2f3554cdcb
... and move the services into the deployment directory. The extraconfig/services directory was initially created for experimental services using an interface that was work in progress but is now stable enough, so the services can live among the others for simplification. Change-Id: I2bd0b169ed18ea2fccfea4475402dd73076924c8
124 lines
3.6 KiB
YAML
124 lines
3.6 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: Enables IPSEC for the overcloud
|
|
|
|
parameters:
|
|
RoleNetIpMap:
|
|
default: {}
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
|
|
IpsecVars:
|
|
default: {}
|
|
description: Hash of ansible-tripleo-ipsec variables used to
|
|
configure IPSec tunnels.
|
|
type: json
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the IPSEC service
|
|
value:
|
|
service_name: ipsec
|
|
config_settings:
|
|
tripleo::ipsec::firewall_rules:
|
|
'100 IPSEC IKE INPUT':
|
|
dport: 500
|
|
sport: 500
|
|
proto: udp
|
|
chain: INPUT
|
|
'100 IPSEC IKE OUTPUT':
|
|
dport: 500
|
|
sport: 500
|
|
proto: udp
|
|
chain: OUTPUT
|
|
'100 IPSEC IKE NAT-Traversal INPUT':
|
|
dport: 4500
|
|
sport: 4500
|
|
proto: udp
|
|
chain: INPUT
|
|
'100 IPSEC IKE NAT-Traversal OUTPUT':
|
|
dport: 4500
|
|
sport: 4500
|
|
proto: udp
|
|
chain: OUTPUT
|
|
'100 IPSEC ESP INPUT':
|
|
proto: esp
|
|
chain: INPUT
|
|
'100 IPSEC ESP OUTPUT':
|
|
proto: esp
|
|
chain: OUTPUT
|
|
'100 IPSEC Authentication Header INPUT':
|
|
proto: ah
|
|
chain: INPUT
|
|
'100 IPSEC Authentication Header OUTPUT':
|
|
proto: ah
|
|
chain: OUTPUT
|
|
upgrade_tasks: []
|
|
step_config: ''
|
|
external_deploy_tasks:
|
|
- name: IPSEC configuration on step 1
|
|
when: step|int == 1
|
|
block:
|
|
- name: Generate PSK
|
|
command: openssl rand -base64 48
|
|
register: generated_psk
|
|
no_log: true
|
|
- name: generate ipsec global vars
|
|
set_fact:
|
|
ipsec_psk: "{{ generated_psk.stdout }}"
|
|
delegate_to: "{{item}}"
|
|
delegate_facts: true
|
|
no_log: true
|
|
with_items:
|
|
- "{{ groups.ipsec }}"
|
|
deploy_steps_tasks:
|
|
- name: IPSEC configuration on step 1
|
|
when: step|int == 1
|
|
block:
|
|
- include_role:
|
|
name: tripleo-ipsec
|
|
vars:
|
|
map_merge:
|
|
- ipsec_configure_vips: false
|
|
ipsec_skip_firewall_rules: false
|
|
- {get_param: IpsecVars}
|
|
# In step 2 the pacemaker resources are created and the VIPs
|
|
# are assigned to the nodes. We need those VIPs to be assigned
|
|
# already before setting up the IPSEC tunnels. Hence we do this
|
|
# in step 3.
|
|
- name: IPSEC configuration on step 3
|
|
when: step|int == 3
|
|
block:
|
|
- include_role:
|
|
name: tripleo-ipsec
|
|
vars:
|
|
map_merge:
|
|
- ipsec_configure_vips: true
|
|
ipsec_skip_firewall_rules: true
|
|
- {get_param: IpsecVars}
|