Puppet Class: role::ipsec

Defined in:
modules/role/manifests/ipsec.pp

Overview

Parameters:

  • hosts (Any) (defaults to: undef)


# File 'modules/role/manifests/ipsec.pp', line 1

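# @summary Configure strongswan IPsec tunnels from this host to a set of peers.
#
# Peers come either from the explicit `hosts` parameter or, for cache (cp*)
# hosts, from the cache-cluster layout in hiera. The catalog fails with an
# explicit message when neither source yields a peer list, instead of
# handing strongswan an undefined host set.
#
# @param hosts Explicit list of peer hostnames. When undef, the list is
#   derived from `cache::nodes` for cp* hosts; any other host must pass it.
class role::ipsec ($hosts = undef) {
    # The local certificate name handed to strongswan; matches the puppet cert.
    $puppet_certname = $::fqdn

    # Host IPsec/strongswan alerts are now aggregated into an "Aggregate IPsec Tunnel Status" check which is driven by prometheus
    include profile::prometheus::ipsec_exporter

    # The per-host NRPE check is superseded by the exporter above; clean it up.
    file { '/usr/local/lib/nagios/plugins/check_strongswan':
        ensure => absent,
    }

    if $hosts != undef {
        $targets = $hosts
    } else {
        # The cache-cluster ipsec associations are still manually-defined, so
        # any changes to cache cluster routing schemes beyond our present
        # plans (which only have codfw or eqiad backing other caches) must
        # make changes here to secure the traffic.
        # The current ipsec association scheme below is basically:
        #    eqiad <=> codfw
        #    eqiad+codfw <=> esams+ulsfo+eqsin

        if $::hostname =~ /^cp/ {
            $ipsec_cluster = hiera('cache::cluster')
            $cluster_nodes = hiera('cache::nodes')[$ipsec_cluster]

            case $::site {
                'esams', 'ulsfo', 'eqsin': {
                    # Edge sites peer with both core sites.
                    $targets = array_concat(
                        $cluster_nodes['eqiad'],
                        $cluster_nodes['codfw']
                    )
                }
                'codfw': {
                    $targets = array_concat(
                        $cluster_nodes['esams'],
                        $cluster_nodes['ulsfo'],
                        $cluster_nodes['eqsin'],
                        $cluster_nodes['eqiad']
                    )
                }
                'eqiad': {
                    $targets = array_concat(
                        $cluster_nodes['esams'],
                        $cluster_nodes['ulsfo'],
                        $cluster_nodes['eqsin'],
                        $cluster_nodes['codfw']
                    )
                }
                default: {
                    # A cp host in a site not covered by the scheme above would
                    # otherwise reach strongswan with no peer list; fail loudly
                    # so the traffic is not left unsecured by accident.
                    fail("role::ipsec: no IPsec association scheme defined for cache site '${::site}'")
                }
            }
        } else {
            # Non-cache hosts have no implicit peer list; require an explicit one.
            fail("role::ipsec: host '${::hostname}' is not a cache host and no 'hosts' parameter was given")
        }
    }

    # Change the MTU for all cp* servers, ignore the rest (mc*, etc)
    $mtu_value = $::hostname ? {
        /^cp/   => 1450,
        default => undef,
    }

    class { '::strongswan':
        puppet_certname => $puppet_certname,
        # Drop empty entries so a blank hiera value never becomes a bogus peer.
        hosts           => $targets.filter |$target| { $target != '' },
        mtu_hosts       => $mtu_value,
    }
}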