Add resource templates for port-security

This allows the use of OVB on newer clouds (at least Newton and up)
without changing the host cloud firewall_driver in Neutron.  Sample
resource registry entries are added to the example env file.

templates/baremetal-ports-all-port-security.yaml

@@ -0,0 +1,120 @@
+heat_template_version: 2015-10-15
+
+parameters:
+
+  baremetal_prefix:
+    type: string
+
+  provision_net:
+    type: string
+
+  public_net:
+    type: string
+    description: Name of external network
+    default: public
+
+  suffix:
+    type: string
+
+  overcloud_internal_net:
+    type: string
+    description: Name of internal API network
+    default: overcloud_internal
+
+  overcloud_storage_net:
+    type: string
+    description: Name of storage network
+    default: overcloud_storage
+
+  overcloud_storage_mgmt_net:
+    type: string
+    description: Name of storage management network
+    default: overcloud_storage_mgmt
+
+  overcloud_tenant_net:
+    type: string
+    description: Name of tenant network
+    default: overcloud_tenant
+
+resources:
+
+  provision_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - ''
+        - - {get_param: baremetal_prefix}
+          - {get_param: suffix}
+      network: {get_param: provision_net}
+      port_security_enabled: False
+
+  internal_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - ''
+        - - internal_
+          - {get_param: baremetal_prefix}
+          - {get_param: suffix}
+      network: {get_param: overcloud_internal_net}
+      port_security_enabled: False
+
+  storage_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - ''
+        - - storage_
+          - {get_param: baremetal_prefix}
+          - {get_param: suffix}
+      network: {get_param: overcloud_storage_net}
+      port_security_enabled: False
+
+  storage_mgmt_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - ''
+        - - storage_mgmt_
+          - {get_param: baremetal_prefix}
+          - {get_param: suffix}
+      network: {get_param: overcloud_storage_mgmt_net}
+      port_security_enabled: False
+
+  tenant_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - ''
+        - - tenant_
+          - {get_param: baremetal_prefix}
+          - {get_param: suffix}
+      network: {get_param: overcloud_tenant_net}
+      port_security_enabled: False
+
+  public_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - ''
+        - - public_
+          - {get_param: baremetal_prefix}
+          - {get_param: suffix}
+      network: {get_param: public_net}
+      port_security_enabled: False
+
+outputs:
+  ports:
+    value:
+    - {port: {get_resource: provision_port}}
+    - {port: {get_resource: public_port}}
+    - {port: {get_resource: internal_port}}
+    - {port: {get_resource: storage_port}}
+    - {port: {get_resource: storage_mgmt_port}}
+    - {port: {get_resource: tenant_port}}

templates/baremetal-ports-default-port-security.yaml

@@ -0,0 +1,35 @@
+heat_template_version: 2015-10-15
+
+parameters:
+
+  baremetal_prefix:
+    type: string
+
+  provision_net:
+    type: string
+
+  public_net:
+    type: string
+    description: Name of external network
+    default: public
+
+  suffix:
+    type: string
+
+resources:
+
+  provision_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - ''
+        - - {get_param: baremetal_prefix}
+          - {get_param: suffix}
+      network: {get_param: provision_net}
+      port_security_enabled: False
+
+outputs:
+  ports:
+    value:
+    - {port: {get_resource: provision_port}}

