179 Commits

Author SHA1 Message Date
Ghanshyam Mann c992826604 Retire Tripleo: remove repo content
TripleO project is retiring
- https://review.opendev.org/c/openstack/governance/+/905145

This commit removes the content of this project repo

Change-Id: I4a6e97bc88f71be3de9af767a86cdd7290e9a0c4
2024-02-24 11:43:32 -08:00
Javier Pena b5559c8c86 Fix linters
Since version 5.0, ansible-lint seems to have stricter requirements
about role names in meta/main.yml, and it is causing errors in CI
[1].

Also, add no-tabs to the exclusion list.

[1] - https://github.com/ansible-community/ansible-lint/issues/1400

Change-Id: I8a3d5cad047ae36af071a6c8322026339d643cea
2021-03-04 11:52:55 +01:00
Hervé Beraud 3e445d6add Replace deprecated UPPER_CONSTRAINTS_FILE variable
UPPER_CONSTRAINTS_FILE is deprecated and TOX_CONSTRAINTS_FILE is
the new environment variable name that replaces it [1].

This allows using the upper-constraints file in a more
readable way instead of UPPER_CONSTRAINTS_FILE=<lower-constraints file>.

[1] https://zuul-ci.org/docs/zuul-jobs/python-roles.html#rolevar-tox.tox_constraints_file
[2] https://review.opendev.org/#/c/722814/

Change-Id: I4db793853e685015ee21d3ee0a7d9ce305faa03c
2020-11-09 18:05:05 +00:00
Alex Schultz e5f5da74ca Skip ansible-lint 106
This is not in a collection so we don't need this rule.

Change-Id: Ifccba459bd19c05cd7a4a616a8d8cbbb62f1d3e2
2020-11-09 11:04:55 -07:00
Juan Antonio Osorio Robles 0c8693cecc Replace "failed" and "succeeded" filters for assertions
In Ansible 2.9 these filters are no longer available, so let's replace
them for assertions.

Change-Id: Ied08114b1e70b116740eafa59c8491fd4374e712
2020-01-23 14:41:40 +02:00
Andreas Jaeger ffe104c743 Update linting jobs
The linters job did not run any tests at all since there was no
linters environment and the default environment only removes all pyc
files.

Add a linters environment that runs ansible-lint and syntax tests.

Remove the ansible-linters template, it's not needed anymore, the
linters jobs are enough.

The ansible-linters legacy jobs failed to detect some problems, mark
them with noqa for now.

Change-Id: Ibfa5ae179a98c57df2151cc633eb849ec8359a95
2019-05-13 17:17:55 +02:00
jacky06 a052773a2f Replace git.openstack.org URLs with opendev.org URLs
Change-Id: I6d287e221ea3f2e4df051b87ed2301f7ae2df86e
Closes-Bug: #1825920
2019-04-30 13:08:30 +08:00
OpenDev Sysadmins 8c1fdabeef OpenDev Migration Patch
This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:

http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html

Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at https://opendev.org/ with any
questions you may have.
2019-04-19 19:36:01 +00:00
Juan Antonio Osorio Robles f60ad6c201 Migrate README to rst
Releasing is failing cause setup.py expects the README to be rst and not
markdown.

Change-Id: If0857c399aab24db4152cb9ef366d1a5bfaed39c
2019-02-20 16:41:45 +02:00
Juan Antonio Osorio Robles 66d5ef042a Fix ansible-lint issues
Change-Id: I47859324efb82f80a64eaa2eeb4ade32cc7b6479
2019-02-20 16:17:08 +02:00
Doug Hellmann 8b37e93e53 fix tox python3 overrides
We want to default to running all tox environments under python 3, so
set the basepython value in each environment.

We do not want to specify a minor version number, because we do not
want to have to update the file every time we upgrade python.

We do not want to set the override once in testenv, because that
breaks the more specific versions used in default environments like
py35 and py36.

