From 9d4c4bcf6b0ebd763ca72e3d6c1d2afd124fb38d Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Mon, 15 Jan 2018 11:45:46 +0000
Subject: [PATCH] Add flag to configure VIPs
This flag determines whether or not we configure the VIP tunnels. This is useful if we want to do the deployment in several passes.
Change-Id: Ib9a134648c74e5dfcbd7a8ebd2d67bda87992497
---
 README.md | 2 ++
 defaults/main.yml | 5 +++--
 tasks/init-connections.yml | 2 +-
 tasks/ipsec-conf.yml | 5 +++--
 4 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index cbe3f9d..1448854 100644
--- a/README.md
+++ b/README.md
@@ -31,6 +31,8 @@ Role Variables
 * `ipsec_algorithm`: Defines the encryption algorithm to use in the phase2alg configuration option for the tunnels. Defaults to: `aes_gcm128-null`. The possible values should be checked in libreswan's documentation.
+* `ipsec_configure_vips`: Determines whether or not the role should configure
+ the tunnels for the VIPs. Defaults to: `true`.
 * `ipsec_skip_firewall_rules`: Determines whether the role should skip or not the firewall rules. Defaults to: `false`.
 * `ipsec_uninstall_tunnels`: Determines whether the role should remove the IPSEC
diff --git a/defaults/main.yml b/defaults/main.yml
index 1daf52a..e154543 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,9 +1,10 @@
 ---
 overcloud_controller_identifier: controller
 ipsec_algorithm: 'aes_gcm128-null'
+ipsec_configure_vips: true
+ipsec_force_install_legacy: false
+ipsec_setup_resource_agents: true
 ipsec_skip_firewall_rules: false
 ipsec_uninstall_tunnels: false
-ipsec_setup_resource_agents: true
-ipsec_force_install_legacy: false
 ipsec_upgrade_tunnels: false
 use_opportunistic_ipsec: false
diff --git a/tasks/init-connections.yml b/tasks/init-connections.yml
index 1d52c7b..9de76e2 100644
--- a/tasks/init-connections.yml
+++ b/tasks/init-connections.yml
@@ -43,5 +43,5 @@
 - name: Ping {{ current_vip.name }} VIP
 command: "ping -c 5 {{ current_vip.ip }}"
- when: current_vip.ip != ''
+ when: current_vip.ip != '' and ipsec_configure_vips|bool
 ignore_errors: true
diff --git a/tasks/ipsec-conf.yml b/tasks/ipsec-conf.yml
index da301b0..aec16d2 100644
--- a/tasks/ipsec-conf.yml
+++ b/tasks/ipsec-conf.yml
@@ -90,7 +90,7 @@
 src: ipsec-vip-tunnels.secrets.j2
 dest: /etc/ipsec.d/overcloud-{{ current_vip.name }}-vip-tunnels.secrets
 mode: '0600'
- when: current_vip.ip != '' and type != 'opportunistic'
+ when: current_vip.ip != '' and type != 'opportunistic' and ipsec_configure_vips|bool
 notify:
 - Listen for IPSEC connections
@@ -99,7 +99,7 @@
 src: ipsec-vip-tunnels.conf.j2
 dest: /etc/ipsec.d/overcloud-{{ current_vip.name }}-vip-tunnels.conf
 mode: '0640'
- when: current_vip.ip != '' and type != 'opportunistic'
+ when: current_vip.ip != '' and type != 'opportunistic' and ipsec_configure_vips|bool
 notify:
 - Listen for IPSEC connections
@@ -110,3 +110,4 @@
 - current_vip.ip != ''
 - inventory_hostname == groups['pacemaker'][0]
 - ipsec_setup_resource_agents|bool
+ - ipsec_configure_vips|bool
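Review bot: The gated ping keeps `ignore_errors: true`, so in the play output a VIP that could not be reached looks the same as one that was skipped because `ipsec_configure_vips` is false. If the ping is only meant to bring the tunnel up, say so in a comment above the task, e.g. `# Best-effort: triggers the VIP tunnel; skipped when ipsec_configure_vips is false, failures are ignored`, so a green run is not read as proof that the VIP path is protected. `changed_when: false` on the task would also stop the ping from reporting a change on every run.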
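Review bot: A run with `ipsec_configure_vips: false` leaves the VIPs without any tunnel definition, and nothing in the hunks at -90, -99 and -110 tells the operator that VIP traffic is then presumably outside IPsec until a later pass re-enables the flag. A comment above the first gated task would record that, e.g. `# Skipped when ipsec_configure_vips is false: no VIP tunnel is configured until a later run enables it`. The flag also only gates creation; as far as these hunks show, `.conf` and `.secrets` files already written under `/etc/ipsec.d/` by an earlier run stay in place when it is switched to false. For readability the two long conditions at -90 and -99 could use the list form already used at -110, with `- ipsec_configure_vips | bool` as its own item. All three tasks start above their hunks.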