Implement skipping of networks

This adds the ipsec_skip_networks option, which prevents the ipsec
tunnels from being added for the specified networks.

Change-Id: I82cf1e1e81f364eb689507da46f52ba1877e0659
Co-Authored-By: Raildo Mascena <rmascena@redhat.com>
Juan Antonio Osorio Robles 2018-04-04 11:27:47 +00:00
parent 0f300190b3
commit 325d23340e
5 changed files with 143 additions and 67 deletions


@ -42,6 +42,7 @@ Role Variables
created in a previous run and replace them. Defaults to: `false`.
* `ipsec_setup_resource_agents`: Determines whether the role should create the
pacemaker resource agents or not. Defaults to: `true`.
* `ipsec_skip_networks`: Determines which networks should be skipped. defaults to `[]`.
* `ipsec_force_install_legacy`: Forces the legacy installation. Defaults to: `false`.
* `overcloud_controller_identifier`: This identifies which nodes are
controllers in the cluster and which aren't, and should be part of the
@ -129,3 +130,71 @@ with the nodes in the overcloud. And However it comes with some inconveniences:
This assumes that you're deploying this playbook from the undercloud itself.
Hence the undercloud group containing localhost.
Skipping networks
=================
The `ipsec_skip_networks` variable allows the user to skip the tunnel setup
for certain networks. This works by using the network name, which can vary
depending on your type of setup.
Using the dynamic inventory (Queens and beyond)
-----------------------------------------------
When using the dynamic inventory, the network names will be based on the names
that are set in your `network_data.yaml` file, from tripleo-heat-templates.
As mentioned in tripleo-heat-templates, this file will determine which networks
you're setting up in your overall TripleO deployment, and will even specify
which of those networks have VIPs attached to them.
The network names to use in the `ipsec_skip_networks` variable will be under
the `name_lower` section of each network definition.
For instance, if you want to skip the storage management network, you'll see
that the entry looks as follows:
```
- name: StorageMgmt
name_lower: storage_mgmt
vip: true
vlan: 40
ip_subnet: '172.16.3.0/24'
allocation_pools: [{'start': '172.16.3.4', 'end': '172.16.3.250'}]
ipv6_subnet: 'fd00:fd00:fd00:4000::/64'
ipv6_allocation_pools: [{'start': 'fd00:fd00:fd00:4000::10', 'end': 'fd00:fd00:fd00:4000:ffff:ffff:ffff:fffe'}]
```
So, in this case, the variable you'll put in your ansible variables file will
have the following entry:
```
ipsec_skip_networks:
- storage_mgmt
```
You can add more networks by adding more items to that list.
Legacy setups
-------------
If you're using a legacy setup (which would work in Newton), you'll need to
note that the network names are hardcoded; so you'll have the following
options available:
* internalapi
* storage
* storagemgmt
* ctlplane
You can also explicitly skip creating the Redis VIP by adding the `redis` word
to the list.
If you would want to skip the Storage and Storage Management networks, the
variable you'll put in your ansible variables file will have the
following entry:
```
ipsec_skip_networks:
- storage
- storagemgmt
```


@ -8,3 +8,4 @@ ipsec_skip_firewall_rules: false
ipsec_uninstall_tunnels: false
ipsec_upgrade_tunnels: false
use_opportunistic_ipsec: false
ipsec_skip_networks: []


@ -6,7 +6,7 @@
- name: Set private networks fact
set_fact:
private_networks: "{{ enabled_networks|difference(private_or_clear_networks) }}"
private_networks: "{{ enabled_networks|difference(private_or_clear_networks)|difference(ipsec_skip_networks) }}"
- name: Are we using Opportunistic IPSEC tunnels?
set_fact:
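Review bot: An entry in `ipsec_skip_networks` that matches no name in `enabled_networks` is dropped silently by the `difference` filter added on the new `private_networks` line, so a misspelled network name still gets its tunnel (the safe direction) but the operator gets no feedback; the README documents different spellings for the dynamic and legacy inventories (`storage_mgmt` vs `storagemgmt`), which makes this easy to hit. A short task before the fact makes the mismatch visible: `- name: Report ipsec_skip_networks entries that match no enabled network` / `debug:` / `msg: "{{ ipsec_skip_networks|difference(enabled_networks) }}"`. An `assert` on the same expression would be stricter, if this task file is only reached with the dynamic inventory. The enclosing task list starts and continues outside the hunk.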


@ -6,43 +6,46 @@
controllers: "{{ item.controllers }}"
vips: "{{ item.vips }}"
- name: Write node-to-node ipsec secrets file for the {{ network }} network
template:
src: legacy-ipsec-node-to-node-tunnels.secrets.j2
dest: /etc/ipsec.d/overcloud-{{ network }}-node-to-node-tunnels.secrets
mode: '0600'
when: controllers != []
notify:
- Restart ipsec
- name: Add legacy {{network }} tunnel configuration if not in skip list
when: network not in ipsec_skip_networks
block:
- name: Write node-to-node ipsec secrets file for the {{ network }} network
template:
src: legacy-ipsec-node-to-node-tunnels.secrets.j2
dest: /etc/ipsec.d/overcloud-{{ network }}-node-to-node-tunnels.secrets
mode: '0600'
when: controllers != []
notify:
- Restart ipsec
- name: Write node-to-node ipsec tunnel configuration for the {{ network }} network
template:
src: legacy-ipsec-node-to-node-tunnels.conf.j2
dest: /etc/ipsec.d/overcloud-{{ network }}-node-to-node-tunnels.conf
mode: '0640'
when: controllers != []
notify:
- Restart ipsec
- name: Write node-to-node ipsec tunnel configuration for the {{ network }} network
template:
src: legacy-ipsec-node-to-node-tunnels.conf.j2
dest: /etc/ipsec.d/overcloud-{{ network }}-node-to-node-tunnels.conf
mode: '0640'
when: controllers != []
notify:
- Restart ipsec
- name: Write VIP ipsec secrets file for the {{ network }} network
template:
src: ipsec-vip-tunnels.secrets.j2
dest: /etc/ipsec.d/overcloud-{{ current_vip.name }}-vip-tunnels.secrets
mode: '0600'
with_items: "{{ vips }}"
loop_control:
loop_var: current_vip
notify:
- Restart ipsec
- name: Write VIP ipsec secrets file for the {{ network }} network
template:
src: ipsec-vip-tunnels.secrets.j2
dest: /etc/ipsec.d/overcloud-{{ current_vip.name }}-vip-tunnels.secrets
mode: '0600'
with_items: "{{ vips }}"
loop_control:
loop_var: current_vip
notify:
- Restart ipsec
- name: Write VIP ipsec tunnel configuration for the {{ network }} network
template:
src: ipsec-vip-tunnels.conf.j2
dest: /etc/ipsec.d/overcloud-{{ current_vip.name }}-vip-tunnels.conf
mode: '0640'
with_items: "{{ vips }}"
loop_control:
loop_var: current_vip
notify:
- Restart ipsec
- name: Write VIP ipsec tunnel configuration for the {{ network }} network
template:
src: ipsec-vip-tunnels.conf.j2
dest: /etc/ipsec.d/overcloud-{{ current_vip.name }}-vip-tunnels.conf
mode: '0640'
with_items: "{{ vips }}"
loop_control:
loop_var: current_vip
notify:
- Restart ipsec
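Review bot: The two VIP template tasks inside the new block (`Write VIP ipsec secrets file` and `Write VIP ipsec tunnel configuration`) are gated only by the block's `when: network not in ipsec_skip_networks`, whereas the resource-agent tasks in the last file of this commit are gated per VIP with `current_vip.name not in ipsec_skip_networks`. If `redis` is listed as the README describes, its resource agent is skipped but its VIP secrets and tunnel configuration are presumably still written here, since `redis` looks unlikely to be a value of `network`. Adding `when: current_vip.name not in ipsec_skip_networks` to both VIP tasks (next to the existing `with_items`, which makes `current_vip` available to the condition) would keep the two files consistent. Minor: the block name reads `{{network }}`; `{{ network }}` matches the other task names. The enclosing loop that supplies `network`, `controllers` and `vips` starts outside the hunk.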


@ -11,39 +11,42 @@
fallback_tunnel: overcloud-{{ current_vip.name }}-node-to-vip-tunnel
specific_vip: "{{ current_vip.ip }}"
- name: Was the {{ resource_agent_name }} Resource Agent added already?
command: pcs resource show {{ resource_agent_name }}
ignore_errors: yes
register: found_resource_agent
changed_when: found_resource_agent|failed
- name: Add {{ current_vip.name }} resource agent if not in skip list
when: current_vip.name not in ipsec_skip_networks
block:
- name: Was the {{ resource_agent_name }} Resource Agent added already?
command: pcs resource show {{ resource_agent_name }}
ignore_errors: yes
register: found_resource_agent
changed_when: found_resource_agent|failed
- name: Delete {{ resource_agent_name }} Resource Agent
command: pcs resource delete {{ resource_agent_name }}
when:
- resource_agent.changed
- found_resource_agent|succeeded
- name: Delete {{ resource_agent_name }} Resource Agent
command: pcs resource delete {{ resource_agent_name }}
when:
- resource_agent.changed
- found_resource_agent|succeeded
- name: Add {{ resource_agent_name }} pacemaker resource agent
command: pcs resource create {{ resource_agent_name }} ocf:heartbeat:ipsec tunnel={{ specific_tunnel }} vip={{ specific_vip }} fallbacktunnel={{ fallback_tunnel }} --disabled
when:
- resource_agent.changed or found_resource_agent|failed
- name: Add {{ resource_agent_name }} pacemaker resource agent
command: pcs resource create {{ resource_agent_name }} ocf:heartbeat:ipsec tunnel={{ specific_tunnel }} vip={{ specific_vip }} fallbacktunnel={{ fallback_tunnel }} --disabled
when:
- resource_agent.changed or found_resource_agent|failed
- name: Add collocation rule with VIP ( {{ resource_agent_name }} )
command: pcs constraint colocation add {{ resource_agent_name }} with ip-{{ specific_vip }}
when:
- resource_agent.changed or found_resource_agent|failed
- name: Add collocation rule with VIP ( {{ resource_agent_name }} )
command: pcs constraint colocation add {{ resource_agent_name }} with ip-{{ specific_vip }}
when:
- resource_agent.changed or found_resource_agent|failed
- name: Add ordering rule with VIP ( {{ resource_agent_name }} ) for start operation
command: pcs constraint order start ip-{{ specific_vip }} then start {{ resource_agent_name }} symmetrical=false
when:
- resource_agent.changed or found_resource_agent|failed
- name: Add ordering rule with VIP ( {{ resource_agent_name }} ) for start operation
command: pcs constraint order start ip-{{ specific_vip }} then start {{ resource_agent_name }} symmetrical=false
when:
- resource_agent.changed or found_resource_agent|failed
- name: Add ordering rule with VIP ( {{ resource_agent_name }} ) for stop operation
command: pcs constraint order stop ip-{{ specific_vip }} then stop {{ resource_agent_name }} symmetrical=false
when:
- resource_agent.changed or found_resource_agent|failed
- name: Add ordering rule with VIP ( {{ resource_agent_name }} ) for stop operation
command: pcs constraint order stop ip-{{ specific_vip }} then stop {{ resource_agent_name }} symmetrical=false
when:
- resource_agent.changed or found_resource_agent|failed
- name: Enable {{ resource_agent_name }} resource agent
command: pcs resource enable {{ resource_agent_name }}
when:
- resource_agent.changed or found_resource_agent|failed
- name: Enable {{ resource_agent_name }} resource agent
command: pcs resource enable {{ resource_agent_name }}
when:
- resource_agent.changed or found_resource_agent|failed
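Review bot: The new `when: current_vip.name not in ipsec_skip_networks` wraps the whole block, including the `Delete {{ resource_agent_name }} Resource Agent` task, so a VIP that was set up by an earlier run and is then added to the skip list keeps its pacemaker resource and constraints; the option only prevents creation, as the commit message says, but nothing in the task file records that. A comment above the block would save the next reader from expecting a removal: `# Skipping a VIP only prevents its resource agent from being created; one left over from an earlier run is not removed here.` Style: `ignore_errors: yes` is a YAML 1.1 truthy spelling, and `ignore_errors: true` is the canonical form. The enclosing loop over VIPs starts outside the hunk.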