Merge "Remove implementation to manage firewall rules by Puppet"
|
@ -1,203 +0,0 @@
|
|||
#
|
||||
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo
|
||||
#
|
||||
# Configure the TripleO firewall
|
||||
#
|
||||
# === Parameters:
|
||||
#
|
||||
# [*manage_firewall*]
|
||||
# (optional) Completely enable or disable firewall settings
|
||||
# (false means disabled, and true means enabled)
|
||||
# Defaults to false
|
||||
#
|
||||
# [*firewall_chains*]
|
||||
# (optional) Manage firewall chains
|
||||
# Default to {}
|
||||
#
|
||||
# [*firewall_rules*]
|
||||
# (optional) Allow to add custom firewall rules
|
||||
# Should be an hash.
|
||||
# Default to {}
|
||||
#
|
||||
# [*purge_firewall_chains*]
|
||||
# (optional) Boolean, purge all firewalli rules in a given chain
|
||||
# Defaults to false
|
||||
#
|
||||
# [*purge_firewall_rules*]
|
||||
# (optional) Boolean, purge all firewall resources
|
||||
# Defaults to false
|
||||
#
|
||||
# [*firewall_pre_extras*]
|
||||
# (optional) Allow to add custom parameters to firewall rules (pre stage)
|
||||
# Should be an hash.
|
||||
# Default to {}
|
||||
#
|
||||
# [*firewall_post_extras*]
|
||||
# (optional) Allow to add custom parameters to firewall rules (post stage)
|
||||
# Should be an hash.
|
||||
# Default to {}
|
||||
#
|
||||
class tripleo::firewall(
|
||||
$manage_firewall = false,
|
||||
$firewall_chains = {},
|
||||
$firewall_rules = {},
|
||||
$purge_firewall_chains = false,
|
||||
$purge_firewall_rules = false,
|
||||
$firewall_pre_extras = {},
|
||||
$firewall_post_extras = {},
|
||||
) {
|
||||
|
||||
if $manage_firewall {
|
||||
|
||||
if $purge_firewall_chains {
|
||||
resources { 'firewallchain':
|
||||
purge => true
|
||||
}
|
||||
}
|
||||
|
||||
# Only purges IPv4 rules
|
||||
if $purge_firewall_rules {
|
||||
resources { 'firewall':
|
||||
purge => true
|
||||
}
|
||||
}
|
||||
|
||||
# To manage the chains they must be named in specific ways
|
||||
# https://github.com/puppetlabs/puppetlabs-firewall#type-firewallchain
|
||||
# Example Hiera:
|
||||
# tripleo::firewall::firewall_chains:
|
||||
# 'FORWARD:filter:IPv4':
|
||||
# ensure: present
|
||||
# policy: accept
|
||||
# purge: false
|
||||
#
|
||||
create_resources('firewallchain', $firewall_chains)
|
||||
|
||||
# anyone can add your own rules
|
||||
# example with Hiera:
|
||||
#
|
||||
# tripleo::firewall::firewall_rules:
|
||||
# '300 allow custom application 1':
|
||||
# port: 999
|
||||
# proto: udp
|
||||
# action: accept
|
||||
# '301 allow custom application 2':
|
||||
# port: 8081
|
||||
# proto: tcp
|
||||
# action: accept
|
||||
#
|
||||
create_resources('tripleo::firewall::rule', $firewall_rules)
|
||||
|
||||
ensure_resource('class', 'tripleo::firewall::pre', {
|
||||
'firewall_settings' => $firewall_pre_extras,
|
||||
})
|
||||
|
||||
ensure_resource('class', 'tripleo::firewall::post', {
|
||||
'firewall_settings' => $firewall_post_extras,
|
||||
})
|
||||
|
||||
# Ensure we don't get any unmanaged rules in the firewall.
|
||||
#
|
||||
# iptables-services package pushes some rules we don't want to see in the
|
||||
# firewall, as they conflict with the ones we are actually managing:
|
||||
# - opens ssh to the world (see https://review.openstack.org/632468)
|
||||
# - reject connections (and this reject happens before the logging we push,
|
||||
# preventing logging to happen)
|
||||
# - some repetitions like RELATED,ESTABLISHED, and ICMP related rules
|
||||
#
|
||||
# See https://bugzilla.redhat.com/show_bug.cgi?id=1667887
|
||||
# for more context and detail.
|
||||
exec {'save ipv4 rules':
|
||||
command => '/usr/sbin/iptables-save > /etc/sysconfig/iptables',
|
||||
before => Service[$::firewall::params::service_name, $::firewall::params::service_name_v6],
|
||||
}
|
||||
exec {'save ipv6 rules':
|
||||
command => '/usr/sbin/ip6tables-save > /etc/sysconfig/ip6tables',
|
||||
before => Service[$::firewall::params::service_name, $::firewall::params::service_name_v6],
|
||||
}
|
||||
|
||||
Class['tripleo::firewall::pre']
|
||||
-> Firewall<|tag == 'tripleo-firewall-rule'|>
|
||||
-> Class['tripleo::firewall::post']
|
||||
|
||||
Service<||> -> Class['tripleo::firewall::post']
|
||||
|
||||
# Allow composable services to load their own custom
|
||||
# example with Hiera.
|
||||
# NOTE(dprince): In the future when we have a better hiera
|
||||
# heat hook we might refactor this to use hiera's merging
|
||||
# capabilities instead. Until then rolling up the flat service
|
||||
# keys and dynamically creating firewall rules for each service
|
||||
# will allow us to compose and should work fine.
|
||||
#
|
||||
# Each service can load its rules by using this form:
|
||||
#
|
||||
# tripleo.<service name with underscores>.firewall_rules:
|
||||
# '300 allow custom application 1':
|
||||
# dport: 999
|
||||
# proto: udp
|
||||
# action: accept
|
||||
$service_names = hiera('service_names', [])
|
||||
tripleo::firewall::service_rules { $service_names: }
|
||||
|
||||
|
||||
# puppetlabs-firewall only manages the current state of iptables
|
||||
# rules and writes out the rules to a file to ensure they are
|
||||
# persisted. We are specifically running the following commands after the
|
||||
# iptables rules to ensure the persisted file does not contain any
|
||||
# ephemeral neutron rules. Neutron assumes the iptables rules are not
|
||||
# persisted so it may cause an issue if the rule is loaded on boot
|
||||
# (or via iptables restart). If an operator needs to reload iptables
|
||||
# for any reason, they may need to manually reload the appropriate
|
||||
# neutron agent to restore these iptables rules.
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1541528
|
||||
exec { 'nonpersistent_v4_rules_cleanup':
|
||||
command => '/bin/sed -i /neutron-/d /etc/sysconfig/iptables',
|
||||
onlyif => '/bin/test -f /etc/sysconfig/iptables && /bin/grep -q neutron- /etc/sysconfig/iptables',
|
||||
}
|
||||
exec { 'nonpersistent_v6_rules_cleanup':
|
||||
command => '/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables',
|
||||
onlyif => '/bin/test -f /etc/sysconfig/ip6tables && /bin/grep -q neutron- /etc/sysconfig/ip6tables',
|
||||
}
|
||||
|
||||
# Do not persist ephemeral firewall rules mananged by ironic-inspector
|
||||
# pxe_filter 'iptables' driver.
|
||||
# https://bugs.launchpad.net/tripleo/+bug/1765700
|
||||
# https://storyboard.openstack.org/#!/story/2001890
|
||||
exec { 'nonpersistent_ironic_inspector_pxe_filter_v4_rules_cleanup':
|
||||
command => '/bin/sed -i "/-m comment --comment.*ironic-inspector/p;/ironic-inspector/d" /etc/sysconfig/iptables',
|
||||
onlyif => [
|
||||
'/bin/test -f /etc/sysconfig/iptables',
|
||||
'/bin/grep -v "\-m comment \--comment" /etc/sysconfig/iptables | /bin/grep -q ironic-inspector'
|
||||
]
|
||||
}
|
||||
exec { 'nonpersistent_ironic_inspector_pxe_filter_v6_rules_cleanup':
|
||||
command => '/bin/sed -i "/-m comment --comment.*ironic-inspector/p;/ironic-inspector/d" /etc/sysconfig/ip6tables',
|
||||
onlyif => [
|
||||
'/bin/test -f /etc/sysconfig/ip6tables',
|
||||
'/bin/grep -v "\-m comment \--comment" /etc/sysconfig/ip6tables | /bin/grep -q ironic-inspector'
|
||||
]
|
||||
}
|
||||
|
||||
Exec['save ipv4 rules'] -> Firewall<| |>
|
||||
Exec['save ipv6 rules'] -> Firewall<| |>
|
||||
Firewall<| |> -> Exec['nonpersistent_v4_rules_cleanup']
|
||||
Firewall<| |> -> Exec['nonpersistent_v6_rules_cleanup']
|
||||
Firewall<| |> -> Exec['nonpersistent_ironic_inspector_pxe_filter_v4_rules_cleanup']
|
||||
Firewall<| |> -> Exec['nonpersistent_ironic_inspector_pxe_filter_v6_rules_cleanup']
|
||||
}
|
||||
}
|
|
@ -1,65 +0,0 @@
|
|||
#
|
||||
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::firewall::post
|
||||
#
|
||||
# Firewall rules during 'post' Puppet stage
|
||||
#
|
||||
# === Parameters:
|
||||
#
|
||||
# [*debug*]
|
||||
# (optional) Set log output to debug output
|
||||
# Defaults to false
|
||||
#
|
||||
# [*firewall_settings*]
|
||||
# (optional) Allow to add custom parameters to firewall rules
|
||||
# Should be a hash.
|
||||
# Default to {}
|
||||
#
|
||||
# [*logging_settings*]
|
||||
# (optional) Allow to add custom parameters to the logging firewall rule
|
||||
# Should be a hash.
|
||||
# Default to {}
|
||||
#
|
||||
class tripleo::firewall::post(
|
||||
$debug = false,
|
||||
$firewall_settings = {},
|
||||
$logging_settings = {},
|
||||
){
|
||||
|
||||
if $debug {
|
||||
warning('debug is enabled, the traffic is not blocked.')
|
||||
} else {
|
||||
$default_logging_extras = {
|
||||
'burst' => '15',
|
||||
'limit' => '20/min',
|
||||
}
|
||||
$logging_extras = merge($default_logging_extras, $logging_settings)
|
||||
tripleo::firewall::rule{ '998 log all':
|
||||
proto => 'all',
|
||||
jump => 'LOG',
|
||||
tag => 'tripleo-firewall-postrule',
|
||||
extras => $logging_extras,
|
||||
}
|
||||
tripleo::firewall::rule{ '999 drop all':
|
||||
proto => 'all',
|
||||
action => 'drop',
|
||||
extras => $firewall_settings,
|
||||
tag => 'tripleo-firewall-postrule',
|
||||
}
|
||||
notice('At this stage, all network traffic is blocked.')
|
||||
}
|
||||
|
||||
}
|
|
@ -1,62 +0,0 @@
|
|||
#
|
||||
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::firewall::pre
|
||||
#
|
||||
# Firewall rules during 'pre' Puppet stage
|
||||
#
|
||||
# === Parameters:
|
||||
#
|
||||
# [*firewall_settings*]
|
||||
# (optional) Allow to add custom parameters to firewall rules
|
||||
# Should be an hash.
|
||||
# Default to {}
|
||||
#
|
||||
class tripleo::firewall::pre(
|
||||
$firewall_settings = {},
|
||||
){
|
||||
|
||||
# ensure the correct packages are installed
|
||||
include firewall
|
||||
|
||||
# defaults 'pre' rules
|
||||
tripleo::firewall::rule{ '000 accept related established rules':
|
||||
proto => 'all',
|
||||
state => ['RELATED', 'ESTABLISHED'],
|
||||
extras => $firewall_settings,
|
||||
tag => 'tripleo-firewall-prerule',
|
||||
}
|
||||
|
||||
tripleo::firewall::rule{ '001 accept all icmp':
|
||||
proto => 'icmp',
|
||||
extras => $firewall_settings,
|
||||
tag => 'tripleo-firewall-prerule',
|
||||
}
|
||||
|
||||
tripleo::firewall::rule{ '002 accept all to lo interface':
|
||||
proto => 'all',
|
||||
iniface => 'lo',
|
||||
extras => $firewall_settings,
|
||||
tag => 'tripleo-firewall-prerule',
|
||||
}
|
||||
|
||||
tripleo::firewall::rule{ '004 accept ipv6 dhcpv6':
|
||||
dport => '546',
|
||||
proto => 'udp',
|
||||
state => ['NEW'],
|
||||
destination => 'fe80::/64',
|
||||
tag => 'tripleo-firewall-prerule',
|
||||
}
|
||||
}
|
|
@ -1,42 +0,0 @@
|
|||
# Copyright 2016 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Define: tripleo::firewall::service_rules
|
||||
#
|
||||
# Define used to create firewall rules for composable services.
|
||||
#
|
||||
# === Parameters:
|
||||
#
|
||||
# [*service_name*]
|
||||
# (optional) The service_name to load firewall rules for.
|
||||
# Defaults to $title
|
||||
#
|
||||
define tripleo::firewall::service_rules ($service_name = $title) {
|
||||
|
||||
$underscore_name = regsubst($service_name, '-', '_')
|
||||
|
||||
# This allows each composable service to load its own custom rules by
|
||||
# creating its own flat hiera key named:
|
||||
# tripleo.<service name with underscores>.firewall_rules
|
||||
$dots_rules = hiera("'tripleo.${underscore_name}.firewall_rules'", {})
|
||||
|
||||
# Supports standard "::" notation:
|
||||
# tripleo::<service name with underscores>::firewall_rules
|
||||
$colons_rules = hiera("tripleo::${underscore_name}::firewall_rules", {})
|
||||
|
||||
# merge rules
|
||||
$firewall_rules = merge($colons_rules, $dots_rules)
|
||||
|
||||
create_resources('tripleo::firewall::rule', $firewall_rules)
|
||||
}
|
|
@ -78,11 +78,6 @@
|
|||
# Can be "user" or "admin"
|
||||
# Defaults to "user"
|
||||
#
|
||||
# [*manage_firewall*]
|
||||
# (optional) Enable or disable firewall settings for ports exposed by HAProxy
|
||||
# (false means disabled, and true means enabled)
|
||||
# Defaults to hiera('tripleo::firewall::manage_firewall', true)
|
||||
#
|
||||
# [*controller_hosts*]
|
||||
# IPs of host or group of hosts to load-balance the services
|
||||
# Can be a string or an array.
|
||||
|
@ -543,7 +538,6 @@ class tripleo::haproxy (
|
|||
$haproxy_stats_user = 'admin',
|
||||
$haproxy_stats_password = undef,
|
||||
$haproxy_stats_bind_address = undef,
|
||||
$manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
|
||||
$controller_hosts = hiera('controller_node_ips'),
|
||||
$controller_hosts_names = hiera('controller_node_names', undef),
|
||||
$service_certificate = undef,
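Review bot: Removing the `manage_firewall` parameter from `tripleo::haproxy` is a breaking interface change for any out-of-tree declaration that still passes `manage_firewall =>`; Puppet should reject the unknown class parameter at catalog compile, while an operator's hiera key `tripleo::haproxy::manage_firewall` (or the `tripleo::firewall::manage_firewall` key the default read) is now silently ignored rather than honoured. The deleted rules in this file were the only place in the module that opened the HAProxy frontend, MySQL (3306) and Redis (6379) ports, and the removed `tripleo::firewall::post` class was what installed the `999 drop all` default-deny; nothing in this commit shows what takes over, so until the replacement firewall manager is confirmed enabled a node upgraded with this change is left with whatever iptables-services ships (the removed comment notes that ruleset opens SSH to the world). A short note in the class header would make the hand-off explicit, e.g. `# NOTE: firewall rules for the ports exposed by HAProxy are no longer managed by this class; the deployment's firewall tooling must open them and keep a default-deny policy.` The class body continues outside the hunk.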
|
||||
|
@ -787,7 +781,6 @@ class tripleo::haproxy (
|
|||
listen_options => $default_listen_options,
|
||||
frontend_options => $default_frontend_options,
|
||||
backend_options => $default_backend_options,
|
||||
manage_firewall => $manage_firewall,
|
||||
}
|
||||
|
||||
$service_names = hiera('enabled_services', [])
|
||||
|
@ -1314,7 +1307,6 @@ class tripleo::haproxy (
|
|||
use_internal_certificates => $use_internal_certificates,
|
||||
internal_certificates_specs => $internal_certificates_specs,
|
||||
service_network => $horizon_network,
|
||||
manage_firewall => $manage_firewall,
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1510,15 +1502,6 @@ class tripleo::haproxy (
|
|||
server_names => $mysql_server_names_real,
|
||||
options => $mysql_member_options_real,
|
||||
}
|
||||
if $manage_firewall {
|
||||
include tripleo::firewall
|
||||
$mysql_firewall_rules = {
|
||||
'100 mysql_haproxy' => {
|
||||
'dport' => 3306,
|
||||
}
|
||||
}
|
||||
create_resources('tripleo::firewall::rule', $mysql_firewall_rules)
|
||||
}
|
||||
}
|
||||
|
||||
if $rabbitmq {
|
||||
|
@ -1656,15 +1639,6 @@ class tripleo::haproxy (
|
|||
options => union($haproxy_member_options, ['on-marked-down shutdown-sessions'], $redis_ssl_member_options),
|
||||
verifyhost => false,
|
||||
}
|
||||
if $manage_firewall {
|
||||
include tripleo::firewall
|
||||
$redis_firewall_rules = {
|
||||
'100 redis_haproxy' => {
|
||||
'dport' => 6379,
|
||||
}
|
||||
}
|
||||
create_resources('tripleo::firewall::rule', $redis_firewall_rules)
|
||||
}
|
||||
}
|
||||
|
||||
if $ceph_rgw {
|
||||
|
|
|
@ -111,11 +111,6 @@
|
|||
# fetching the certificate for that specific network.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*manage_firewall*]
|
||||
# (optional) Enable or disable firewall settings for ports exposed by HAProxy
|
||||
# (false means disabled, and true means enabled)
|
||||
# Defaults to hiera('tripleo::firewall::manage_firewall', true)
|
||||
#
|
||||
# [*authorized_userlist*]
|
||||
# (optional) Userlist that may access the endpoint. Activate Basic Authentication.
|
||||
# You'll need to create a tripleo::haproxy::userlist in order to use that option.
|
||||
|
@ -154,7 +149,6 @@ define tripleo::haproxy::endpoint (
|
|||
$use_internal_certificates = false,
|
||||
$internal_certificates_specs = {},
|
||||
$service_network = undef,
|
||||
$manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
|
||||
$authorized_userlist = undef,
|
||||
$sticky_sessions = false,
|
||||
$session_cookie = 'STICKYSESSION',
|
||||
|
@ -320,41 +314,4 @@ define tripleo::haproxy::endpoint (
|
|||
options => $member_options,
|
||||
}
|
||||
}
|
||||
|
||||
if $manage_firewall {
|
||||
include tripleo::firewall
|
||||
# This block will construct firewall rules only when we specify
|
||||
# a port for the regular service and also the ssl port for the service.
|
||||
# It makes sure we're not trying to create TCP iptables rules where no port
|
||||
# is specified.
|
||||
if $service_port_real {
|
||||
$service_firewall_rules = {
|
||||
"100 ${name}_haproxy" => {
|
||||
'dport' => $service_port_real,
|
||||
},
|
||||
}
|
||||
}
|
||||
if $service_port_real != $haproxy_port_real {
|
||||
$haproxy_firewall_rules = {
|
||||
"100 ${name}_haproxy_frontend" => {
|
||||
'dport' => $haproxy_port_real,
|
||||
},
|
||||
}
|
||||
} else {
|
||||
$haproxy_firewall_rules = {}
|
||||
}
|
||||
if $public_ssl_port {
|
||||
$haproxy_ssl_firewall_rules = {
|
||||
"100 ${name}_haproxy_ssl" => {
|
||||
'dport' => $public_ssl_port,
|
||||
},
|
||||
}
|
||||
} else {
|
||||
$haproxy_ssl_firewall_rules = {}
|
||||
}
|
||||
$firewall_rules = merge($service_firewall_rules, $haproxy_firewall_rules, $haproxy_ssl_firewall_rules)
|
||||
if $service_port_real or $public_ssl_port {
|
||||
create_resources('tripleo::firewall::rule', $firewall_rules)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -71,11 +71,6 @@
|
|||
# fetching the certificate for that specific network.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*manage_firewall*]
|
||||
# (optional) Enable or disable firewall settings for ports exposed by HAProxy
|
||||
# (false means disabled, and true means enabled)
|
||||
# Defaults to hiera('tripleo::firewall::manage_firewall', true)
|
||||
#
|
||||
class tripleo::haproxy::horizon_endpoint (
|
||||
$internal_ip,
|
||||
$ip_addresses,
|
||||
|
@ -88,7 +83,6 @@ class tripleo::haproxy::horizon_endpoint (
|
|||
$use_internal_certificates = false,
|
||||
$internal_certificates_specs = {},
|
||||
$service_network = undef,
|
||||
$manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
|
||||
) {
|
||||
# Let users override the options on a per-service basis
|
||||
$custom_options = hiera('tripleo::haproxy::horizon::options', undef)
|
||||
|
@ -193,25 +187,4 @@ class tripleo::haproxy::horizon_endpoint (
|
|||
options => union($member_options, ["cookie ${server}"]),
|
||||
}
|
||||
}
|
||||
if $manage_firewall {
|
||||
include tripleo::firewall
|
||||
$haproxy_horizon_firewall_rules = {
|
||||
'100 horizon_haproxy' => {
|
||||
'dport' => 80,
|
||||
},
|
||||
}
|
||||
if $public_certificate {
|
||||
$haproxy_horizon_ssl_firewall_rules = {
|
||||
'100 horizon_haproxy_ssl' => {
|
||||
'dport' => 443,
|
||||
},
|
||||
}
|
||||
} else {
|
||||
$haproxy_horizon_ssl_firewall_rules = {}
|
||||
}
|
||||
$horizon_firewall_rules = merge($haproxy_horizon_firewall_rules, $haproxy_horizon_ssl_firewall_rules)
|
||||
if !empty($horizon_firewall_rules) {
|
||||
create_resources('tripleo::firewall::rule', $horizon_firewall_rules)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -36,11 +36,6 @@
|
|||
# (Optional) Whether or not loadbalancer is enabled.
|
||||
# Defaults to hiera('enable_load_balancer', true).
|
||||
#
|
||||
# [*manage_firewall*]
|
||||
# (optional) Enable or disable firewall settings for ports exposed by HAProxy
|
||||
# (false means disabled, and true means enabled)
|
||||
# Defaults to hiera('tripleo::firewall::manage_firewall', true)
|
||||
#
|
||||
# [*step*]
|
||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||
# for more details.
|
||||
|
@ -49,14 +44,12 @@
|
|||
class tripleo::profile::base::haproxy (
|
||||
$certificates_specs = {},
|
||||
$enable_load_balancer = hiera('enable_load_balancer', true),
|
||||
$manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
|
||||
$step = Integer(hiera('step')),
|
||||
) {
|
||||
if $step >= 1 {
|
||||
if $enable_load_balancer {
|
||||
class {'tripleo::haproxy':
|
||||
internal_certificates_specs => $certificates_specs,
|
||||
manage_firewall => $manage_firewall,
|
||||
}
|
||||
|
||||
unless hiera('tripleo::haproxy::haproxy_service_manage', true) {
|
||||
|
|
|
@ -1,226 +0,0 @@
|
|||
#
|
||||
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# Unit tests for tripleo
|
||||
#
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
describe 'tripleo::firewall' do
|
||||
|
||||
let :params do
|
||||
{ }
|
||||
end
|
||||
|
||||
shared_examples_for 'tripleo::firewall' do
|
||||
|
||||
context 'with firewall enabled' do
|
||||
before :each do
|
||||
params.merge!(
|
||||
:manage_firewall => true,
|
||||
)
|
||||
end
|
||||
|
||||
it 'configure basic pre firewall rules' do
|
||||
is_expected.to contain_firewall('000 accept related established rules ipv4').with(
|
||||
:proto => 'all',
|
||||
:state => ['RELATED', 'ESTABLISHED'],
|
||||
:action => 'accept',
|
||||
)
|
||||
is_expected.to contain_firewall('000 accept related established rules ipv6').with(
|
||||
:proto => 'all',
|
||||
:state => ['RELATED', 'ESTABLISHED'],
|
||||
:action => 'accept',
|
||||
:provider => 'ip6tables',
|
||||
)
|
||||
is_expected.to contain_firewall('001 accept all icmp ipv4').with(
|
||||
:proto => 'icmp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
)
|
||||
is_expected.to contain_firewall('001 accept all icmp ipv6').with(
|
||||
:proto => 'ipv6-icmp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:provider => 'ip6tables',
|
||||
)
|
||||
is_expected.to contain_firewall('002 accept all to lo interface ipv4').with(
|
||||
:proto => 'all',
|
||||
:iniface => 'lo',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
)
|
||||
is_expected.to contain_firewall('002 accept all to lo interface ipv6').with(
|
||||
:proto => 'all',
|
||||
:iniface => 'lo',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:provider => 'ip6tables',
|
||||
)
|
||||
end
|
||||
|
||||
it 'configure basic post firewall rules' do
|
||||
is_expected.to contain_firewall('999 drop all ipv4').with(
|
||||
:proto => 'all',
|
||||
:action => 'drop',
|
||||
)
|
||||
is_expected.to contain_firewall('999 drop all ipv6').with(
|
||||
:proto => 'all',
|
||||
:action => 'drop',
|
||||
:provider => 'ip6tables',
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
context 'with custom firewall rules' do
|
||||
before :each do
|
||||
params.merge!(
|
||||
:manage_firewall => true,
|
||||
:firewall_rules => {
|
||||
'300 add custom application 1' => {'port' => '999', 'proto' => 'udp', 'action' => 'accept'},
|
||||
'301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'},
|
||||
'302 fwd custom cidr 1' => {'port' => 'all', 'chain' => 'FORWARD', 'destination' => '192.0.2.0/24'},
|
||||
'303 add custom application 3' => {'dport' => '8081', 'proto' => 'tcp', 'action' => 'accept'},
|
||||
'304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'},
|
||||
'305 add gre rule' => {'proto' => 'gre'},
|
||||
'306 add custom cidr 2' => {'port' => 'all', 'destination' => '::1/24'},
|
||||
'307 add custom nat rule' => {'table' => 'nat', 'source' => '192.168.0.0/24', 'destination' => '192.168.0.0/24', 'jump' => 'RETURN'},
|
||||
'308 add custom INPUT v4' => {'ipversion' => 'ipv4', 'port' => '67', 'proto' => 'udp', 'chain' => 'INPUT', 'action' => 'accept'},
|
||||
'309 add custom INPUT v6' => {'ipversion' => 'ipv6', 'port' => '546', 'proto' => 'udp', 'chain' => 'INPUT', 'action' => 'accept'},
|
||||
}
|
||||
)
|
||||
end
|
||||
it 'configure custom firewall rules' do
|
||||
is_expected.to contain_firewall('300 add custom application 1 ipv4').with(
|
||||
:port => '999',
|
||||
:proto => 'udp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:provider => 'iptables',
|
||||
)
|
||||
is_expected.to contain_firewall('301 add custom application 2 ipv4').with(
|
||||
:port => '8081',
|
||||
:proto => 'tcp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:provider => 'iptables',
|
||||
)
|
||||
is_expected.to contain_firewall('302 fwd custom cidr 1 ipv4').with(
|
||||
:chain => 'FORWARD',
|
||||
:proto => 'tcp',
|
||||
:destination => '192.0.2.0/24',
|
||||
:provider => 'iptables',
|
||||
)
|
||||
is_expected.to_not contain_firewall('302 fwd custom cidr 1 ipv6')
|
||||
is_expected.to contain_firewall('303 add custom application 3 ipv4').with(
|
||||
:dport => '8081',
|
||||
:proto => 'tcp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:provider => 'iptables',
|
||||
)
|
||||
is_expected.to contain_firewall('304 add custom application 4 ipv4').with(
|
||||
:sport => '1000',
|
||||
:proto => 'tcp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:provider => 'iptables',
|
||||
)
|
||||
is_expected.to contain_firewall('304 add custom application 4 ipv6').with(
|
||||
:sport => '1000',
|
||||
:proto => 'tcp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:provider => 'ip6tables',
|
||||
)
|
||||
is_expected.to contain_firewall('305 add gre rule ipv4').without(:state)
|
||||
is_expected.to contain_firewall('306 add custom cidr 2 ipv6').with(
|
||||
:proto => 'tcp',
|
||||
:destination => '::1/24',
|
||||
:action => 'accept',
|
||||
:provider => 'ip6tables',
|
||||
)
|
||||
is_expected.to contain_firewall('307 add custom nat rule ipv4').with(
|
||||
:destination => '192.168.0.0/24',
|
||||
:source => '192.168.0.0/24',
|
||||
:jump => 'RETURN',
|
||||
:table => 'nat',
|
||||
:provider => 'iptables',
|
||||
)
|
||||
is_expected.to contain_firewall('308 add custom INPUT v4 ipv4').with(
|
||||
:chain => 'INPUT',
|
||||
:port => '67',
|
||||
:proto => 'udp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:provider => 'iptables',
|
||||
)
|
||||
is_expected.to contain_firewall('309 add custom INPUT v6 ipv6').with(
|
||||
:chain => 'INPUT',
|
||||
:port => '546',
|
||||
:proto => 'udp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:provider => 'ip6tables',
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
context 'with TCP rule without port or dport or sport specified' do
|
||||
before :each do
|
||||
params.merge!(
|
||||
:manage_firewall => true,
|
||||
:firewall_rules => {
|
||||
'500 wrong tcp rule' => {'proto' => 'tcp', 'action' => 'accept'},
|
||||
}
|
||||
)
|
||||
end
|
||||
it_raises 'a Puppet::Error', /500 wrong tcp rule firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport./
|
||||
end
|
||||
|
||||
context 'with firewall chain' do
|
||||
before :each do
|
||||
params.merge!(
|
||||
:manage_firewall => true,
|
||||
:firewall_chains => {
|
||||
'FORWARD:filter:IPv4' => {
|
||||
'ensure' => 'present',
|
||||
'policy' => 'accept',
|
||||
'purge' => false
|
||||
}
|
||||
})
|
||||
end
|
||||
|
||||
it {
|
||||
is_expected.to contain_firewallchain('FORWARD:filter:IPv4').with(
|
||||
'ensure' => 'present',
|
||||
'policy' => 'accept',
|
||||
'purge' => false)
|
||||
}
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
on_supported_os.each do |os, facts|
|
||||
context "on #{os}" do
|
||||
let(:facts) do
|
||||
facts.merge(OSDefaults.get_facts({ :hostname => 'node.example.com' }))
|
||||
end
|
||||
|
||||
it_behaves_like 'tripleo::firewall'
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,37 +0,0 @@
|
|||
require 'spec_helper'
|
||||
|
||||
describe 'tripleo::firewall::service_rules' do
|
||||
|
||||
|
||||
let :pre_condition do
|
||||
'include tripleo::firewall'
|
||||
end
|
||||
|
||||
shared_examples_for 'tripleo firewall service rules' do
|
||||
context 'with existing service_rules' do
|
||||
let(:title) { 'dynamic-rules' }
|
||||
it 'should compile' do
|
||||
is_expected.to compile.with_all_deps
|
||||
end
|
||||
it 'should configure firewall' do
|
||||
is_expected.to contain_tripleo__firewall__rule('11-neutron')
|
||||
end
|
||||
end
|
||||
context 'with NON-existing service_rules' do
|
||||
let(:title) { 'no-rules' }
|
||||
it 'should compile' do
|
||||
is_expected.to compile.with_all_deps
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os.each do |os, facts|
|
||||
context "on #{os}" do
|
||||
let(:facts) do
|
||||
facts.merge(OSDefaults.get_facts({ :hostname => 'node.example.com' }))
|
||||
end
|
||||
|
||||
it_behaves_like 'tripleo firewall service rules'
|
||||
end
|
||||
end
|
||||
end
|