Change-Id: I41ac9981a07dffdfb9d322f039f0f6e01fec3632
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
2018-09-26 19:04:31 -04:00
qingszhao d2b92346c8 import zuul job settings from project-config
This is a mechanically generated patch to complete step 1 of moving
the zuul job settings out of project-config and into each project
repository.

Because there will be a separate patch on each branch, the branch
specifiers for branch-specific jobs have been removed.

Because this patch is generated by a script, there may be some
cosmetic changes to the layout of the YAML file(s) as the contents are
normalized.

See the python3-first goal document for details:
https://governance.openstack.org/tc/goals/stein/python3-first.html

Change-Id: Ib309507e9982e34cde1de5624587d9f0605bbde3
Story: #2002586
Task: #24341
2018-08-24 04:59:47 +00:00
Juan Antonio Osorio Robles 325d23340e Implement skipping of networks
This adds the ipsec_skip_networks option which will not add the
ipsec tunnels for the specified networks.

Change-Id: I82cf1e1e81f364eb689507da46f52ba1877e0659
Co-Authored-By: Raildo Mascena <rmascena@redhat.com>
2018-04-04 13:58:14 +00:00
Raildo Mascena 0f300190b3 Update to openstack-tox-linters job
tripleo-ipsec is a project with ansible roles, also we want to follow
the same job pattern as other projects do [1], so we want to run
openstack-tox-linters to ensure a good ansible code quality.

[1] fb5208f53c

Change-Id: I12202944da10cacbb9a23dd73169addb086cde29
2018-04-04 10:47:38 -03:00
Juan Antonio Osorio Robles 7a98f669fe Add pacemaker agent removal to uninstall process
Previously the uninstall process would just delete the tunnels, but
the resource agents would be left lingering there. This fixes that
by enabling the removal of these.

Change-Id: I2e3cc3aac6a5e4627f6b65ccf9c9fea7f196859f
Closes-Bug: #1751262
2018-03-15 11:45:54 +00:00
Juan Antonio Osorio Robles 61eac5e734 Add order constraint for stop operation in resource agent
We already have an order constraint for the start operation, apparently
we need another one for the stop operation too, as this assures that the
VIP is stopped before the tunnel is put down.

Change-Id: Ica9c2e9c0c2eb24b0f174d30a0d6af1e090768f4
Closes-Bug: #1751265
2018-02-26 11:29:31 +02:00
Juan Antonio Osorio Robles e3bdcc16fc Add fallback tunnel option to resource agent
This enables the resource agent to fall back to another tunnel when the
resource agent gets a stop operation. This effectively updates the xfrm
rules if done in the right order.

Change-Id: Ifa588455b354bd81d63b4fb1698b3a2e492e6473
Related-Bug: #1751265
2018-02-26 11:29:11 +02:00
Juan Antonio Osorio Robles 26cb6895ba Force ipsec resource agent overwrite
This takes the resource agent that's in the playbook as a priority,
allowing us to upgrade easier.

Change-Id: Iaca0231e61ffded7ff7f3d7dc9cbd03a2b4a2dfb
Related-Bug: #1751265
2018-02-23 15:13:32 +02:00
Juan Antonio Osorio Robles 00e9224b7e Change DPD action policy to restart for VIP tunnels
Using hold was blocking the connection when a VIP failover happens.

Change-Id: I24d33592e525059192c3b9706aea9f337158b00a
Closes-Bug: #1749705
2018-02-15 15:25:59 +02:00
Juan Antonio Osorio Robles db0225d7b0 Force restart of ipsec in legacy setup
Force a restart of the ipsec daemon(s) after the configuration is
persisted. This should be safe as the tunnels run in kernel-space; and
should effectively reload all the configurations.

Change-Id: I914ba8e18cd071a1dce7ebca4afb21a341cf2406
Closes-Bug: #1749703
2018-02-15 15:25:55 +02:00
Juan Antonio Osorio Robles 7815cc5108 Fix pacemaker_running boolean
In legacy deployments this caused the resource agents to fail being
installed because the role was trying to install it on non-pacemaker
nodes.

