Implement skipping of networks
This adds the `ipsec_skip_networks` option, which prevents the role from adding the ipsec tunnels for the networks listed in it. Change-Id: I82cf1e1e81f364eb689507da46f52ba1877e0659 Co-Authored-By: Raildo Mascena <rmascena@redhat.com>
parent
0f300190b3
commit
325d23340e
69
README.md
69
README.md
|
@ -42,6 +42,7 @@ Role Variables
|
|||
created in a previous run and replace them. Defaults to: `false`.
|
||||
* `ipsec_setup_resource_agents`: Determines whether the role should create the
|
||||
pacemaker resource agents or not. Defaults to: `true`.
|
||||
* `ipsec_skip_networks`: Determines which networks should be skipped. defaults to `[]`.
|
||||
* `ipsec_force_install_legacy`: Forces the legacy installation. Defaults to: `false`.
|
||||
* `overcloud_controller_identifier`: This identifies which nodes are
|
||||
controllers in the cluster and which aren't, and should be part of the
|
||||
|
@ -129,3 +130,71 @@ with the nodes in the overcloud. And However it comes with some inconveniences:
|
|||
|
||||
This assumes that you're deploying this playbook from the undercloud itself.
|
||||
Hence the undercloud group containing localhost.
|
||||
|
||||
Skipping networks
|
||||
=================
|
||||
|
||||
The `ipsec_skip_networks` variable allows the user to skip the tunnel setup
|
||||
for certain networks. This works by using the network name, which can vary
|
||||
depending on your type of setup.
|
||||
|
||||
Using the dynamic inventory (Queens and beyond)
|
||||
-----------------------------------------------
|
||||
|
||||
When using the dynamic inventory, the network names will be based on the names
|
||||
that are set in your `network_data.yaml` file, from tripleo-heat-templates.
|
||||
As mentioned in tripleo-heat-templates, this file will determine which networks
|
||||
you're setting up in your overall TripleO deployment, and will even specify
|
||||
which of those networks have VIPs attached to them.
|
||||
|
||||
The network names to use in the `ipsec_skip_networks` variable will be under
|
||||
the `name_lower` section of each network definition.
|
||||
|
||||
For instance, if you want to skip the storage management network, you'll see
|
||||
that the entry looks as follows:
|
||||
|
||||
```
|
||||
- name: StorageMgmt
|
||||
name_lower: storage_mgmt
|
||||
vip: true
|
||||
vlan: 40
|
||||
ip_subnet: '172.16.3.0/24'
|
||||
allocation_pools: [{'start': '172.16.3.4', 'end': '172.16.3.250'}]
|
||||
ipv6_subnet: 'fd00:fd00:fd00:4000::/64'
|
||||
ipv6_allocation_pools: [{'start': 'fd00:fd00:fd00:4000::10', 'end': 'fd00:fd00:fd00:4000:ffff:ffff:ffff:fffe'}]
|
||||
```
|
||||
|
||||
So, in this case, the variable you'll put in your ansible variables file will
|
||||
have the following entry:
|
||||
|
||||
```
|
||||
ipsec_skip_networks:
|
||||
- storage_mgmt
|
||||
```
|
||||
|
||||
You can add more networks by adding more items to that list.
|
||||
|
||||
Legacy setups
|
||||
-------------
|
||||
|
||||
If you're using a legacy setup (which would work in Newton), you'll need to
|
||||
note that the network names are hardcoded; so you'll have the following
|
||||
options available:
|
||||
|
||||
* internalapi
|
||||
* storage
|
||||
* storagemgmt
|
||||
* ctlplane
|
||||
|
||||
You can also explicitly skip creating the Redis VIP by adding the `redis` word
|
||||
to the list.
|
||||
|
||||
If you would want to skip the Storage and Storage Management networks, the
|
||||
variable you'll put in your ansible variables file will have the
|
||||
following entry:
|
||||
|
||||
```
|
||||
ipsec_skip_networks:
|
||||
- storage
|
||||
- storagemgmt
|
||||
```
|
||||
|
|
|
@ -8,3 +8,4 @@ ipsec_skip_firewall_rules: false
|
|||
ipsec_uninstall_tunnels: false
|
||||
ipsec_upgrade_tunnels: false
|
||||
use_opportunistic_ipsec: false
|
||||
ipsec_skip_networks: []
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
|
||||
- name: Set private networks fact
|
||||
set_fact:
|
||||
private_networks: "{{ enabled_networks|difference(private_or_clear_networks) }}"
|
||||
private_networks: "{{ enabled_networks|difference(private_or_clear_networks)|difference(ipsec_skip_networks) }}"
|
||||
|
||||
- name: Are we using Opportunistic IPSEC tunnels?
|
||||
set_fact:
|
||||
|
|
|
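Review bot: The new `|difference(ipsec_skip_networks)` on the `private_networks` fact silently ignores any entry that does not match an enabled network name, so a typo, or mixing the legacy `storagemgmt` spelling with the dynamic-inventory `storage_mgmt`, leaves that tunnel in place with no warning, and if the variable is set to a plain string instead of a list the set-based `difference` would presumably compare characters rather than names. An `assert` before this task would catch both: `- assert: { that: ["ipsec_skip_networks is not string", "ipsec_skip_networks | difference(enabled_networks) | length == 0"], msg: "ipsec_skip_networks must be a list of enabled network names" }`. Since every skipped network carries cleartext traffic, a `debug` task printing the final skipped set would also make the exposure visible in the run log. The enclosing task list continues outside the hunk.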
@ -6,43 +6,46 @@
|
|||
controllers: "{{ item.controllers }}"
|
||||
vips: "{{ item.vips }}"
|
||||
|
||||
- name: Write node-to-node ipsec secrets file for the {{ network }} network
|
||||
template:
|
||||
src: legacy-ipsec-node-to-node-tunnels.secrets.j2
|
||||
dest: /etc/ipsec.d/overcloud-{{ network }}-node-to-node-tunnels.secrets
|
||||
mode: '0600'
|
||||
when: controllers != []
|
||||
notify:
|
||||
- Restart ipsec
|
||||
- name: Add legacy {{network }} tunnel configuration if not in skip list
|
||||
when: network not in ipsec_skip_networks
|
||||
block:
|
||||
- name: Write node-to-node ipsec secrets file for the {{ network }} network
|
||||
template:
|
||||
src: legacy-ipsec-node-to-node-tunnels.secrets.j2
|
||||
dest: /etc/ipsec.d/overcloud-{{ network }}-node-to-node-tunnels.secrets
|
||||
mode: '0600'
|
||||
when: controllers != []
|
||||
notify:
|
||||
- Restart ipsec
|
||||
|
||||
- name: Write node-to-node ipsec tunnel configuration for the {{ network }} network
|
||||
template:
|
||||
src: legacy-ipsec-node-to-node-tunnels.conf.j2
|
||||
dest: /etc/ipsec.d/overcloud-{{ network }}-node-to-node-tunnels.conf
|
||||
mode: '0640'
|
||||
when: controllers != []
|
||||
notify:
|
||||
- Restart ipsec
|
||||
- name: Write node-to-node ipsec tunnel configuration for the {{ network }} network
|
||||
template:
|
||||
src: legacy-ipsec-node-to-node-tunnels.conf.j2
|
||||
dest: /etc/ipsec.d/overcloud-{{ network }}-node-to-node-tunnels.conf
|
||||
mode: '0640'
|
||||
when: controllers != []
|
||||
notify:
|
||||
- Restart ipsec
|
||||
|
||||
- name: Write VIP ipsec secrets file for the {{ network }} network
|
||||
template:
|
||||
src: ipsec-vip-tunnels.secrets.j2
|
||||
dest: /etc/ipsec.d/overcloud-{{ current_vip.name }}-vip-tunnels.secrets
|
||||
mode: '0600'
|
||||
with_items: "{{ vips }}"
|
||||
loop_control:
|
||||
loop_var: current_vip
|
||||
notify:
|
||||
- Restart ipsec
|
||||
- name: Write VIP ipsec secrets file for the {{ network }} network
|
||||
template:
|
||||
src: ipsec-vip-tunnels.secrets.j2
|
||||
dest: /etc/ipsec.d/overcloud-{{ current_vip.name }}-vip-tunnels.secrets
|
||||
mode: '0600'
|
||||
with_items: "{{ vips }}"
|
||||
loop_control:
|
||||
loop_var: current_vip
|
||||
notify:
|
||||
- Restart ipsec
|
||||
|
||||
- name: Write VIP ipsec tunnel configuration for the {{ network }} network
|
||||
template:
|
||||
src: ipsec-vip-tunnels.conf.j2
|
||||
dest: /etc/ipsec.d/overcloud-{{ current_vip.name }}-vip-tunnels.conf
|
||||
mode: '0640'
|
||||
with_items: "{{ vips }}"
|
||||
loop_control:
|
||||
loop_var: current_vip
|
||||
notify:
|
||||
- Restart ipsec
|
||||
- name: Write VIP ipsec tunnel configuration for the {{ network }} network
|
||||
template:
|
||||
src: ipsec-vip-tunnels.conf.j2
|
||||
dest: /etc/ipsec.d/overcloud-{{ current_vip.name }}-vip-tunnels.conf
|
||||
mode: '0640'
|
||||
with_items: "{{ vips }}"
|
||||
loop_control:
|
||||
loop_var: current_vip
|
||||
notify:
|
||||
- Restart ipsec
|
||||
|
||||
|
|
|
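Review bot: Wrapping the template tasks in `when: network not in ipsec_skip_networks` only prevents new files from being written; if a network is added to the skip list after a previous run, the existing `/etc/ipsec.d/overcloud-{{ network }}-node-to-node-tunnels.conf` and `.secrets` files stay in place and the tunnels keep loading, so the skip is not retroactive. Either state this in the README ("adding a network to `ipsec_skip_networks` does not remove tunnels created by an earlier run; use `ipsec_uninstall_tunnels` for that") or add a cleanup task for the skipped network, as sketched below, with the same treatment for the per-VIP files. Note also that the VIP files in this block are gated on the network name only, while the resource-agent tasks elsewhere are gated on `current_vip.name`, so if the `redis` VIP is listed under a non-skipped network's `vips` its tunnel config is still written even though its resource agent is skipped. The loop that defines `item`, `controllers` and `vips` starts outside the hunk.

```yaml
- name: Remove legacy {{ network }} tunnel configuration if in skip list
  when: network in ipsec_skip_networks
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /etc/ipsec.d/overcloud-{{ network }}-node-to-node-tunnels.secrets
    - /etc/ipsec.d/overcloud-{{ network }}-node-to-node-tunnels.conf
  notify:
    - Restart ipsec
# … unchanged: existing "Add legacy {{ network }} tunnel configuration if not in skip list" block …
```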
@ -11,39 +11,42 @@
|
|||
fallback_tunnel: overcloud-{{ current_vip.name }}-node-to-vip-tunnel
|
||||
specific_vip: "{{ current_vip.ip }}"
|
||||
|
||||
- name: Was the {{ resource_agent_name }} Resource Agent added already?
|
||||
command: pcs resource show {{ resource_agent_name }}
|
||||
ignore_errors: yes
|
||||
register: found_resource_agent
|
||||
changed_when: found_resource_agent|failed
|
||||
- name: Add {{ current_vip.name }} resource agent if not in skip list
|
||||
when: current_vip.name not in ipsec_skip_networks
|
||||
block:
|
||||
- name: Was the {{ resource_agent_name }} Resource Agent added already?
|
||||
command: pcs resource show {{ resource_agent_name }}
|
||||
ignore_errors: yes
|
||||
register: found_resource_agent
|
||||
changed_when: found_resource_agent|failed
|
||||
|
||||
- name: Delete {{ resource_agent_name }} Resource Agent
|
||||
command: pcs resource delete {{ resource_agent_name }}
|
||||
when:
|
||||
- resource_agent.changed
|
||||
- found_resource_agent|succeeded
|
||||
- name: Delete {{ resource_agent_name }} Resource Agent
|
||||
command: pcs resource delete {{ resource_agent_name }}
|
||||
when:
|
||||
- resource_agent.changed
|
||||
- found_resource_agent|succeeded
|
||||
|
||||
- name: Add {{ resource_agent_name }} pacemaker resource agent
|
||||
command: pcs resource create {{ resource_agent_name }} ocf:heartbeat:ipsec tunnel={{ specific_tunnel }} vip={{ specific_vip }} fallbacktunnel={{ fallback_tunnel }} --disabled
|
||||
when:
|
||||
- resource_agent.changed or found_resource_agent|failed
|
||||
- name: Add {{ resource_agent_name }} pacemaker resource agent
|
||||
command: pcs resource create {{ resource_agent_name }} ocf:heartbeat:ipsec tunnel={{ specific_tunnel }} vip={{ specific_vip }} fallbacktunnel={{ fallback_tunnel }} --disabled
|
||||
when:
|
||||
- resource_agent.changed or found_resource_agent|failed
|
||||
|
||||
- name: Add collocation rule with VIP ( {{ resource_agent_name }} )
|
||||
command: pcs constraint colocation add {{ resource_agent_name }} with ip-{{ specific_vip }}
|
||||
when:
|
||||
- resource_agent.changed or found_resource_agent|failed
|
||||
- name: Add collocation rule with VIP ( {{ resource_agent_name }} )
|
||||
command: pcs constraint colocation add {{ resource_agent_name }} with ip-{{ specific_vip }}
|
||||
when:
|
||||
- resource_agent.changed or found_resource_agent|failed
|
||||
|
||||
- name: Add ordering rule with VIP ( {{ resource_agent_name }} ) for start operation
|
||||
command: pcs constraint order start ip-{{ specific_vip }} then start {{ resource_agent_name }} symmetrical=false
|
||||
when:
|
||||
- resource_agent.changed or found_resource_agent|failed
|
||||
- name: Add ordering rule with VIP ( {{ resource_agent_name }} ) for start operation
|
||||
command: pcs constraint order start ip-{{ specific_vip }} then start {{ resource_agent_name }} symmetrical=false
|
||||
when:
|
||||
- resource_agent.changed or found_resource_agent|failed
|
||||
|
||||
- name: Add ordering rule with VIP ( {{ resource_agent_name }} ) for stop operation
|
||||
command: pcs constraint order stop ip-{{ specific_vip }} then stop {{ resource_agent_name }} symmetrical=false
|
||||
when:
|
||||
- resource_agent.changed or found_resource_agent|failed
|
||||
- name: Add ordering rule with VIP ( {{ resource_agent_name }} ) for stop operation
|
||||
command: pcs constraint order stop ip-{{ specific_vip }} then stop {{ resource_agent_name }} symmetrical=false
|
||||
when:
|
||||
- resource_agent.changed or found_resource_agent|failed
|
||||
|
||||
- name: Enable {{ resource_agent_name }} resource agent
|
||||
command: pcs resource enable {{ resource_agent_name }}
|
||||
when:
|
||||
- resource_agent.changed or found_resource_agent|failed
|
||||
- name: Enable {{ resource_agent_name }} resource agent
|
||||
command: pcs resource enable {{ resource_agent_name }}
|
||||
when:
|
||||
- resource_agent.changed or found_resource_agent|failed
|
||||
|
|
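Review bot: The gate `when: current_vip.name not in ipsec_skip_networks` keys on the VIP name, whereas the legacy tunnel files are skipped per network; for a VIP whose name differs from its network's `name_lower`, a skipped network could still get a pacemaker resource whose `tunnel=`/`fallbacktunnel=` refer to a configuration that was never written, leaving a failed resource. If the network name is in scope in this task file, extend the condition to `when: current_vip.name not in ipsec_skip_networks and network not in ipsec_skip_networks`; if it is not, the README should say that VIP names must match the network names for the skip to be complete. Also, because `in` is Jinja's membership test, a scalar string in `ipsec_skip_networks` turns this into a substring match (`'storage' in 'storagemgmt'` is true) and would skip more agents than intended, so asserting early in the role that the variable is a list would be prudent. The loop that sets `current_vip` and `resource_agent_name` starts outside the hunk.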