Add resource templates for port-security
This allows the use of OVB on newer clouds (at least Newton and up) without changing the host cloud firewall_driver in Neutron. Sample resource registry entries are added to the example env file.
parent
56d1530aba
commit
13621ebfbe
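--- a/templates/baremetal-ports-all-port-security.yaml
+++ b/templates/baremetal-ports-all-port-security.yaml
@@ -0,0 +1,120 @@
+heat_template_version: 2015-10-15
+
+parameters:
+
+baremetal_prefix:
+type: string
+
+provision_net:
+type: string
+
+public_net:
+type: string
+description: Name of external network
+default: public
+
+suffix:
+type: string
+
+overcloud_internal_net:
+type: string
+description: Name of internal API network
+default: overcloud_internal
+
+overcloud_storage_net:
+type: string
+description: Name of storage network
+default: overcloud_storage
+
+overcloud_storage_mgmt_net:
+type: string
+description: Name of storage management network
+default: overcloud_storage_mgmt
+
+overcloud_tenant_net:
+type: string
+description: Name of tenant network
+default: overcloud_tenant
+
+resources:
+
+provision_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- ''
+- - {get_param: baremetal_prefix}
+- {get_param: suffix}
+network: {get_param: provision_net}
+port_security_enabled: False
+
+internal_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- ''
+- - internal_
+- {get_param: baremetal_prefix}
+- {get_param: suffix}
+network: {get_param: overcloud_internal_net}
+port_security_enabled: False
+
+storage_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- ''
+- - storage_
+- {get_param: baremetal_prefix}
+- {get_param: suffix}
+network: {get_param: overcloud_storage_net}
+port_security_enabled: False
+
+storage_mgmt_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- ''
+- - storage_mgmt_
+- {get_param: baremetal_prefix}
+- {get_param: suffix}
+network: {get_param: overcloud_storage_mgmt_net}
+port_security_enabled: False
+
+tenant_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- ''
+- - tenant_
+- {get_param: baremetal_prefix}
+- {get_param: suffix}
+network: {get_param: overcloud_tenant_net}
+port_security_enabled: False
+
+public_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- ''
+- - public_
+- {get_param: baremetal_prefix}
+- {get_param: suffix}
+network: {get_param: public_net}
+port_security_enabled: False
+
+outputs:
+ports:
+value:
+- {port: {get_resource: provision_port}}
+- {port: {get_resource: public_port}}
+- {port: {get_resource: internal_port}}
+- {port: {get_resource: storage_port}}
+- {port: {get_resource: storage_mgmt_port}}
+- {port: {get_resource: tenant_port}}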
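Review bot: Every port in this template, including `public_port` on the external network, is created with `port_security_enabled: False`, and nothing in the file says what that gives up. With port security off, Neutron applies no security groups and no MAC/IP anti-spoofing to the port, so whatever is attached is reachable on every protocol from that network. I would add a top-level `description:` saying so, e.g. `description: Baremetal ports with Neutron port security disabled; no security groups or anti-spoofing filtering apply to these ports.` The same applies to the other `*-port-security.yaml` templates in this commit, and the comment added in the sample environment hunk (`@ -43,5 +43,13 @@`) mentions only the DHCP benefit.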
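--- a/templates/baremetal-ports-default-port-security.yaml
+++ b/templates/baremetal-ports-default-port-security.yaml
@@ -0,0 +1,35 @@
+heat_template_version: 2015-10-15
+
+parameters:
+
+baremetal_prefix:
+type: string
+
+provision_net:
+type: string
+
+public_net:
+type: string
+description: Name of external network
+default: public
+
+suffix:
+type: string
+
+resources:
+
+provision_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- ''
+- - {get_param: baremetal_prefix}
+- {get_param: suffix}
+network: {get_param: provision_net}
+port_security_enabled: False
+
+outputs:
+ports:
+value:
+- {port: {get_resource: provision_port}}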
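--- a/templates/baremetal-ports-public-bond-port-security.yaml
+++ b/templates/baremetal-ports-public-bond-port-security.yaml
@@ -0,0 +1,133 @@
+heat_template_version: 2015-10-15
+
+parameters:
+
+baremetal_prefix:
+type: string
+
+provision_net:
+type: string
+
+public_net:
+type: string
+description: Name of external network
+default: public
+
+suffix:
+type: string
+
+overcloud_internal_net:
+type: string
+description: Name of internal API network
+default: overcloud_internal
+
+overcloud_storage_net:
+type: string
+description: Name of storage network
+default: overcloud_storage
+
+overcloud_storage_mgmt_net:
+type: string
+description: Name of storage management network
+default: overcloud_storage_mgmt
+
+overcloud_tenant_net:
+type: string
+description: Name of tenant network
+default: overcloud_tenant
+
+resources:
+
+provision_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- ''
+- - {get_param: baremetal_prefix}
+- {get_param: suffix}
+network: {get_param: provision_net}
+port_security_enabled: False
+
+internal_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- ''
+- - internal_
+- {get_param: baremetal_prefix}
+- {get_param: suffix}
+network: {get_param: overcloud_internal_net}
+port_security_enabled: False
+
+storage_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- ''
+- - storage_
+- {get_param: baremetal_prefix}
+- {get_param: suffix}
+network: {get_param: overcloud_storage_net}
+port_security_enabled: False
+
+storage_mgmt_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- ''
+- - storage_mgmt_
+- {get_param: baremetal_prefix}
+- {get_param: suffix}
+network: {get_param: overcloud_storage_mgmt_net}
+port_security_enabled: False
+
+tenant_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- ''
+- - tenant_
+- {get_param: baremetal_prefix}
+- {get_param: suffix}
+network: {get_param: overcloud_tenant_net}
+port_security_enabled: False
+
+public_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- ''
+- - public_
+- {get_param: baremetal_prefix}
+- {get_param: suffix}
+network: {get_param: public_net}
+port_security_enabled: False
+
+public_bond_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- ''
+- - public_
+- {get_param: baremetal_prefix}
+- {get_param: suffix}
+network: {get_param: public_net}
+port_security_enabled: False
+
+outputs:
+ports:
+value:
+- {port: {get_resource: provision_port}}
+- {port: {get_resource: public_port}}
+- {port: {get_resource: public_bond_port}}
+- {port: {get_resource: internal_port}}
+- {port: {get_resource: storage_port}}
+- {port: {get_resource: storage_mgmt_port}}
+- {port: {get_resource: tenant_port}}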
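Review bot: `public_bond_port` builds its name from the same `public_` prefix as `public_port`, so both ports on `public_net` end up with identical names. Neutron does not require unique port names, but anything that selects a port by name (an operator, a cleanup script) cannot tell the two apart, which matters more here because neither port has security groups to distinguish it either. I would use a distinct prefix such as `- - public_bond_`. If the shared name is intentional, a comment above `public_bond_port` saying why would help.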
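--- a/templates/bmc-port-port-security.yaml
+++ b/templates/bmc-port-port-security.yaml
@@ -0,0 +1,29 @@
+heat_template_version: 2015-10-15
+
+parameters:
+
+bmc_prefix:
+type: string
+
+private_net:
+type: string
+
+resources:
+
+private_bmc_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- '_'
+- - 'utility'
+- {get_param: bmc_prefix}
+network: {get_param: private_net}
+port_security_enabled: False
+
+outputs:
+port:
+value:
+- {port: {get_resource: private_bmc_port}}
+ip_address:
+value: {get_attr: [private_bmc_port, fixed_ips, 0, ip_address]}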
@ -43,5 +43,13 @@ parameters:
|
||||
# OS::OVB::BaremetalNetworks: templates/baremetal-networks-all.yaml
|
||||
# OS::OVB::BaremetalPorts: templates/baremetal-ports-all.yaml
|
||||
|
||||
## Uncomment to use the neutron port-security extension to allow DHCP from
|
||||
## the undercloud to overcloud nodes. There are *-port-security.yaml versions
|
||||
## of all the standard port resource templates. The examples below are to use
|
||||
## port-security with a minimal deployment (i.e. no network isolation).
|
||||
# OS::OVB::BaremetalPorts: templates/baremetal-ports-default-port-security.yaml
|
||||
# OS::OVB::BMCPort: templates/bmc-port-port-security.yaml
|
||||
# OS::OVB::UndercloudPorts: templates/undercloud-ports-port-security.yaml
|
||||
|
||||
## Uncomment to deploy a quintupleo environment without an undercloud.
|
||||
# OS::OVB::UndercloudEnvironment: OS::Heat::None
|
||||
|
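--- a/templates/undercloud-ports-port-security.yaml
+++ b/templates/undercloud-ports-port-security.yaml
@@ -0,0 +1,68 @@
+heat_template_version: 2015-10-15
+
+parameters:
+
+undercloud_name:
+type: string
+
+private_net:
+type: string
+
+provision_net:
+type: string
+
+public_net:
+type: string
+
+resources:
+undercloud_sg:
+type: OS::Neutron::SecurityGroup
+properties:
+name: undercloud_sg
+description: Ping and SSH
+rules:
+- protocol: icmp
+- protocol: tcp
+port_range_min: 22
+port_range_max: 22
+
+private_undercloud_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- '_'
+- - {get_param: undercloud_name}
+- 'private'
+network: {get_param: private_net}
+security_groups:
+- {get_resource: undercloud_sg}
+
+provision_undercloud_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- '_'
+- - {get_param: undercloud_name}
+- 'provision'
+network: {get_param: provision_net}
+port_security_enabled: False
+
+public_undercloud_port:
+type: OS::Neutron::Port
+properties:
+name:
+list_join:
+- '_'
+- - {get_param: undercloud_name}
+- 'public'
+network: {get_param: public_net}
+port_security_enabled: False
+
+outputs:
+ports:
+value:
+- {port: {get_resource: private_undercloud_port}}
+- {port: {get_resource: provision_undercloud_port}}
+- {port: {get_resource: public_undercloud_port}}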
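Review bot: `undercloud_sg` is attached only to `private_undercloud_port`; `provision_undercloud_port` and `public_undercloud_port` set `port_security_enabled: False`, so the "Ping and SSH" group filters nothing on those two networks and the undercloud is unfiltered on `public_net`. The two rules also carry no `remote_ip_prefix`, which leaves ICMP and TCP 22 open to any source on the private port. I would add a comment above the group, `# Applies to the private port only; the provision and public ports have port security disabled and are not filtered.`, and consider a parameter for the allowed SSH source range instead of the implicit any-source default. Where the public network is routable, firewalling inside the undercloud guest is then the only control on that interface.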