openstack/puppet-tripleo
Code Issues Proposed changes

Implement firewalling in tripleo::firewall

Browse Source 
Currently firewalling is implemented in tripleo/init.pp this commit
moves it to its own scope tripleo/firewall.pp.

This is done so that in tripleo-heat-templates we can have a simple and
generic `include tripleo::firewall` in every manifest - unconditional.
The rest of the behavior will all be managed by hiera.

If a user wants to enable firewalling:

```
tripleo::firewall::manage_firewall: true
```

If a user wants to specify firewall rules:

```
tripleo::firewall::firewall_rules:
  '103 mongod':
    port: 27017
```

Change-Id: I144c60db2a568a94dce5b51257f1d10980173325
This commit is contained in:
Yanis Guenane 2015-07-15 11:58:46 +02:00
parent 9b22f9f4dd
commit c59650772c
4 changed files with 206 additions and 160 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
manifests/firewall.pp Normal file
View File

@ -0,0 +1,91 @@
#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo
#
# Configure the TripleO firewall
#
# === Parameters:
#
# [*manage_firewall*]
# (optional) Completely enable or disable firewall settings
# (false means disabled, and true means enabled)
# Defaults to false
#
# [*firewall_rules*]
# (optional) Allow to add custom firewall rules
# Should be an hash.
# Default to {}
#
# [*purge_firewall_rules*]
# (optional) Boolean, purge all firewall resources
# Defaults to false
#
# [*firewall_pre_extras*]
# (optional) Allow to add custom parameters to firewall rules (pre stage)
# Should be an hash.
# Default to {}
#
# [*firewall_post_extras*]
# (optional) Allow to add custom parameters to firewall rules (post stage)
# Should be an hash.
# Default to {}
#
class tripleo::firewall(
$manage_firewall = false,
$firewall_rules = {},
$purge_firewall_rules = false,
$firewall_pre_extras = {},
$firewall_post_extras = {},
) {
include ::stdlib
if $manage_firewall {
# Only purges IPv4 rules
if $purge_firewall_rules {
resources { 'firewall':
purge => true
}
}
# anyone can add your own rules
# example with Hiera:
#
# tripleo::firewall::rules:
# '300 allow custom application 1':
# port: 999
# proto: udp
# action: accept
# '301 allow custom application 2':
# port: 8081
# proto: tcp
# action: accept
#
create_resources('tripleo::firewall::rule', $firewall_rules)
ensure_resource('class', 'tripleo::firewall::pre', {
'firewall_settings' => $firewall_pre_extras,
'stage' => 'setup',
})
ensure_resource('class', 'tripleo::firewall::post', {
'stage' => 'runtime',
'firewall_settings' => $firewall_post_extras,
})
}
}

70
manifests/init.pp
View File

@ -17,75 +17,7 @@
#
# Installs the system requirements
#
# === Parameters:
#
# [*manage_firewall*]
# (optional) Completely enable or disable firewall settings
# (false means disabled, and true means enabled)
# Defaults to false
#
# [*firewall_rules*]
# (optional) Allow to add custom firewall rules
# Should be an hash.
# Default to {}
#
# [*purge_firewall_rules*]
# (optional) Boolean, purge all firewall resources
# Defaults to false
#
# [*firewall_pre_extras*]
# (optional) Allow to add custom parameters to firewall rules (pre stage)
# Should be an hash.
# Default to {}
#
# [*firewall_post_extras*]
# (optional) Allow to add custom parameters to firewall rules (post stage)
# Should be an hash.
# Default to {}
#
class tripleo(
$manage_firewall = false,
$firewall_rules = {},
$purge_firewall_rules = false,
$firewall_pre_extras = {},
$firewall_post_extras = {},
) {
include ::stdlib
if $manage_firewall {
# Only purges IPv4 rules
if $purge_firewall_rules {
resources { 'firewall':
purge => true
}
}
# anyone can add your own rules
# example with Hiera:
#
# tripleo::firewall::rules:
# '300 allow custom application 1':
# port: 999
# proto: udp
# action: accept
# '301 allow custom application 2':
# port: 8081
# proto: tcp
# action: accept
#
create_resources('tripleo::firewall::rule', $firewall_rules)
ensure_resource('class', 'tripleo::firewall::pre', {
'firewall_settings' => $firewall_pre_extras,
'stage' => 'setup',
})
ensure_resource('class', 'tripleo::firewall::post', {
'stage' => 'runtime',
'firewall_settings' => $firewall_post_extras,
})
}
class tripleo{
}

