Merge "Adds IPv6 support to auto security group"
This commit is contained in:
commit
5cd46ad66b
@ -205,37 +205,55 @@ class ClusterStack(object):
|
|||||||
security_group_description = (
|
security_group_description = (
|
||||||
"Auto security group created by Sahara for Node Group "
|
"Auto security group created by Sahara for Node Group "
|
||||||
"'%s' of cluster '%s'." % (ng.name, ng.cluster.name))
|
"'%s' of cluster '%s'." % (ng.name, ng.cluster.name))
|
||||||
rules = self._serialize_auto_security_group_rules(ng)
|
|
||||||
|
if CONF.use_neutron:
|
||||||
|
res_type = "OS::Neutron::SecurityGroup"
|
||||||
|
desc_key = "description"
|
||||||
|
rules_key = "rules"
|
||||||
|
create_rule = lambda ip_version, cidr, proto, from_port, to_port: {
|
||||||
|
"ethertype": "IPv{}".format(ip_version),
|
||||||
|
"remote_ip_prefix": cidr,
|
||||||
|
"protocol": proto,
|
||||||
|
"port_range_min": six.text_type(from_port),
|
||||||
|
"port_range_max": six.text_type(to_port)}
|
||||||
|
else:
|
||||||
|
res_type = "AWS::EC2::SecurityGroup"
|
||||||
|
desc_key = "GroupDescription"
|
||||||
|
rules_key = "SecurityGroupIngress"
|
||||||
|
create_rule = lambda _, cidr, proto, from_port, to_port: {
|
||||||
|
"CidrIp": cidr,
|
||||||
|
"IpProtocol": proto,
|
||||||
|
"FromPort": six.text_type(from_port),
|
||||||
|
"ToPort": six.text_type(to_port)}
|
||||||
|
|
||||||
|
rules = self._serialize_auto_security_group_rules(ng, create_rule)
|
||||||
|
|
||||||
return {
|
return {
|
||||||
security_group_name: {
|
security_group_name: {
|
||||||
"type": "AWS::EC2::SecurityGroup",
|
"type": res_type,
|
||||||
"properties": {
|
"properties": {
|
||||||
"GroupDescription": security_group_description,
|
desc_key: security_group_description,
|
||||||
"SecurityGroupIngress": rules
|
rules_key: rules
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
def _serialize_auto_security_group_rules(self, ng):
|
def _serialize_auto_security_group_rules(self, ng, create_rule):
|
||||||
create_rule = lambda cidr, proto, from_port, to_port: {
|
|
||||||
"CidrIp": cidr,
|
|
||||||
"IpProtocol": proto,
|
|
||||||
"FromPort": six.text_type(from_port),
|
|
||||||
"ToPort": six.text_type(to_port)}
|
|
||||||
|
|
||||||
rules = []
|
rules = []
|
||||||
for port in ng.open_ports:
|
for port in ng.open_ports:
|
||||||
rules.append(create_rule('0.0.0.0/0', 'tcp', port, port))
|
rules.append(create_rule(4, '0.0.0.0/0', 'tcp', port, port))
|
||||||
|
rules.append(create_rule(6, '::/0', 'tcp', port, port))
|
||||||
|
|
||||||
rules.append(create_rule('0.0.0.0/0', 'tcp', SSH_PORT, SSH_PORT))
|
rules.append(create_rule(4, '0.0.0.0/0', 'tcp', SSH_PORT, SSH_PORT))
|
||||||
|
rules.append(create_rule(6, '::/0', 'tcp', SSH_PORT, SSH_PORT))
|
||||||
|
|
||||||
# open all traffic for private networks
|
# open all traffic for private networks
|
||||||
if CONF.use_neutron:
|
if CONF.use_neutron:
|
||||||
for cidr in neutron.get_private_network_cidrs(ng.cluster):
|
for cidr in neutron.get_private_network_cidrs(ng.cluster):
|
||||||
|
ip_ver = 6 if ':' in cidr else 4
|
||||||
for protocol in ['tcp', 'udp']:
|
for protocol in ['tcp', 'udp']:
|
||||||
rules.append(create_rule(cidr, protocol, 1, 65535))
|
rules.append(create_rule(ip_ver, cidr, protocol, 1, 65535))
|
||||||
rules.append(create_rule(cidr, 'icmp', -1, -1))
|
rules.append(create_rule(ip_ver, cidr, 'icmp', 0, 255))
|
||||||
|
|
||||||
return rules
|
return rules
|
||||||
|
|
||||||
|
@ -13,6 +13,9 @@
|
|||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
|
import mock
|
||||||
|
|
||||||
|