Change-Id: Ic841ead2132abfff4ce4c6d739d1afd0cca11ee5
Closes-Bug: #1748196
2018-02-08 15:45:44 +02:00
Andreas Jaeger e2ca161336 Fix Zuul v3 file name
Zuul v3 currently only parses .yaml files, rename the file.

Remove the project name stanza, it is not needed and will harm with
project renames. The current automated changes will not catch this, as
this basically is a new name.

Also, remove .zuul.yaml - we don't need both files. And the noop
template is just wrong for this project since it has jobs.

Change-Id: I112711a28d9635cb9eaa6f788e1747b20596701b
2018-02-05 06:18:04 +01:00
Emilien Macchi 00df8e1adb Add missing [testenv:venv] in tox.ini
Change-Id: I694497f68ba05bf1073b3b66d808c51d39d66812
2018-01-29 19:38:00 -08:00
Juan Antonio Osorio Robles 5e80d4fd08 Enable IPSEC tunnels for Redis VIP
This was missing and was the last VIP needed to protect.

Change-Id: I876f3e94c06b335c6eabe9600f5078d61d356ca8
2018-01-17 14:25:10 +00:00
Juan Antonio Osorio Robles 9d4c4bcf6b Add flag to configure VIPs
This flag determines whether or not we configure the VIP tunnels.
This is useful if we want to do the deployment in several passes.

Change-Id: Ib9a134648c74e5dfcbd7a8ebd2d67bda87992497
2018-01-17 10:10:40 +00:00
Juan Antonio Osorio Robles 0b10ce8e45 Don't insist on IKEv2
For some reason, using IKEv2 causes issues with tunnels
that are on the same network going to different hosts.

This commit then leaves the usage of IKEv2 only for
opportunistic IPSEC configurations.

Closes-Bug: #1743693
Change-Id: Ic1b1dfa86fd9fb328a197211b114cd39ee12da3f
2018-01-17 09:04:03 +00:00
Juan Antonio Osorio Robles 3057b49c61 Ignore errors in whack listen
These are not fatal.

Change-Id: If52f454ef5db96ea4a64af5d240948fa15ea41bd
2018-01-16 14:27:30 +00:00
Juan Antonio Osorio Robles 8e68651557 Force restart IPSEC after config tasks
The restart handler was getting run in between the configuration
loop per network. This is not desirable, as we needed it to run
after all that was done. This resulted in some tunnels not being
loaded which caused errors. Thus the need to manually trigger
a restart.

Change-Id: Id464d2b57ddb74471bf4693acaa4eed5fc003c9d
2018-01-16 14:27:30 +00:00
Juan Antonio Osorio Robles 743f4ce023 Remove keyintries=1 from node-to-node template
Using that was prone to errors, since a temporary issue could screw
the setting up of the tunnels.

Change-Id: I87bd590313a21a34eaba1385f28cfcd524c2fb70
2018-01-05 16:45:04 +00:00
Juan Antonio Osorio Robles 40b2f4e049 Force IPSEC connection initiation between hosts
This prevents other services from experiencing timeouts due to the
tunnels being lazily initiated.

Change-Id: Ic21f38938e21472c42d6cf70787124f9468d46ea
2018-01-05 12:03:56 +00:00
Juan Antonio Osorio Robles 5e87cef7c5 Force flush handlers after persisting ipsec configuration
This will immediately restart ipsec and attempt to listen for
connections.

In further steps we can force initialization of those connections
to avoid timeouts.

Change-Id: I89b643b563570b0defa74d9e11082806de073f40
2018-01-05 08:16:26 +00:00
Juan Antonio Osorio Robles b5ffd14a04 Persist role in a path discoverable by ansible
This persists the role in /usr/share/ansible/roles/tripleo-ipsec
which should be discoverable by ansible.