114
spec/classes/tripleo_firewall_spec.rb Normal file
View File

@ -0,0 +1,114 @@
#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Unit tests for tripleo
#
require 'spec_helper'
describe 'tripleo::firewall' do
let :params do
{ }
end
shared_examples_for 'tripleo node' do
context 'with firewall enabled' do
before :each do
params.merge!(
:manage_firewall => true,
)
end
it 'configure basic pre firewall rules' do
is_expected.to contain_firewall('000 accept related established rules').with(
:proto => 'all',
:state => ['RELATED', 'ESTABLISHED'],
:action => 'accept',
)
is_expected.to contain_firewall('001 accept all icmp').with(
:proto => 'icmp',
:action => 'accept',
:state => ['NEW'],
)
is_expected.to contain_firewall('002 accept all to lo interface').with(
:proto => 'all',
:iniface => 'lo',
:action => 'accept',
:state => ['NEW'],
)
is_expected.to contain_firewall('003 accept ssh').with(
:port => '22',
:proto => 'tcp',
:action => 'accept',
:state => ['NEW'],
)
end
it 'configure basic post firewall rules' do
is_expected.to contain_firewall('999 drop all').with(
:proto => 'all',
:action => 'drop',
:source => '0.0.0.0/0',
)
end
end
context 'with custom firewall rules' do
before :each do
params.merge!(
:manage_firewall => true,
:firewall_rules => {
'300 add custom application 1' => {'port' => '999', 'proto' => 'udp', 'action' => 'accept'},
'301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'}
}
)
end
it 'configure custom firewall rules' do
is_expected.to contain_firewall('300 add custom application 1').with(
:port => '999',
:proto => 'udp',
:action => 'accept',
:state => ['NEW'],
)
is_expected.to contain_firewall('301 add custom application 2').with(
:port => '8081',
:proto => 'tcp',
:action => 'accept',
:state => ['NEW'],
)
end
end
end
context 'on Debian platforms' do
let :facts do
{ :osfamily => 'Debian' }
end
it_configures 'tripleo node'
end
context 'on RedHat platforms' do
let :facts do
{ :osfamily => 'RedHat' }
end
it_configures 'tripleo node'
end
end

91
spec/classes/tripleo_init_spec.rb
View File

@ -20,95 +20,4 @@ require 'spec_helper'
describe 'tripleo' do
let :params do
{ }
end
shared_examples_for 'tripleo node' do
context 'with firewall enabled' do
before :each do
params.merge!(
:manage_firewall => true,
)
end
it 'configure basic pre firewall rules' do
is_expected.to contain_firewall('000 accept related established rules').with(
:proto => 'all',
:state => ['RELATED', 'ESTABLISHED'],
:action => 'accept',
)
is_expected.to contain_firewall('001 accept all icmp').with(
:proto => 'icmp',
:action => 'accept',
:state => ['NEW'],
)
is_expected.to contain_firewall('002 accept all to lo interface').with(
:proto => 'all',
:iniface => 'lo',
:action => 'accept',
:state => ['NEW'],
)
is_expected.to contain_firewall('003 accept ssh').with(
:port => '22',
:proto => 'tcp',
:action => 'accept',
:state => ['NEW'],
)
end
it 'configure basic post firewall rules' do
is_expected.to contain_firewall('999 drop all').with(
:proto => 'all',
:action => 'drop',
:source => '0.0.0.0/0',
)
end
end
context 'with custom firewall rules' do
before :each do
params.merge!(
:manage_firewall => true,
:firewall_rules => {
'300 add custom application 1' => {'port' => '999', 'proto' => 'udp', 'action' => 'accept'},
'301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'}
}
)
end
it 'configure custom firewall rules' do
is_expected.to contain_firewall('300 add custom application 1').with(
:port => '999',
:proto => 'udp',
:action => 'accept',
:state => ['NEW'],
)
is_expected.to contain_firewall('301 add custom application 2').with(
:port => '8081',
:proto => 'tcp',
:action => 'accept',
:state => ['NEW'],
)
end
end
end
context 'on Debian platforms' do
let :facts do
{ :osfamily => 'Debian' }
end
it_configures 'tripleo node'
end
context 'on RedHat platforms' do
let :facts do
{ :osfamily => 'RedHat' }
end
it_configures 'tripleo node'
end
end