This commit adds an upgrade-script to enable and configure IPsec on
multi-node systems. It is required that IPsec is enabled on systems
after all upgrade-scripts are executed to prevent any occurrence of
network instability.

This script should prepare the active controller environment and execute
the initial-auth operation on each node pending to be IPsec configured.
An ansible-playbook is executed to contact and trigger initial-auth
operation request from other nodes to IPsec server. As a result of
the execution of the playbook, IPsec is configured on nodes. If any
node is missing to be configured, the script exits w/ an exception.
Notice that mtce_heartbeat_failure is updated to its default value
only after IPsec is successfully enabled per the execution of this
ansible-playbook.

The IPsec server port is set to 64764 as 54724 may be used for k8s
services.

Test Plan:
PASS: Deploy AIO-DX system and upgrade software version from stx 8 to
      stx 9. Observe that 100-enable-ipsec-on-hosts.py script is
      executed successfully and IPsec is enabled/configured on all
      nodes. The nodes remain online on unlocked enabled available
      state.
PASS: Deploy AIO-DX system on stx 9 version and manually execute
      100-enable-ipsec-on-hosts.py script. Observe that IPsec is
      already enabled/configured on all nodes, script is successfully
      executed with no additional changes applied on system and nodes
      remain online on unlocked enabled available state.

Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/923294
Story: 2010940
Task: 50720
Change-Id: I3b3fde8f18d6c3f6d9f3ad548ff633aaabf40362
Signed-off-by: Manoel Benedito Neto <Manoel.BeneditoNeto@windriver.com>