversal INPUT':
|
|
dport: 4500
|
|
sport: 4500
|
|
proto: udp
|
|
chain: INPUT
|
|
'100 IPSEC IKE NAT-Traversal OUTPUT':
|
|
dport: 4500
|
|
sport: 4500
|
|
proto: udp
|
|
chain: OUTPUT
|
|
'100 IPSEC ESP INPUT':
|
|
proto: esp
|
|
chain: INPUT
|
|
'100 IPSEC ESP OUTPUT':
|
|
proto: esp
|
|
chain: OUTPUT
|
|
'100 IPSEC Authentication Header INPUT':
|
|
proto: ah
|
|
chain: INPUT
|
|
'100 IPSEC Authentication Header OUTPUT':
|
|
proto: ah
|
|
chain: OUTPUT
|
|
upgrade_tasks: []
|
|
external_deploy_tasks:
|
|
- name: IPSEC configuration on step 1
|
|
when: step|int == 1
|
|
block:
|
|
- name: Generate PSK
|
|
command: openssl rand -base64 48
|
|
register: generated_psk
|
|
no_log: "{{ hide_sensitive_logs | bool }}"
|
|
- name: generate ipsec global vars
|
|
set_fact:
|
|
ipsec_psk: "{{ generated_psk.stdout }}"
|
|
delegate_to: "{{item}}"
|
|
delegate_facts: true
|
|
no_log: "{{ hide_sensitive_logs | bool }}"
|
|
with_items:
|
|
- "{{ groups.ipsec }}"
|
|
deploy_steps_tasks:
|
|
- name: IPSEC configuration on step 1
|
|
when: step|int == 1
|
|
block:
|
|
- include_role:
|
|
name: tripleo_ipsec
|
|
vars:
|
|
map_merge:
|
|
- ipsec_configure_vips: false
|
|
ipsec_skip_firewall_rules: false
|
|
- {get_param: IpsecVars}
|
|
# In step 2 the pacemaker resources are created and the VIPs
|
|
# are assigned to the nodes. We need those VIPs to be assigned
|
|
# already before setting up the IPSEC tunnels. Hence we do this
|
|
# in step 3.
|
|
- name: IPSEC configuration on step 3
|
|
when: step|int == 3
|
|
block:
|
|
- include_role:
|
|
name: tripleo_ipsec
|
|
vars:
|
|
map_merge:
|
|
- ipsec_configure_vips: true
|
|
ipsec_skip_firewall_rules: true
|
|
- {get_param: IpsecVars}
|