from sahara.conductor import resource as r
|
||||||
from sahara.service.heat import templates as h
|
from sahara.service.heat import templates as h
|
||||||
from sahara.tests.unit import base
|
from sahara.tests.unit import base
|
||||||
from sahara.tests.unit import testutils as tu
|
from sahara.tests.unit import testutils as tu
|
||||||
@ -93,6 +96,71 @@ class TestClusterTemplate(base.SaharaWithDbTestCase):
|
|||||||
actual = heat_template._get_security_groups(ng2)
|
actual = heat_template._get_security_groups(ng2)
|
||||||
self.assertEqual(expected, actual)
|
self.assertEqual(expected, actual)
|
||||||
|
|
||||||
|
def _generate_auto_security_group_template(self, use_neutron):
|
||||||
|
self.override_config('use_neutron', use_neutron)
|
||||||
|
ng1, ng2 = self._make_node_groups('floating')
|
||||||
|
cluster = self._make_cluster('private_net', ng1, ng2)
|
||||||
|
ng1['cluster'] = cluster
|
||||||
|
ng2['cluster'] = cluster
|
||||||
|
ng1 = r.NodeGroupResource(ng1)
|
||||||
|
ng2 = r.NodeGroupResource(ng2)
|
||||||
|
heat_template = self._make_heat_template(cluster, ng1, ng2)
|
||||||
|
return heat_template._serialize_auto_security_group(ng1)
|
||||||
|
|
||||||
|
@mock.patch('sahara.utils.openstack.neutron.get_private_network_cidrs')
|
||||||
|
def test_serialize_auto_security_group_neutron(self, patched):
|
||||||
|
ipv4_cidr = '192.168.0.0/24'
|
||||||
|
ipv6_cidr = 'fe80::/64'
|
||||||
|
patched.side_effect = lambda cluster: [ipv4_cidr, ipv6_cidr]
|
||||||
|
expected_rules = [
|
||||||
|
('0.0.0.0/0', 'IPv4', 'tcp', '22', '22'),
|
||||||
|
('::/0', 'IPv6', 'tcp', '22', '22'),
|
||||||
|
(ipv4_cidr, 'IPv4', 'tcp', '1', '65535'),
|
||||||
|
(ipv4_cidr, 'IPv4', 'udp', '1', '65535'),
|
||||||
|
(ipv4_cidr, 'IPv4', 'icmp', '0', '255'),
|
||||||
|
(ipv6_cidr, 'IPv6', 'tcp', '1', '65535'),
|
||||||
|
(ipv6_cidr, 'IPv6', 'udp', '1', '65535'),
|
||||||
|
(ipv6_cidr, 'IPv6', 'icmp', '0', '255'),
|
||||||
|
]
|
||||||
|
expected = {'cluster-master-1': {
|
||||||
|
'type': 'OS::Neutron::SecurityGroup',
|
||||||
|
'properties': {
|
||||||
|
'description': 'Auto security group created by Sahara '
|
||||||
|
'for Node Group \'master\' of cluster \'cluster\'.',
|
||||||
|
'rules': [{
|
||||||
|
'remote_ip_prefix': rule[0],
|
||||||
|
'ethertype': rule[1],
|
||||||
|
'protocol': rule[2],
|
||||||
|
'port_range_min': rule[3],
|
||||||
|
'port_range_max': rule[4]
|
||||||
|
} for rule in expected_rules]
|
||||||
|
}
|
||||||
|
}}
|
||||||
|
actual = self._generate_auto_security_group_template(True)
|
||||||
|
self.assertEqual(expected, actual)
|
||||||
|
|
||||||
|
def test_serialize_auto_security_group_nova_network(self):
|
||||||
|
expected = {'cluster-master-1': {
|
||||||
|
'type': 'AWS::EC2::SecurityGroup',
|
||||||
|
'properties': {
|
||||||
|
'GroupDescription': 'Auto security group created by Sahara'
|
||||||
|
' for Node Group \'master\' of cluster \'cluster\'.',
|
||||||
|
'SecurityGroupIngress': [{
|
||||||
|
'ToPort': '22',
|
||||||
|
'CidrIp': '0.0.0.0/0',
|
||||||
|
'FromPort': '22',
|
||||||
|
'IpProtocol': 'tcp'
|
||||||
|
}, {
|
||||||
|
'ToPort': '22',
|
||||||
|
'CidrIp': '::/0',
|
||||||
|
'FromPort': '22',
|
||||||
|
'IpProtocol': 'tcp'
|
||||||
|
}]
|
||||||
|
}
|
||||||
|
}}
|
||||||
|
actual = self._generate_auto_security_group_template(False)
|
||||||
|
self.assertEqual(expected, actual)
|
||||||
|
|
||||||
|
|
||||||
def get_ud_generator(s):
|
def get_ud_generator(s):
|
||||||
def generator(*args, **kwargs):
|
def generator(*args, **kwargs):
|
||||||
|
Loading…
Reference in New Issue
Block a user