Add flag to configure VIPs

This flag determines whether or not we configure the VIP tunnels. This is useful if we want to do the deployment in several passes. Change-Id: Ib9a134648c74e5dfcbd7a8ebd2d67bda87992497
2018-01-15 11:45:46 +00:00 · 2018-01-15 11:45:46 +00:00 · 9d4c4bcf6b
parent 0b10ce8e45
commit 9d4c4bcf6b
4 changed files with 9 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -31,6 +31,8 @@ Role Variables
 * `ipsec_algorithm`: Defines the encryption algorithm to use in the phase2alg
  configuration option for the tunnels. Defaults to: `aes_gcm128-null`.
  The possible values should be checked in libreswan's documentation.
+* `ipsec_configure_vips`: Determines whether or not the role should configure
+  the tunnels for the VIPs. Defaults to: `true`.
 * `ipsec_skip_firewall_rules`: Determines whether the role should skip
  or not the firewall rules. Defaults to: `false`.
 * `ipsec_uninstall_tunnels`: Determines whether the role should remove the IPSEC
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,9 +1,10 @@
 ---
 overcloud_controller_identifier: controller
 ipsec_algorithm: 'aes_gcm128-null'
+ipsec_configure_vips: true
+ipsec_force_install_legacy: false
+ipsec_setup_resource_agents: true
 ipsec_skip_firewall_rules: false
 ipsec_uninstall_tunnels: false
-ipsec_setup_resource_agents: true
-ipsec_force_install_legacy: false
 ipsec_upgrade_tunnels: false
 use_opportunistic_ipsec: false
--- a/tasks/init-connections.yml
+++ b/tasks/init-connections.yml
@ -43,5 +43,5 @@

  - name: Ping {{ current_vip.name }} VIP
    command: "ping -c 5 {{ current_vip.ip }}"
-    when: current_vip.ip != ''
+    when: current_vip.ip != '' and ipsec_configure_vips|bool
    ignore_errors: true
--- a/tasks/ipsec-conf.yml
+++ b/tasks/ipsec-conf.yml
@ -90,7 +90,7 @@
      src: ipsec-vip-tunnels.secrets.j2
      dest: /etc/ipsec.d/overcloud-{{ current_vip.name }}-vip-tunnels.secrets
      mode: '0600'
-    when: current_vip.ip != '' and type != 'opportunistic'
+    when: current_vip.ip != '' and type != 'opportunistic' and ipsec_configure_vips|bool
    notify:
    - Listen for IPSEC connections

@ -99,7 +99,7 @@
      src: ipsec-vip-tunnels.conf.j2
      dest: /etc/ipsec.d/overcloud-{{ current_vip.name }}-vip-tunnels.conf
      mode: '0640'
-    when: current_vip.ip != '' and type != 'opportunistic'
+    when: current_vip.ip != '' and type != 'opportunistic' and ipsec_configure_vips|bool
    notify:
    - Listen for IPSEC connections

@ -110,3 +110,4 @@
    - current_vip.ip != ''
    - inventory_hostname == groups['pacemaker'][0]
    - ipsec_setup_resource_agents|bool
+    - ipsec_configure_vips|bool