Change-Id: I46c1d701a4f486cf4a2fed857c0cb9f4aa3a2f64
2017-12-07 08:25:01 +00:00
Juan Antonio Osorio Robles f7dd5d2c8b Update website from setup.cfg
It was still pointing to github.

Change-Id: I0bff5ed7977095fadcee522c589ad6b65707c475
2017-12-07 08:09:41 +02:00
Zuul ebea01af5b Merge "Add zuul.d directory with openstack-ansible-linter jobs" 2017-12-04 18:22:27 +00:00
Juan Antonio Osorio Robles dd26777ae4 Only do force listen on pacemaker nodes
Only the nodes that run pacemaker (and the VIPs) should do whack
--listen. This is not something the computes should do as it will
restart the SAs.

Change-Id: Id295d18fe8caec3446f57bf9a99ccd301f8d2728
2017-12-04 11:11:43 +02:00
Juan Antonio Osorio Robles 3e40bc4093 Add zuul.d directory with openstack-ansible-linter jobs
Change-Id: I20e72ec496c9aacf4856a3859fce6a503b854559
2017-12-04 09:07:32 +02:00
Zuul 34ea5a38c1 Merge "Remove unused task file" 2017-12-04 07:05:40 +00:00
Zuul 0c557fe5b2 Merge "Add gitreview file" 2017-12-04 07:05:40 +00:00
Zuul d782be965d Merge "WORKAROUND: Use include_tasks instead of calling role" 2017-12-04 07:03:28 +00:00
Juan Antonio Osorio Robles 4f412b55e5 Remove unused task file
This file was never actually used.

Change-Id: If60d518aa4382e82bb87f849a7f56c40ba1db1c0
2017-12-04 08:47:45 +02:00
Juan Antonio Osorio Robles a969b443d0 Add gitreview file
Change-Id: I6f7f1298225226b3937ac1325f8f4da81ba17109
2017-12-04 08:47:45 +02:00
Juan Antonio Osorio Robles b1c48e9364 WORKAROUND: Use include_tasks instead of calling role
It was referencing the old playbook's role name. And for some
reason, the legacy lint job installs the job in a directory called
"workspace", which is not ideal since it's what it uses as the role
name. So instead of using the actual role name, we call the task
directly.

Note that it also fixes a trailing whitespace from the meta/mail.yml
file

Change-Id: I89a42b72be08a1171e2c1dc7b7c0a14caad8d634
2017-12-04 08:47:25 +02:00
Juan Antonio Osorio Robles 6f64a500ad Listen for IPSEC connections in handler
Besides restarting IPSEC, doing whack --listen forces connections
to listen.
2017-12-01 09:53:57 +00:00
Juan Antonio Osorio Robles e30e6c05ce Remove usage of "include" in favor of include_tasks and import_tasks
"include" was deprecated and we shouldn't use it anymore.
2017-12-01 07:00:56 +00:00
Juan Antonio Osorio Robles 0b4ad4c94c Make VIP tunnels use IKEv2 2017-12-01 06:32:19 +00:00
Juan Antonio Osorio Robles 9b81b5cf85 Move firewall setup to main.yml
I left it in the legacy setup, expecting to do the same in the newer
one. But I didn't. So this turned out problematic.

I moved it to the main.yml file since it's an overall feature of the
role, and this way it's also explicit that it applies to both the newer
and the legacy setups.
2017-12-01 05:56:46 +00:00
Juan Antonio Osorio Robles 07072321ae Update PSK setup in README
The file is no longer hardcoded, so we can just pass it via the command
line while still using Ansible Vault.
2017-11-30 15:58:02 +02:00
Juan Antonio Osorio Robles 22b7da16e6 Remove trailing whitespace from README 2017-11-30 15:56:43 +02:00
Juan Antonio Osorio Robles fc188e2396 Small additions to the README file 2017-11-30 15:49:11 +02:00
Juan Antonio Osorio Robles 8a83517642 Add ansible galaxy metadata 2017-11-30 15:49:11 +02:00