Implement tripleo::masquerade_networks

It will be used by the OS::TripleO::Services::MasqueradeNetworks service
to configure iptables masquerade rules when needed for PoC or CI
environments.

Change-Id: I8dda3c164de90954855979529de4f1100a858b45
Related-Bug: #1760211
Emilien Macchi 2018-04-02 09:15:59 -07:00
parent cbe1699395
commit 03402f207b
2 changed files with 113 additions and 0 deletions

@ -0,0 +1,46 @@
# Copyright 2018 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# == Class: tripleo::masqueraded_networks
#
# Configure masqueraded_networks
#
# [*masquerade_networks*]
# (Optional) Hash of masquerade networks to manage.
# Defaults to Defaults to hiera('masquerade_networks', false)
#
class tripleo::masquerade_networks (
$masquerade_networks = hiera('masquerade_networks', false)
){
if $masquerade_networks {
$masquerade_networks.each |$source, $destinations| {
create_resources('tripleo::firewall::rule', {
"137 routed_network return ${source}" => {
'table' => 'nat',
'source' => $source,
'destination' => $destinations,
'jump' => 'RETURN',
'chain' => 'POSTROUTING',
},
"138 routed_network masquerade ${source}" => {
'table' => 'nat',
'source' => $source,
'jump' => 'MASQUERADE',
'chain' => 'POSTROUTING',
}
})
}
}
}
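Review bot: The MASQUERADE rule (`"138 routed_network masquerade ${source}"`) matches on `source` alone, so any packet from that network that misses the RETURN rule is source-NATed whichever interface it leaves on; if NAT is only meant to apply towards the external network, the rule should also be limited by outgoing interface, otherwise the class documentation should state the wider scope. `$masquerade_networks` is untyped, so a Hiera value that is truthy but not a hash reaches `.each` unchecked; declaring it as `Variant[Boolean, Hash] $masquerade_networks = hiera('masquerade_networks', false)` would reject that at compile time. The header comment names the class `tripleo::masqueraded_networks` and repeats "Defaults to"; it should read `# == Class: tripleo::masquerade_networks` and `# Defaults to hiera('masquerade_networks', false)`. The commit message limits the use to PoC or CI environments, and a sentence saying so in the class documentation would keep that constraint visible to operators.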

@ -0,0 +1,67 @@
# Copyright 2018 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Unit tests for tripleo
#
require 'spec_helper'
describe 'tripleo::masquerade_networks' do
let :params do
{ }
end
shared_examples_for 'tripleo::masquerade_networks' do
context 'with masquerade networks enabled' do
before :each do
params.merge!(
:masquerade_networks => {'192.168.24.0/24' => ['192.168.24.0/24', '192.168.25.0/24']},
)
end
it 'configure RETURN rule' do
is_expected.to contain_firewall('137 routed_network return 192.168.24.0/24 ipv4').with(
:table => 'nat',
:source => '192.168.24.0/24',
:destination => ['192.168.24.0/24', '192.168.25.0/24'],
:jump => 'RETURN',
:chain => 'POSTROUTING',
)
end
it 'configure MASQUERADE rule' do
is_expected.to contain_firewall('138 routed_network masquerade 192.168.24.0/24 ipv4').with(
:table => 'nat',
:source => '192.168.24.0/24',
:jump => 'MASQUERADE',
:chain => 'POSTROUTING',
)
end
end
end
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) do
facts.merge({})
end
it_behaves_like 'tripleo::masquerade_networks'
end
end
end
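Review bot: Only the enabled path is covered; no example asserts that the default (`masquerade_networks` left unset, so the Hiera fallback of `false` applies) creates no NAT rules. A second context with empty params and `it { is_expected.not_to contain_firewall('138 routed_network masquerade 192.168.24.0/24 ipv4') }` would pin that down, so a regression that turns masquerading on by default is caught. A fixture with two source networks would also confirm that one RETURN/MASQUERADE pair is generated per hash key.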