Support allowed_cidrs for Octavia listener

Support ``allowed_cidrs`` property for the resource ``OS::Octavia::Listener``, the property is allowed to be updated as well. The property 'allowed_cidrs' was introduced in Octavia since Train release. The default value is empty list if it is not specified in Heat template. Task: 38952 Story: 2007378 Change-Id: I9d38716b236b0782f0d09097b7a0f615fe5be041
2020-03-05 20:50:37 +13:00 · 2020-03-05 20:50:37 +13:00 · dd29c9508c
commit dd29c9508c
parent 920c4877bf
4 changed files with 27 additions and 2 deletions
--- a/heat/engine/resources/openstack/octavia/listener.py
+++ b/heat/engine/resources/openstack/octavia/listener.py
@ -17,6 +17,7 @@ from heat.engine import attributes
 from heat.engine import constraints
 from heat.engine import properties
 from heat.engine.resources.openstack.octavia import octavia_base
+from heat.engine import support
 from heat.engine import translation


@ -30,11 +31,11 @@ class Listener(octavia_base.OctaviaBase):
    PROPERTIES = (
        PROTOCOL_PORT, PROTOCOL, LOADBALANCER, DEFAULT_POOL, NAME,
        ADMIN_STATE_UP, DESCRIPTION, DEFAULT_TLS_CONTAINER_REF,
-        SNI_CONTAINER_REFS, CONNECTION_LIMIT, TENANT_ID
+        SNI_CONTAINER_REFS, CONNECTION_LIMIT, TENANT_ID, ALLOWED_CIDRS
    ) = (
        'protocol_port', 'protocol', 'loadbalancer', 'default_pool', 'name',
        'admin_state_up', 'description', 'default_tls_container_ref',
-        'sni_container_refs', 'connection_limit', 'tenant_id'
+        'sni_container_refs', 'connection_limit', 'tenant_id', 'allowed_cidrs'
    )

    SUPPORTED_PROTOCOLS = (TCP, HTTP, HTTPS, TERMINATED_HTTPS, PROXY, UDP) = (
@ -121,6 +122,20 @@ class Listener(octavia_base.OctaviaBase):
            properties.Schema.STRING,
            _('The ID of the tenant who owns the listener.')
        ),
+        ALLOWED_CIDRS: properties.Schema(
+            properties.Schema.LIST,
+            _('A list of IPv4, IPv6 or mix of both CIDRs. The default is all '
+              'allowed. When a list of CIDRs is provided, the default '
+              'switches to deny all.'),
+            update_allowed=True,
+            schema=properties.Schema(
+                properties.Schema.STRING,
+                constraints=[
+                    constraints.CustomConstraint('net_cidr')
+                ]
+            ),
+            support_status=support.SupportStatus(version='14.0.0'),
+        )
    }

    attributes_schema = {
--- a/heat/tests/openstack/octavia/inline_templates.py
+++ b/heat/tests/openstack/octavia/inline_templates.py
@ -48,6 +48,9 @@ resources:
        - ref2
      connection_limit: -1
      tenant_id: 1234
+      allowed_cidrs:
+        - 10.10.0.0/16
+        - 192.168.0.0/16
 '''

 POOL_TEMPLATE = '''
--- a/heat/tests/openstack/octavia/test_listener.py
+++ b/heat/tests/openstack/octavia/test_listener.py
@ -75,6 +75,7 @@ class ListenerTest(common.HeatTestCase):
                'sni_container_refs': ['ref1', 'ref2'],
                'connection_limit': -1,
                'tenant_id': '1234',
+                'allowed_cidrs': ['10.10.0.0/16', '192.168.0.0/16']
            }
        }

--- a/releasenotes/notes/support-allowed-cidrs-for-octavia-listener-d563a759d34da8b0.yaml
+++ b/releasenotes/notes/support-allowed-cidrs-for-octavia-listener-d563a759d34da8b0.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - Support ``allowed_cidrs`` property for the resource
+    ``OS::Octavia::Listener``, the property is allowed to be updated as well.
+    The property 'allowed_cidrs' was introduced in Octavia since Train release.
+    The default value is empty list if it is not specified in Heat template.