114 lines
3.7 KiB
YAML
114 lines
3.7 KiB
YAML
---
|
|
# NOTE: This is only here because we currently don't have pluggable auth.
|
|
- name: Check for PSK variable
|
|
fail:
|
|
msg: Please provide the PSK key via the 'ipsec_psk' variable
|
|
when: ipsec_psk is not defined
|
|
|
|
- name: Set network name fact
|
|
set_fact:
|
|
network: "{{ item }}"
|
|
|
|
- name: Set IP/VIP variable key facts
|
|
set_fact:
|
|
ip_var_key: "{{ item + '_ip' }}"
|
|
vip_var_key: "{{ item + '_vip' }}"
|
|
|
|
- name: Set current IP fact
|
|
set_fact:
|
|
current_ip: "{{ hostvars[inventory_hostname][ip_var_key] }}"
|
|
|
|
# This effectively skips the configuration if we're in a network that's
|
|
# not actually enabled. We can notice that if the IP has fallen back to
|
|
# the control plane's IP.
|
|
- when: current_ip != ctlplane_ip or network == 'ctlplane'
|
|
block:
|
|
- name: Set IP with prefix register
|
|
shell: "ip addr show | grep {{ current_ip }} | awk '{print $2}'"
|
|
register:
|
|
ip_with_prefix_register
|
|
|
|
- name: Set net CIDR fact
|
|
set_fact:
|
|
current_subnet: "{{ ip_with_prefix_register.stdout | ipaddr('subnet') }}"
|
|
|
|
# Gets the IPs for the other nodes in the network. It skips the current IP and
|
|
# also skips the nodes that are not in the subnet (which fall back to the
|
|
# ctlplane network by default).
|
|
- name: Set other IPs fact
|
|
set_fact:
|
|
other_ips: "{{ hostvars|json_query(other_ips_query)|difference([current_ip])|ipaddr(current_subnet) }}"
|
|
vars:
|
|
other_ips_query: '*.{{ ip_var_key }}'
|
|
|
|
- name: Set VIP fact
|
|
set_fact:
|
|
current_vip:
|
|
name: "{{ network }}"
|
|
ip: "{{ hostvars[inventory_hostname][vip_var_key]|default('') }}"
|
|
|
|
- name: Remove {{ network}} from virtual-private setting in ipsec setup configuration
|
|
replace:
|
|
path: /etc/ipsec.conf
|
|
regexp: '(^\s+.*)%v4:{{ current_subnet|regex_replace("\.", "\.") }},(.*)$'
|
|
replace: '\1\2'
|
|
backup: yes
|
|
notify:
|
|
- Listen for IPSEC connections
|
|
|
|
- name: Write ipsec tunnel policy for the {{ network }} network
|
|
template:
|
|
src: policy.j2
|
|
dest: /etc/ipsec.d/policies/overcloud-{{ policy }}-{{ network }}-ip
|
|
mode: '0640'
|
|
when:
|
|
- other_ips != []
|
|
- type == 'opportunistic'
|
|
notify:
|
|
- Listen for IPSEC connections
|
|
|
|
- name: Write ipsec tunnel secrets for the {{ network }} network
|
|
template:
|
|
src: ipsec-{{ type }}-tunnels.secrets.j2
|
|
dest: /etc/ipsec.d/overcloud-{{ network }}-{{ type }}-tunnels.secrets
|
|
mode: '0600'
|
|
when:
|
|
- other_ips != []
|
|
- type != 'opportunistic'
|
|
notify:
|
|
- Listen for IPSEC connections
|
|
|
|
- name: Write ipsec tunnel configuration for the {{ network }} network
|
|
template:
|
|
src: ipsec-{{ type }}-{{ policy }}.conf.j2
|
|
dest: /etc/ipsec.d/overcloud-{{ network }}-{{ type }}-{{ policy }}-tunnels.conf
|
|
mode: '0640'
|
|
when: other_ips != []
|
|
|
|
- name: Write VIP ipsec secrets file for the {{ network }} network
|
|
template:
|
|
src: ipsec-vip-tunnels.secrets.j2
|
|
dest: /etc/ipsec.d/overcloud-{{ current_vip.name }}-vip-tunnels.secrets
|
|
mode: '0600'
|
|
when: current_vip.ip != '' and type != 'opportunistic' and ipsec_configure_vips|bool
|
|
notify:
|
|
- Listen for IPSEC connections
|
|
|
|
- name: Write VIP ipsec tunnel configuration for the {{ network }} network
|
|
template:
|
|
src: ipsec-vip-tunnels.conf.j2
|
|
dest: /etc/ipsec.d/overcloud-{{ current_vip.name }}-vip-tunnels.conf
|
|
mode: '0640'
|
|
when: current_vip.ip != '' and type != 'opportunistic' and ipsec_configure_vips|bool
|
|
notify:
|
|
- Listen for IPSEC connections
|
|
|
|
- include_tasks: resource-agent.yml
|
|
when:
|
|
- pacemaker_running
|
|
- type != 'opportunistic'
|
|
- current_vip.ip != ''
|
|
- inventory_hostname == groups['pacemaker'][0]
|
|
- ipsec_setup_resource_agents|bool
|
|
- ipsec_configure_vips|bool
|