tripleo_firewall: Allow injecting frontend rules
This change introduces new variables to define the firewall rules for
haproxy frontend.
When an API service is enabled, we should add the proper firewall rule not
only on the node where the API service is running, but also on
the loadbalancer node where haproxy is running; otherwise the haproxy
frontend port is not reachable.
The new variables are used once [1] is merged.
[1] https://review.opendev.org/c/openstack/tripleo-heat-templates/+/831549
Related-Bug: #1961799
Change-Id: I9d79df8a8d0eaf77166b296178b9b0622263998d
(cherry picked from commit f2760f5de3
)
parent
47d0ab588f
commit
3267287fab
|
@ -31,6 +31,20 @@
|
|||
# ensure: 'absent'
|
||||
tripleo_firewall_rules: {}
|
||||
|
||||
tripleo_firewall_frontend_enabled: false
|
||||
|
||||
tripleo_firewall_frontend_rules: {}
|
||||
|
||||
tripleo_firewall_ssl_frontend_enabled: false
|
||||
|
||||
tripleo_firewall_ssl_frontend_rules: {}
|
||||
|
||||
tripleo_firewall_edge_frontend_enabled: false
|
||||
|
||||
tripleo_firewall_edge_frontend_rules: {}
|
||||
|
||||
tripleo_firewall_edge_ssl_frontend_rules: {}
|
||||
|
||||
tripleo_firewall_default_rules:
|
||||
'000 accept related established rules':
|
||||
proto: all
|
||||
|
|
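Review bot: The eight variables added between `tripleo_firewall_rules` and `tripleo_firewall_default_rules` carry no comment on their shape or on when they take effect, although the existing entry directly above documents its `ensure: 'absent'` form. From the accompanying tasks, these are rule-name to rule mappings merged into the node's ruleset only when `tripleo_firewall_frontend_enabled` is true; the `edge_*` mappings replace the non-edge ones when `tripleo_firewall_edge_frontend_enabled` is true, and the `*_ssl_*` mappings additionally require `tripleo_firewall_ssl_frontend_enabled`, with no separate `tripleo_firewall_edge_ssl_frontend_enabled`, which a reader of the defaults alone would expect to exist. I would add a short comment block above `tripleo_firewall_frontend_enabled` stating those three gating rules and that each value is a mapping in the same rule format as `tripleo_firewall_rules`. The `tripleo_firewall_default_rules` mapping continues past the end of this hunk.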
|
@ -31,11 +31,55 @@
|
|||
- name: Get masquerade rules
|
||||
import_tasks: masquerade.yaml
|
||||
|
||||
- name: Set the default frontend firewall rules
|
||||
set_fact:
|
||||
tripleo_firewall_frontend_rules_real: {}
|
||||
|
||||
- name: When frontend rules are required
|
||||
when: tripleo_firewall_frontend_enabled
|
||||
block:
|
||||
- name: Not in edge site
|
||||
when: not tripleo_firewall_edge_frontend_enabled
|
||||
block:
|
||||
- name: Set frontend rule fact (non-ssl rules)
|
||||
set_fact:
|
||||
tripleo_firewall_frontend_rules_real: "{{
|
||||
tripleo_firewall_frontend_rules_real |
|
||||
combine(tripleo_firewall_frontend_rules)
|
||||
}}"
|
||||
|
||||
- name: Set frontend rule fact (ssl rules)
|
||||
when: tripleo_firewall_ssl_frontend_enabled
|
||||
set_fact:
|
||||
tripleo_firewall_frontend_rules_real: "{{
|
||||
tripleo_firewall_frontend_rules_real |
|
||||
combine(tripleo_firewall_ssl_frontend_rules)
|
||||
}}"
|
||||
|
||||
- name: In edge site
|
||||
when: tripleo_firewall_edge_frontend_enabled
|
||||
block:
|
||||
- name: Set frontend rule fact (non-ssl rules)
|
||||
set_fact:
|
||||
tripleo_firewall_frontend_rules_real: "{{
|
||||
tripleo_firewall_frontend_rules_real |
|
||||
combine(tripleo_firewall_edge_frontend_rules)
|
||||
}}"
|
||||
|
||||
- name: Set frontend rule fact (ssl rules)
|
||||
when: tripleo_firewall_ssl_frontend_enabled
|
||||
set_fact:
|
||||
tripleo_firewall_frontend_rules_real: "{{
|
||||
tripleo_firewall_frontend_rules_real |
|
||||
combine(tripleo_firewall_edge_ssl_frontend_rules)
|
||||
}}"
|
||||
|
||||
- name: Set rule fact
|
||||
set_fact:
|
||||
firewall_rules_sorted: "{{
|
||||
tripleo_firewall_default_rules |
|
||||
combine(tripleo_firewall_rules) |
|
||||
combine(tripleo_firewall_frontend_rules_real) |
|
||||
combine(masquerade_rules|from_yaml) |
|
||||
dict2items(key_name='rule_name', value_name='rule') |
|
||||
sort(attribute='rule_name') |
|
||||
|
|
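Review bot: In `Set rule fact`, `tripleo_firewall_frontend_rules_real` is combined after `tripleo_firewall_rules`, and `combine` is last-wins on duplicate keys, so a frontend rule that reuses the name of an operator-supplied rule (including one carrying `ensure: 'absent'`) silently replaces it, while the masquerade rules override both; nothing in the hunk detects such a collision. I would document the precedence above the task, e.g. `# duplicate rule names: masquerade > frontend > tripleo_firewall_rules > defaults (combine is last-wins)`, or fail early with an `assert` that `tripleo_firewall_rules.keys() | intersect(tripleo_firewall_frontend_rules_real.keys()) | length == 0` if overriding operator rules is never intended. Since the commit message says these flags will be fed from tripleo-heat-templates, I would also write the gates as `when: tripleo_firewall_frontend_enabled | bool` (and likewise for the `ssl` and `edge` conditions) in case the values arrive as strings rather than booleans. The `firewall_rules_sorted` expression continues past the end of this hunk.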