Add Opportunistic IPSEC tunnels to use with dynamic inventory

This adds the alternative that, when the dynamic inventory is used,
opportunistic IPSEC tunnels will be created.

Currently, it works with no authentication and sets up private-or-clear
policies; but this will change soon.

tasks/inventory-network-discover.yml

@@ -0,0 +1,34 @@
+---
+#
+# This gets the network related information of the nodes from variables provided by
+# the dynamic inventory.
+
+- name: Set the networks IPs facts
+  set_fact:
+    networks:
+      - name: internalapi
+        current_ip: "{{current_internalapi_ip_register.stdout}}"
+        controllers: "{{internalapi_controllers_register.stdout_lines}}"
+        vips:
+          - name: internalapi
+            ip: "{{internalapi_vip_register.stdout}}"
+          - name: redis
+            ip: "{{redis_vip_register.stdout}}"
+      - name: storage
+        current_ip: "{{current_storage_ip_register.stdout}}"
+        controllers: "{{storage_controllers_register.stdout_lines}}"
+        vips:
+          - name: storage
+            ip: "{{storage_vip_register.stdout}}"
+      - name: storagemgmt
+        current_ip: "{{current_storagemgmt_ip_register.stdout}}"
+        controllers: "{{storagemgmt_controllers_register.stdout_lines}}"
+        vips:
+          - name: storagemgmt
+            ip: "{{storagemgmt_vip_register.stdout}}"
+      - name: ctlplane
+        current_ip: "{{current_ctlplane_ip_register.stdout}}"
+        controllers: []
+        vips:
+          - name: ctlplane
+            ip: "{{ctlplane_vip_register.stdout}}"

tasks/legacy-ipsec-conf.yml

@@ -8,7 +8,7 @@
 
 - name: Write node-to-node ipsec secrets file for the {{ network }} network
   template:
-    src: ipsec-node-to-node-tunnels.secrets.j2
+    src: legacy-ipsec-node-to-node-tunnels.secrets.j2
     dest: /etc/ipsec.d/overcloud-{{ network }}-node-to-node-tunnels.secrets
     mode: '0600'
   when: controllers != []
@@ -17,7 +17,7 @@
 
 - name: Write node-to-node ipsec tunnel configuration for the {{ network }} network
   template:
-    src: ipsec-node-to-node-tunnels.conf.j2
+    src: legacy-ipsec-node-to-node-tunnels.conf.j2
     dest: /etc/ipsec.d/overcloud-{{ network }}-node-to-node-tunnels.conf
     mode: '0640'
   when: controllers != []

tasks/legacy.yml

@@ -0,0 +1,67 @@
+---
+# This contains the "legacy" code for setting up IPSEC tunnels before
+# IPSEC 3.20
+
+- name: Check for PSK variable
+  fail:
+    msg: Please provide the PSK key via the 'ipsec_psk' variable
+  when: ipsec_psk is not defined
+
+# This gets the network information, which should come in a structure
+# with the following format:
+#
+#   networks:
+#     - name: <Network name>
+#       current_ip: <The IP of this node for this network>
+#       controllers: <The IPs for this network for the rest of the controllers>
+#       vips:
+#         - name: <Name of the VIP for this network>
+#           ip: <Actual VIP>
+#         - name: <Another name of the VIP for this network>
+#           ip: <Another actual VIP>
+- include: hardcoded-network-discover.yml
+
+- name: Get pacemaker status
+  systemd:
+    name: pacemaker
+  register: pacemaker_status
+
+- name: Determine if pacemaker is running
+  set_fact:
+    pacemaker_running: pacemaker_status.status.ActiveState == 'active'
+
+# This returns the hostname (short) of the node hosting the VIP
+- name: Determine which node is hosting the VIP
+  shell: pcs status | grep ip- | sed 's/ip-//' | awk '{print $1"\t"$4}' | grep "{{ networks[0]['vips'][0]['ip'] }}" | awk '{print $2}'
+  register: node_hosting_the_vip
+  when: pacemaker_running
+
+- name: Add uniqueids = no to ipsec setup configuration
+  lineinfile:
+    dest: /etc/ipsec.conf
+    regexp: '^\s+uniqueids'
+    insertafter: '^config setup'
+    line: "\tuniqueids=no"
+  notify:
+  - Restart ipsec
+
+- include: legacy-ipsec-conf.yml
+  with_items: "{{ networks }}"
+
+- include: firewall.yml
+  when: not ipsec_skip_firewall_rules
+
+- meta: flush_handlers
+
+# Permissions gotten from http://www.linux-ha.org/doc/dev-guides/_installing_and_packaging_resource_agents.html
+- name: Install TripleO IPSEC resource agent
+  copy:
+    src: ipsec-resource-agent.sh
+    dest: /usr/lib/ocf/resource.d/heartbeat/ipsec
+    mode: '0755'
+  register: resource_agent
+
+# This queries the VIPs for all networks and flattens them into a list
+# that contains a dict with the "name" and "ip" for each VIP entry.
+- include: resource-agent.yml
+  with_items: "{{ networks|default([])|json_query('[*].vips[]')|list }}"