templates/baremetal-ports-public-bond-port-security.yaml

@@ -0,0 +1,133 @@
+heat_template_version: 2015-10-15
+
+parameters:
+
+  baremetal_prefix:
+    type: string
+
+  provision_net:
+    type: string
+
+  public_net:
+    type: string
+    description: Name of external network
+    default: public
+
+  suffix:
+    type: string
+
+  overcloud_internal_net:
+    type: string
+    description: Name of internal API network
+    default: overcloud_internal
+
+  overcloud_storage_net:
+    type: string
+    description: Name of storage network
+    default: overcloud_storage
+
+  overcloud_storage_mgmt_net:
+    type: string
+    description: Name of storage management network
+    default: overcloud_storage_mgmt
+
+  overcloud_tenant_net:
+    type: string
+    description: Name of tenant network
+    default: overcloud_tenant
+
+resources:
+
+  provision_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - ''
+        - - {get_param: baremetal_prefix}
+          - {get_param: suffix}
+      network: {get_param: provision_net}
+      port_security_enabled: False
+
+  internal_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - ''
+        - - internal_
+          - {get_param: baremetal_prefix}
+          - {get_param: suffix}
+      network: {get_param: overcloud_internal_net}
+      port_security_enabled: False
+
+  storage_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - ''
+        - - storage_
+          - {get_param: baremetal_prefix}
+          - {get_param: suffix}
+      network: {get_param: overcloud_storage_net}
+      port_security_enabled: False
+
+  storage_mgmt_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - ''
+        - - storage_mgmt_
+          - {get_param: baremetal_prefix}
+          - {get_param: suffix}
+      network: {get_param: overcloud_storage_mgmt_net}
+      port_security_enabled: False
+
+  tenant_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - ''
+        - - tenant_
+          - {get_param: baremetal_prefix}
+          - {get_param: suffix}
+      network: {get_param: overcloud_tenant_net}
+      port_security_enabled: False
+
+  public_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - ''
+        - - public_
+          - {get_param: baremetal_prefix}
+          - {get_param: suffix}
+      network: {get_param: public_net}
+      port_security_enabled: False
+
+  public_bond_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - ''
+        - - public_
+          - {get_param: baremetal_prefix}
+          - {get_param: suffix}
+      network: {get_param: public_net}
+      port_security_enabled: False
+
+outputs:
+  ports:
+    value:
+    - {port: {get_resource: provision_port}}
+    - {port: {get_resource: public_port}}
+    - {port: {get_resource: public_bond_port}}
+    - {port: {get_resource: internal_port}}
+    - {port: {get_resource: storage_port}}
+    - {port: {get_resource: storage_mgmt_port}}
+    - {port: {get_resource: tenant_port}}

templates/bmc-port-port-security.yaml

@@ -0,0 +1,29 @@
+heat_template_version: 2015-10-15
+
+parameters:
+
+  bmc_prefix:
+    type: string
+
+  private_net:
+    type: string
+
+resources:
+
+  private_bmc_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - '_'
+        - - 'utility'
+          - {get_param: bmc_prefix}
+      network: {get_param: private_net}
+      port_security_enabled: False
+
+outputs:
+  port:
+    value:
+    - {port: {get_resource: private_bmc_port}}
+  ip_address:
+    value: {get_attr: [private_bmc_port, fixed_ips, 0, ip_address]}

templates/env.yaml.example

@@ -43,5 +43,13 @@ parameters:
 #  OS::OVB::BaremetalNetworks: templates/baremetal-networks-all.yaml
 #  OS::OVB::BaremetalPorts: templates/baremetal-ports-all.yaml
 
+## Uncomment to use the neutron port-security extension to allow DHCP from
+## the undercloud to overcloud nodes.  There are *-port-security.yaml versions
+## of all the standard port resource templates.  The examples below are to use
+## port-security with a minimal deployment (i.e. no network isolation).
+#  OS::OVB::BaremetalPorts: templates/baremetal-ports-default-port-security.yaml
+#  OS::OVB::BMCPort: templates/bmc-port-port-security.yaml
+#  OS::OVB::UndercloudPorts: templates/undercloud-ports-port-security.yaml
+
 ## Uncomment to deploy a quintupleo environment without an undercloud.
 #  OS::OVB::UndercloudEnvironment: OS::Heat::None

templates/undercloud-ports-port-security.yaml

@@ -0,0 +1,68 @@
+heat_template_version: 2015-10-15
+
+parameters:
+
+  undercloud_name:
+    type: string
+
+  private_net:
+    type: string
+
+  provision_net:
+    type: string
+
+  public_net:
+    type: string
+
+resources:
+  undercloud_sg:
+    type: OS::Neutron::SecurityGroup
+    properties:
+      name: undercloud_sg
+      description: Ping and SSH
+      rules:
+      - protocol: icmp
+      - protocol: tcp
+        port_range_min: 22
+        port_range_max: 22
+
+  private_undercloud_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - '_'
+        - - {get_param: undercloud_name}
+          - 'private'
+      network: {get_param: private_net}
+      security_groups:
+      - {get_resource: undercloud_sg}
+
+  provision_undercloud_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - '_'
+        - - {get_param: undercloud_name}
+          - 'provision'
+      network: {get_param: provision_net}
+      port_security_enabled: False
+
+  public_undercloud_port:
+    type: OS::Neutron::Port
+    properties:
+      name:
+        list_join:
+        - '_'
+        - - {get_param: undercloud_name}
+          - 'public'
+      network: {get_param: public_net}
+      port_security_enabled: False
+
+outputs:
+  ports:
+    value:
+    - {port: {get_resource: private_undercloud_port}}
+    - {port: {get_resource: provision_undercloud_port}}
+    - {port: {get_resource: public_undercloud_port}}