openstack-helm-infra/roles/deploy-env/tasks/client_cluster_tunnel.yaml
Vladimir Kozhukalov 5b1879aa09 Refactor deploy-env role
- Make it less mixed. Each task file
  deploys one feature.
- Deploy Metallb
- Deploy Openstack provider network gateway

Change-Id: I41f0353b286f817cb562b3bd59992e4baa473568
2024-03-25 14:45:00 -05:00


# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
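---
# Builds a WireGuard point-to-point tunnel between the "primary" host and
# the first k8s control-plane node so that the tunnel network, the MetalLB
# pool and the OpenStack provider network are reachable from primary.
# The whole block is skipped when primary is itself a control-plane node.
#
# Variables expected from the role (not defined here): tunnel_network_cidr,
# tunnel_cluster_cidr, tunnel_client_cidr, metallb_pool_cidr,
# openstack_provider_network_cidr.
- name: Set cluster IP
  set_fact:
    cluster_default_ip: "{{ (groups['k8s_control_plane'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']))[0] }}"

- name: Set client IP
  set_fact:
    client_default_ip: "{{ (groups['primary'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']))[0] }}"

# Only needed when primary is not one of the control-plane nodes.
- name: Setup wireguard tunnel between primary and cluster control-plane node
  when: (groups['primary'] | difference(groups['k8s_control_plane']) | length > 0)
  block:
    # umask 077 makes the private key 0600 from the moment it is created;
    # `creates` keeps the key pair stable across re-runs instead of
    # regenerating it (and invalidating the peer's copy) every time.
    - name: Generate wireguard key pair
      shell: |
        umask 077
        wg genkey | tee /root/wg-private-key | wg pubkey > /root/wg-public-key
        chmod 600 /root/wg-private-key
      args:
        creates: /root/wg-private-key
      when: (inventory_hostname in (groups['primary'] | default([]))) or (inventory_hostname in (groups['k8s_control_plane'] | default([])))

    - name: Register public wireguard key variable
      command: cat /root/wg-public-key
      register: wg_public_key
      when: (inventory_hostname in (groups['primary'] | default([]))) or (inventory_hostname in (groups['k8s_control_plane'] | default([])))

    # Each side learns the other side's public key through hostvars.
    - name: Set primary wireguard public key
      set_fact:
        client_wg_public_key: "{{ (groups['primary'] | map('extract', hostvars, ['wg_public_key', 'stdout']))[0] }}"
      when: inventory_hostname in (groups['k8s_control_plane'] | default([]))

    - name: Set cluster wireguard public key
      set_fact:
        cluster_wg_public_key: "{{ (groups['k8s_control_plane'] | map('extract', hostvars, ['wg_public_key', 'stdout']))[0] }}"
      when: inventory_hostname in (groups['primary'] | default([]))

    # Commands run directly instead of via a predictable, world-writable
    # path under /tmp.  `set -e` turns a partially configured tunnel into a
    # failed task; `replace`/existence checks make re-runs idempotent.
    # The FORWARD policy is set to ACCEPT (broad: forwards all traffic, not
    # only tunnel traffic); the interface rule was previously written for
    # "client-gw", which does not exist, so it now matches "client-wg".
    - name: Set up wireguard tunnel on cluster control-plane node
      shell: |
        set -e
        ip link show client-wg >/dev/null 2>&1 || ip link add client-wg type wireguard
        ip addr replace {{ tunnel_cluster_cidr }} dev client-wg
        wg set client-wg listen-port 51820 private-key /root/wg-private-key peer {{ client_wg_public_key }} allowed-ips {{ tunnel_network_cidr }} endpoint {{ client_default_ip }}:51820
        ip link set client-wg up
        iptables -t filter -P FORWARD ACCEPT
        iptables -t filter -C FORWARD -o client-wg -j ACCEPT 2>/dev/null || iptables -t filter -I FORWARD -o client-wg -j ACCEPT
      when: inventory_hostname in (groups['k8s_control_plane'] | default([]))

    # Primary routes the MetalLB pool and the provider network through the
    # tunnel; the next hop is the cluster end of the tunnel subnet.
    - name: Set up wireguard tunnel on primary node
      shell: |
        set -e
        ip link show client-wg >/dev/null 2>&1 || ip link add client-wg type wireguard
        ip addr replace {{ tunnel_client_cidr }} dev client-wg
        wg set client-wg listen-port 51820 private-key /root/wg-private-key peer {{ cluster_wg_public_key }} allowed-ips {{ tunnel_network_cidr }},{{ openstack_provider_network_cidr }},{{ metallb_pool_cidr }} endpoint {{ cluster_default_ip }}:51820
        ip link set client-wg up
        ip route replace {{ metallb_pool_cidr }} via {{ tunnel_cluster_cidr | ipaddr('address') }} dev client-wg
        ip route replace {{ openstack_provider_network_cidr }} via {{ tunnel_cluster_cidr | ipaddr('address') }} dev client-wg
      when: inventory_hostname in (groups['primary'] | default([]))
...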