tasks/main.yml

@@ -3,69 +3,11 @@
   block:
   - include: setup.yml
 
-  - name: Check for PSK variable
-    fail:
-      msg: Please provide the PSK key via the 'ipsec_psk' variable
-    when: ipsec_psk is not defined
+  - include: legacy.yml
+    when: enabled_networks is not defined
 
-  # This gets the network information, which should come in a structure
-  # with the following format:
-  #
-  #   networks:
-  #     - name: <Network name>
-  #       current_ip: <The IP of this node for this network>
-  #       controllers: <The IPs for this network for the rest of the controllers>
-  #       vips:
-  #         - name: <Name of the VIP for this network>
-  #           ip: <Actual VIP>
-  #         - name: <Another name of the VIP for this network>
-  #           ip: <Another actual VIP>
-  - include: hardcoded-network-discover.yml
-
-  - name: Get pacemaker status
-    systemd:
-      name: pacemaker
-    register: pacemaker_status
-
-  - name: Determine if pacemaker is running
-    set_fact:
-      pacemaker_running: pacemaker_status.status.ActiveState == 'active'
-
-  # This returns the hostname (short) of the node hosting the VIP
-  - name: Determine which node is hosting the VIP
-    shell: pcs status | grep ip- | sed 's/ip-//' | awk '{print $1"\t"$4}' | grep "{{ networks[0]['vips'][0]['ip'] }}" | awk '{print $2}'
-    register: node_hosting_the_vip
-    when: pacemaker_running
-
-  - name: Add uniqueids = no to ipsec setup configuration
-    lineinfile:
-      dest: /etc/ipsec.conf
-      regexp: '^\s+uniqueids'
-      insertafter: '^config setup'
-      line: "\tuniqueids=no"
-    notify:
-    - Restart ipsec
-
-  - include: ipsec-conf.yml
-    with_items: "{{ networks }}"
-
-  - include: firewall.yml
-    when: not ipsec_skip_firewall_rules
-
-  - meta: flush_handlers
-
-  # Permissions gotten from http://www.linux-ha.org/doc/dev-guides/_installing_and_packaging_resource_agents.html
-  - name: Install TripleO IPSEC resource agent
-    copy:
-      src: ipsec-resource-agent.sh
-      dest: /usr/lib/ocf/resource.d/heartbeat/ipsec
-      mode: '0755'
-    register: resource_agent
-
-  # This queries the VIPs for all networks and flattens them into a list
-  # that contains a dict with the "name" and "ip" for each VIP entry.
-  - include: resource-agent.yml
-    with_items: "{{ networks|default([])|json_query('[*].vips[]')|list }}"
+  - include: opportunistic-ipsec.yml
+    when: enabled_networks is defined
 
