Add iptables_extra_allowed_groups

This adds a new variable for the iptables role that allows us to indicate all members of an ansible inventory group should have iptables rules added. It also removes the unused zuul-executor-opendev group, and some unused variables related to the snmp rule. Also, collect the generated iptables rules for debugging. Change-Id: I48746a6527848a45a4debf62fd833527cc392398 Depends-On: https://review.opendev.org/728952
2020-05-08 14:15:01 -07:00
parent 09935ff328
commit 085856e318
12 changed files with 65 additions and 365 deletions
--- a/playbooks/roles/iptables/README.rst
+++ b/playbooks/roles/iptables/README.rst
@@ -11,7 +11,26 @@ Install and configure iptables
   .. zuul:rolevar:: hostname

      The hostname to allow.  It will automatically be resolved, and
-      all IP addresses will be added to the firewall.
+      the inventory IP address will be added to the firewall.
+
+   .. zuul:rolevar:: protocol
+
+      One of "tcp" or "udp".
+
+   .. zuul:rolevar:: port
+
+      The port number.
+
+.. zuul:rolevar:: iptables_allowed_groups
+   :default: []
+
+   A list of dictionaries, each item in the list is a rule to add for
+   a host/port combination.  The format of the dictionary is:
+
+   .. zuul:rolevar:: group
+
+      The ansible inventory group to add.  Every host in the group will
+      be added to the firewall.

   .. zuul:rolevar:: protocol

--- a/playbooks/roles/iptables/templates/rules.v4.j2
+++ b/playbooks/roles/iptables/templates/rules.v4.j2
@@ -27,5 +27,12 @@
 -A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
 {% endfor -%}
 {% endfor -%}
+{% for group in iptables_allowed_groups -%}
+{% for addr in groups.get(group.group) | map('extract', hostvars, 'public_v4') -%}
+{% if addr -%}
+-A openstack-INPUT {% if group.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ group.protocol }} -p {{ group.protocol }} -s {{ addr }} --dport {{ group.port }} -j ACCEPT
+{% endif -%}
+{% endfor -%}
+{% endfor -%}
 -A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
 COMMIT
--- a/playbooks/roles/iptables/templates/rules.v6.j2
+++ b/playbooks/roles/iptables/templates/rules.v6.j2
@@ -26,5 +26,12 @@
 -A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %}-m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
 {% endfor -%}
 {% endfor -%}
+{% for group in iptables_allowed_groups -%}
+{% for addr in groups.get(group.group) | map('extract', hostvars, 'public_v6') -%}
+{% if addr -%}
+-A openstack-INPUT {% if group.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ group.protocol }} -p {{ group.protocol }} -s {{ addr }} --dport {{ group.port }} -j ACCEPT
+{% endif -%}
+{% endfor -%}
+{% endfor -%}
 -A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
 COMMIT