Since version 5.0, ansible-lint seems to have stricter requirements
about role names in meta/main.yml, and it is causing errors in CI
[1].
Also, add no-tabs to the exclusion list.
[1] - https://github.com/ansible-community/ansible-lint/issues/1400
Change-Id: I8a3d5cad047ae36af071a6c8322026339d643cea
The linters job did not run any tests at all since there was no
linters environment and the default environment only removes all pyc
files.
Add a linters environment that runs ansible-lint and syntax tests.
Remove the ansible-linters template, it's not needed anymore, the
linters jobs are enough.
The ansible-linters legacy jobs failed to detect some problems, mark
them with noqa for now.
Change-Id: Ibfa5ae179a98c57df2151cc633eb849ec8359a95
We want to default to running all tox environments under python 3, so
set the basepython value in each environment.
We do not want to specify a minor version number, because we do not
want to have to update the file every time we upgrade python.
We do not want to set the override once in testenv, because that
breaks the more specific versions used in default environments like
py35 and py36.
Change-Id: I41ac9981a07dffdfb9d322f039f0f6e01fec3632
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
This is a mechanically generated patch to complete step 1 of moving
the zuul job settings out of project-config and into each project
repository.
Because there will be a separate patch on each branch, the branch
specifiers for branch-specific jobs have been removed.
Because this patch is generated by a script, there may be some
cosmetic changes to the layout of the YAML file(s) as the contents are
normalized.
See the python3-first goal document for details:
https://governance.openstack.org/tc/goals/stein/python3-first.html
Change-Id: Ib309507e9982e34cde1de5624587d9f0605bbde3
Story: #2002586
Task: #24341
This adds the ipsec_skip_networks option which will not add the
ipsec tunnels for the specified networks.
Change-Id: I82cf1e1e81f364eb689507da46f52ba1877e0659
Co-Authored-By: Raildo Mascena <rmascena@redhat.com>
tripleo-ipsec is a project with ansible roles, also we want to follow
the same job pattern as other projects do [1], so we want to run
openstack-tox-linters to ensure a good ansible code quality.
[1] fb5208f53c
Change-Id: I12202944da10cacbb9a23dd73169addb086cde29
Previously the uninstall process would just delete the tunnels, but
the resource agents would be left lingering there. This fixes that
by enabling the removal of these.
Change-Id: I2e3cc3aac6a5e4627f6b65ccf9c9fea7f196859f
Closes-Bug: #1751262
We already have an order constraint for the start operation, apparently
we need another one for the stop operation too, as this assures that the
VIP is stopped before the tunnel is put down.
Change-Id: Ica9c2e9c0c2eb24b0f174d30a0d6af1e090768f4
Closes-Bug: #1751265
This enables the resource agent to fall back to another tunnel when the
resource agent gets a stop operation. This effectively updates the xfrm
rules if done in the right order.
Change-Id: Ifa588455b354bd81d63b4fb1698b3a2e492e6473
Related-Bug: #1751265
This takes the resource agent that's in the playbook as a priority,
allowing us to upgrade more easily.
Change-Id: Iaca0231e61ffded7ff7f3d7dc9cbd03a2b4a2dfb
Related-Bug: #1751265
Force a restart of the ipsec daemon(s) after the configuration is
persisted. This should be safe as the tunnels run in kernel-space; and
should effectively reload all the configurations.
Change-Id: I914ba8e18cd071a1dce7ebca4afb21a341cf2406
Closes-Bug: #1749703
In legacy deployments this caused the resource agents to fail being
installed because the role was trying to install it on non-pacemaker
nodes.
Change-Id: Ic841ead2132abfff4ce4c6d739d1afd0cca11ee5
Closes-Bug: #1748196
Zuul v3 currently only parses .yaml files, rename the file.
Remove the project name stanza, it is not needed and will harm with
project renames. The current automated changes will not catch this, as
this basically is a new name.
Also, remove .zuul.yaml - we don't need both files. And the noop
template is just wrong for this project since it has jobs.
Change-Id: I112711a28d9635cb9eaa6f788e1747b20596701b
This flag determines whether or not we configure the VIP tunnels.
This is useful if we want to do the deployment in several passes.
Change-Id: Ib9a134648c74e5dfcbd7a8ebd2d67bda87992497
For some reason, using IKEv2 causes issues with tunnels
that are on the same network going to different hosts.
This commit then leaves the usage of IKEv2 only for
opportunistic IPSEC configurations.
Closes-Bug: #1743693
Change-Id: Ic1b1dfa86fd9fb328a197211b114cd39ee12da3f
The restart handler was getting run in between the configuration
loop per network. This is not desirable, as we needed it to run
after all that was done. This resulted in some tunnels not being
loaded which caused errors. Thus the need to manually trigger
a restart.
Change-Id: Id464d2b57ddb74471bf4693acaa4eed5fc003c9d
Using that was prone to errors, since a temporary issue could screw
the setting up of the tunnels.
Change-Id: I87bd590313a21a34eaba1385f28cfcd524c2fb70
This prevents other services from experiencing timeouts due to the
tunnels being lazily initiated.
Change-Id: Ic21f38938e21472c42d6cf70787124f9468d46ea
This will immediately restart ipsec and attempt to listen for
connections.
In further steps we can force initialization of those connections
to avoid timeouts.
Change-Id: I89b643b563570b0defa74d9e11082806de073f40
This persists the role in /usr/share/ansible/roles/tripleo-ipsec
which should be discoverable by ansible.
Change-Id: I46c1d701a4f486cf4a2fed857c0cb9f4aa3a2f64
Only the nodes that run pacemaker (and the VIPs) should do whack
--listen. This is not something the computes should do as it will
restart the SAs.
Change-Id: Id295d18fe8caec3446f57bf9a99ccd301f8d2728
It was referencing the old playbook's role name. And for some
reason, the legacy lint job installs the job in a directory called
"workspace", which is not ideal since it's what it uses as the role
name. So instead of using the actual role name, we call the task
directly.
Note that it also fixes a trailing whitespace from the meta/mail.yml
file.
Change-Id: I89a42b72be08a1171e2c1dc7b7c0a14caad8d634
I left it in the legacy setup, expecting to do the same in the newer
one. But I didn't. So this turned out problematic.
I moved it to the main.yml file since it's an overall feature of the
role, and this way it's also explicit that it applies to both the newer
and the legacy setups.