remove ssh from tripleo::firewall::pre

including global ssh access in tripleo::firewall::pre makes it difficult for the operator to control ssh access to overcloud hosts. This removes the hardcoded rule and the accompanying change in t-h-t configures the default firewall rules via hiera config_settings. Depends-On: I89cff59947dda3f51482486c41a3d67c4aa36a3e Change-Id: I14b540e6564c5b7c5d54b4f1fd5368b000744135
2018-07-12 15:22:10 -04:00 · 2018-07-12 15:22:10 -04:00 · 9bdb8199cc
commit 9bdb8199cc
parent daa4710a0a
2 changed files with 0 additions and 19 deletions
--- a/manifests/firewall/pre.pp
+++ b/manifests/firewall/pre.pp
@ -52,12 +52,6 @@ class tripleo::firewall::pre(
    tag     => 'tripleo-firewall-prerule',
  }

-  tripleo::firewall::rule{ '003 accept ssh':
-    dport  => '22',
-    extras => $firewall_settings,
-    tag    => 'tripleo-firewall-prerule',
-  }
-
  tripleo::firewall::rule{ '004 accept ipv6 dhcpv6':
    dport       => '546',
    proto       => 'udp',
--- a/spec/classes/tripleo_firewall_spec.rb
+++ b/spec/classes/tripleo_firewall_spec.rb
@ -69,19 +69,6 @@ describe 'tripleo::firewall' do
          :state    => ['NEW'],
          :provider => 'ip6tables',
        )
-        is_expected.to contain_firewall('003 accept ssh ipv4').with(
-          :dport   => '22',
-          :proto  => 'tcp',
-          :action => 'accept',
-          :state  => ['NEW'],
-        )
-        is_expected.to contain_firewall('003 accept ssh ipv6').with(
-          :dport    => '22',
-          :proto    => 'tcp',
-          :action   => 'accept',
-          :state    => ['NEW'],
-          :provider => 'ip6tables',
-        )
      end

      it 'configure basic post firewall rules' do