From 5e80d4fd08070029e5ddc8a27c8f256a7c4b2aee Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Wed, 17 Jan 2018 13:36:37 +0000
Subject: [PATCH] Enable IPSEC tunnels for Redis VIP

This was missing and was the last VIP needed to protect.

Change-Id: I876f3e94c06b335c6eabe9600f5078d61d356ca8
---
 tasks/ipsec-conf.yml | 49 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/tasks/ipsec-conf.yml b/tasks/ipsec-conf.yml
index aec16d2..960af5f 100644
--- a/tasks/ipsec-conf.yml
+++ b/tasks/ipsec-conf.yml
@@ -111,3 +111,52 @@
 - inventory_hostname == groups['pacemaker'][0]
 - ipsec_setup_resource_agents|bool
 - ipsec_configure_vips|bool
+
+ - name: Filter redis VIP through current subnet
+ set_fact:
+ redis_net_filter: "{{ redis_vip|ipaddr(current_subnet) }}"
+
+ - name: Set fact to check if redis is part of this subnet
+ set_fact:
+ redis_in_subnet: "{{ redis_vip == redis_net_filter }}"
+
+ - name: Set Redis VIP fact
+ set_fact:
+ current_vip:
+ name: redis
+ ip: "{{ redis_vip }}"
+ when:
+ - redis_in_subnet|bool
+
+ - name: Write Redis VIP ipsec secrets file for the {{ network }} network
+ template:
+ src: ipsec-vip-tunnels.secrets.j2
+ dest: /etc/ipsec.d/overcloud-redis-vip-tunnels.secrets
+ mode: '0600'
+ when:
+ - redis_in_subnet|bool
+ - type != 'opportunistic'
+ - ipsec_configure_vips|bool
+ notify:
+ - Listen for IPSEC connections
+
+ - name: Write Redis VIP ipsec tunnel configuration for the {{ network }} network
+ template:
+ src: ipsec-vip-tunnels.conf.j2
+ dest: /etc/ipsec.d/overcloud-redis-vip-tunnels.conf
+ mode: '0640'
+ when:
+ - redis_in_subnet|bool
+ - type != 'opportunistic'
+ - ipsec_configure_vips|bool
+ notify:
+ - Listen for IPSEC connections
+
+ - include_tasks: resource-agent.yml
+ when:
+ - pacemaker_running
+ - type != 'opportunistic'
+ - redis_in_subnet|bool
+ - inventory_hostname == groups['pacemaker'][0]
+ - ipsec_setup_resource_agents|bool
+ - ipsec_configure_vips|bool
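Review bot: The two template tasks and the `include_tasks` each repeat `redis_in_subnet|bool`, `type != 'opportunistic'` and `ipsec_configure_vips|bool` in their own `when:` list, and the two leading `set_fact` tasks run unconditionally even when VIP configuration is disabled; grouping the tasks after the subnet check under one `block:` with a single `when:` holding those three conditions (leaving only `pacemaker_running`, `inventory_hostname == groups['pacemaker'][0]` and `ipsec_setup_resource_agents|bool` on the include) removes the duplication and makes it harder for a later edit to drop a guard from one of the file writes. If `redis_vip` can be undefined on deployments without Redis, the first `set_fact` fails the play on every host before any guard is evaluated; `redis_net_filter: "{{ redis_vip|default('')|ipaddr(current_subnet) }}"` should leave the subnet test false instead. The `dest` paths are fixed while the task names are per `{{ network }}`, so if this file is run once per network and the VIP matches more than one `current_subnet`, the later run silently overwrites the earlier tunnel and secrets files — worth a comment above the secrets task if overlapping subnets are possible. The `0600` secrets file and `0640` conf appear to follow the pattern of the other VIP tasks, which lie outside the hunk.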