diff --git a/heat/engine/resources/openstack/octavia/listener.py b/heat/engine/resources/openstack/octavia/listener.py
index c001caa73b..ae3d00bdd3 100644
--- a/heat/engine/resources/openstack/octavia/listener.py
+++ b/heat/engine/resources/openstack/octavia/listener.py
@@ -17,6 +17,7 @@ from heat.engine import attributes
 from heat.engine import constraints
 from heat.engine import properties
 from heat.engine.resources.openstack.octavia import octavia_base
+from heat.engine import support
 from heat.engine import translation
@@ -30,11 +31,11 @@ class Listener(octavia_base.OctaviaBase):
 PROPERTIES = ( PROTOCOL_PORT, PROTOCOL, LOADBALANCER, DEFAULT_POOL, NAME, ADMIN_STATE_UP, DESCRIPTION, DEFAULT_TLS_CONTAINER_REF,
- SNI_CONTAINER_REFS, CONNECTION_LIMIT, TENANT_ID
+ SNI_CONTAINER_REFS, CONNECTION_LIMIT, TENANT_ID, ALLOWED_CIDRS
 ) = ( 'protocol_port', 'protocol', 'loadbalancer', 'default_pool', 'name', 'admin_state_up', 'description', 'default_tls_container_ref',
- 'sni_container_refs', 'connection_limit', 'tenant_id'
+ 'sni_container_refs', 'connection_limit', 'tenant_id', 'allowed_cidrs'
 )
 SUPPORTED_PROTOCOLS = (TCP, HTTP, HTTPS, TERMINATED_HTTPS, PROXY, UDP) = (
@@ -121,6 +122,20 @@ class Listener(octavia_base.OctaviaBase):
 properties.Schema.STRING, _('The ID of the tenant who owns the listener.') ),
+ ALLOWED_CIDRS: properties.Schema(
+ properties.Schema.LIST,
+ _('A list of IPv4, IPv6 or mix of both CIDRs. The default is all '
+ 'allowed. When a list of CIDRs is provided, the default '
+ 'switches to deny all.'),
+ update_allowed=True,
+ schema=properties.Schema(
+ properties.Schema.STRING,
+ constraints=[
+ constraints.CustomConstraint('net_cidr')
+ ]
+ ),
+ support_status=support.SupportStatus(version='14.0.0'),
+ )
 }
 attributes_schema = {
diff --git a/heat/tests/openstack/octavia/inline_templates.py b/heat/tests/openstack/octavia/inline_templates.py
index a2b99748f7..c6453bd1d9 100644
--- a/heat/tests/openstack/octavia/inline_templates.py
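Review bot: The `allowed_cidrs` help text in the `@@ -121,6 +122,20 @@` hunk of listener.py does not say what a stack update does when the property is removed or set to an empty list, which is the case an operator most needs spelled out for a source-address allow-list. With `update_allowed=True` and a stated default of allow-all, dropping the property from a template presumably reopens the listener to every source; once that is confirmed against the update path (outside this hunk) I would append `'Removing the property or passing an empty list on update restores allow-all.'` to the description. The release note says the property exists in Octavia only since Train, yet nothing visible here gates on the API version, so it is worth confirming that an older Octavia rejects the field rather than ignoring it and leaving the listener unrestricted. The `properties_schema` dict and the class body start before this hunk.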
+++ b/heat/tests/openstack/octavia/inline_templates.py
@@ -48,6 +48,9 @@ resources:
 - ref2
 connection_limit: -1
 tenant_id: 1234
+ allowed_cidrs:
+ - 10.10.0.0/16
+ - 192.168.0.0/16
 '''
 POOL_TEMPLATE = '''
diff --git a/heat/tests/openstack/octavia/test_listener.py b/heat/tests/openstack/octavia/test_listener.py
index e4ddc85c76..a126ec98a4 100644
--- a/heat/tests/openstack/octavia/test_listener.py
+++ b/heat/tests/openstack/octavia/test_listener.py
@@ -75,6 +75,7 @@ class ListenerTest(common.HeatTestCase):
 'sni_container_refs': ['ref1', 'ref2'], 'connection_limit': -1, 'tenant_id': '1234',
+ 'allowed_cidrs': ['10.10.0.0/16', '192.168.0.0/16']
 } }
diff --git a/releasenotes/notes/support-allowed-cidrs-for-octavia-listener-d563a759d34da8b0.yaml b/releasenotes/notes/support-allowed-cidrs-for-octavia-listener-d563a759d34da8b0.yaml
new file mode 100644
index 0000000000..f115bb3511
--- /dev/null
+++ b/releasenotes/notes/support-allowed-cidrs-for-octavia-listener-d563a759d34da8b0.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - Support ``allowed_cidrs`` property for the resource
+ ``OS::Octavia::Listener``, the property is allowed to be updated as well.
+ The property 'allowed_cidrs' was introduced in Octavia since Train release.
+ The default value is empty list if it is not specified in Heat template.
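Review bot: The only coverage added for `allowed_cidrs` is the `@@ -75,6 +75,7 @@` hunk of test_listener.py, which adds the two CIDRs to what looks like the expected create arguments; nothing exercises the update that the schema allows, or the `net_cidr` constraint rejecting a malformed entry. Because the property is an access restriction, I would add an update test that changes the list (including to `[]`) and asserts the arguments handed to the listener update call, plus a validation test that a value such as `'not-a-cidr'` fails stack validation. The enclosing test class and the dict being extended start before this hunk.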