3b87c5cc6f
A new label named `master_lb_allowed_cidrs` is added to control the IP range which can access the k8s api and etcd load balancers. It's a good security enhancement. Task: 39188 Story: 2007414 Change-Id: I157a3b01d169e550e79b94316803fde8ddf77b03
77 lines
1.8 KiB
YAML
77 lines
1.8 KiB
YAML
# etcd service load balancer doesn't have floating IP associated.
|
|
heat_template_version: queens
|
|
|
|
conditions:
|
|
allowed_cidrs_enabled:
|
|
not:
|
|
allowed_cidrs_disabled
|
|
|
|
allowed_cidrs_disabled:
|
|
equals:
|
|
- get_param: allowed_cidrs
|
|
- []
|
|
|
|
parameters:
|
|
|
|
fixed_subnet:
|
|
type: string
|
|
|
|
protocol:
|
|
type: string
|
|
default: TCP
|
|
constraints:
|
|
- allowed_values: ["TCP", "HTTP"]
|
|
|
|
port:
|
|
type: number
|
|
|
|
allowed_cidrs:
|
|
type: comma_delimited_list
|
|
description: The allowed CIDR list for master load balancer
|
|
|
|
resources:
|
|
loadbalancer:
|
|
type: Magnum::Optional::Neutron::LBaaS::LoadBalancer
|
|
properties:
|
|
vip_subnet: {get_param: fixed_subnet}
|
|
|
|
listener:
|
|
condition: allowed_cidrs_disabled
|
|
type: Magnum::Optional::Neutron::LBaaS::Listener
|
|
properties:
|
|
loadbalancer: {get_resource: loadbalancer}
|
|
protocol: {get_param: protocol}
|
|
protocol_port: {get_param: port}
|
|
|
|
listener_with_allowed_cidrs:
|
|
condition: allowed_cidrs_enabled
|
|
type: Magnum::Optional::Neutron::LBaaS::Listener
|
|
properties:
|
|
loadbalancer: {get_resource: loadbalancer}
|
|
protocol: {get_param: protocol}
|
|
protocol_port: {get_param: port}
|
|
allowed_cidrs: {get_param: allowed_cidrs}
|
|
|
|
pool:
|
|
type: Magnum::Optional::Neutron::LBaaS::Pool
|
|
properties:
|
|
lb_algorithm: ROUND_ROBIN
|
|
listener: {if: ["allowed_cidrs_enabled", {get_resource: listener_with_allowed_cidrs}, {get_resource: listener}]}
|
|
protocol: {get_param: protocol}
|
|
|
|
monitor:
|
|
type: Magnum::Optional::Neutron::LBaaS::HealthMonitor
|
|
properties:
|
|
type: TCP
|
|
delay: 5
|
|
max_retries: 5
|
|
timeout: 5
|
|
pool: { get_resource: pool }
|
|
|
|
outputs:
|
|
pool_id:
|
|
value: {get_resource: pool}
|
|
|
|
address:
|
|
value: {get_attr: [loadbalancer, vip_address]}
|