 - when: ipsec_uninstall_tunnels|bool
   block:

tasks/opportunistic-ipsec-conf.yml

@@ -0,0 +1,45 @@
+---
+- name: Set network name fact
+  set_fact:
+    network: "{{ item }}"
+    ip_var_key: "{{ item + '_ip' }}"
+
+- name: Set current IP fact
+  set_fact:
+    current_ip: "{{ hostvars[inventory_hostname][ip_var_key] }}"
+
+- name: Set other IPs fact
+  set_fact:
+    other_ips: "{{ hostvars|json_query(other_ips_query)|difference([current_ip]) }}"
+  vars:
+    other_ips_query: '*.{{ ip_var_key }}'
+
+- name: Set IP with prefix register
+  shell: "ip addr show | grep {{ current_ip }} | awk '{print $2}'"
+  register:
+    ip_with_prefix_register
+
+- name: Set net CIDR fact
+  set_fact:
+    current_net: "{{ ip_with_prefix_register.stdout | ipaddr('network') }}"
+    current_prefix: "{{ ip_with_prefix_register.stdout | ipaddr('prefix') }}"
+
+- name: Write ipsec tunnel configuration for the {{ network }} network
+  template:
+    src: ipsec-opportunistic-private.conf.j2
+    dest: /etc/ipsec.d/overcloud-{{ network }}-opportunistic-private-tunnels.conf
+    mode: '0640'
+  when: other_ips != []
+  notify:
+  - Restart ipsec
+
+- name: Write ipsec tunnel policy for the {{ network }} network
+  template:
+    src: policy.j2
+    dest: /etc/ipsec.d/policies/overcloud-private-{{ network }}-ip
+    mode: '0640'
+  vars:
+    net_with_prefix: "{{ current_net + '/' + current_prefix }}"
+  when: other_ips != []
+  notify:
+  - Restart ipsec

tasks/opportunistic-ipsec.yml

@@ -0,0 +1,11 @@
+---
+- name: Set private-or-clear networks fact
+  set_fact:
+    private_or_clear_networks: ["ctlplane"]
+
+- name: Set private networks fact
+  set_fact:
+    private_networks: "{{ enabled_networks|difference(private_or_clear_networks) }}"
+
+- include: opportunistic-ipsec-conf.yml
+  with_items: "{{ private_networks }}"

templates/ipsec-opportunistic-private.conf.j2

@@ -0,0 +1,40 @@
+# Generated by Ansible.
+# This contains the Opportunistic IPSEC configuration from this node's
+# in the {{ network }} to every other node.
+conn overcloud-private-{{ network }}-ip
+        type=tunnel
+        authby=null
+        leftid=%null
+        rightid=%null
+        left={{ current_ip }}
+        right=%opportunisticgroup
+        negotiationshunt=passthrough
+        failureshunt=passthrough
+        ikev2=insist
+        auto=start
+        keyingtries=1
+        retransmit-timeout=2s
+        # To support being behind NAT
+        leftmodecfgclient=yes
+        leftcat=yes
+        narrowing=yes
+{% for other_ip in other_ips %}
+
+conn overcloud-{{ network }}-node-to-node
+        type=tunnel
+        authby=null
+        leftid=%null
+        rightid=%null
+        left={{ current_ip }}
+        right={{ other_ip }}
+        negotiationshunt=passthrough
+        failureshunt=passthrough
+        ikev2=insist
+        auto=start
+        keyingtries=1
+        retransmit-timeout=2s
+        # To support being behind NAT
+        leftmodecfgclient=yes
+        leftcat=yes
+        narrowing=yes
+{% endfor %}

templates/policy.j2

@@ -0,0 +1,3 @@
+# Generated by Ansible
+# This contains the policy file for the {{ network }} tunnel
+{{ net_with_prefix }}