tripleo_firewall: Allow injecting frontend rules

This change introduces new variables to define the firewall rules for haproxy frontend. When an API service is enabled, we should add proper firewall rule not only in the node where the API service is running, but also in the loadbalancer node where haproxy is running, otherwise the frontend port in haproxy is not accessible. The new variables are used once [1] is merged. [1] https://review.opendev.org/c/openstack/tripleo-heat-templates/+/831549 Related-Bug: #1961799 Change-Id: I9d79df8a8d0eaf77166b296178b9b0622263998d (cherry picked from commit f2760f5de3)
2022-03-03 00:16:19 +09:00 · 2022-03-03 00:16:19 +09:00 · 3267287fab
parent 47d0ab588f
commit 3267287fab
2 changed files with 58 additions and 0 deletions
--- a/tripleo_ansible/roles/tripleo_firewall/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_firewall/defaults/main.yml
@ -31,6 +31,20 @@
 #     ensure: 'absent'
 tripleo_firewall_rules: {}

+tripleo_firewall_frontend_enabled: false
+
+tripleo_firewall_frontend_rules: {}
+
+tripleo_firewall_ssl_frontend_enabled: false
+
+tripleo_firewall_ssl_frontend_rules: {}
+
+tripleo_firewall_edge_frontend_enabled: false
+
+tripleo_firewall_edge_frontend_rules: {}
+
+tripleo_firewall_edge_ssl_frontend_rules: {}
+
 tripleo_firewall_default_rules:
  '000 accept related established rules':
    proto: all
--- a/tripleo_ansible/roles/tripleo_firewall/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_firewall/tasks/main.yml
@ -31,11 +31,55 @@
 - name: Get masquerade rules
  import_tasks: masquerade.yaml

+- name: Set the default frontend firewall rules
+  set_fact:
+    tripleo_firewall_frontend_rules_real: {}
+
+- name: When frontend rules are required
+  when: tripleo_firewall_frontend_enabled
+  block:
+    - name: Not in edge site
+      when: not tripleo_firewall_edge_frontend_enabled
+      block:
+        - name: Set frontend rule fact (non-ssl rules)
+          set_fact:
+            tripleo_firewall_frontend_rules_real: "{{
+              tripleo_firewall_frontend_rules_real |
+              combine(tripleo_firewall_frontend_rules)
+            }}"
+
+        - name: Set frontend rule fact (ssl rules)
+          when: tripleo_firewall_ssl_frontend_enabled
+          set_fact:
+            tripleo_firewall_frontend_rules_real: "{{
+              tripleo_firewall_frontend_rules_real |
+              combine(tripleo_firewall_ssl_frontend_rules)
+            }}"
+
+    - name: In edge site
+      when: tripleo_firewall_edge_frontend_enabled
+      block:
+        - name: Set frontend rule fact (non-ssl rules)
+          set_fact:
+            tripleo_firewall_frontend_rules_real: "{{
+              tripleo_firewall_frontend_rules_real |
+              combine(tripleo_firewall_edge_frontend_rules)
+            }}"
+
+        - name: Set frontend rule fact (ssl rules)
+          when: tripleo_firewall_ssl_frontend_enabled
+          set_fact:
+            tripleo_firewall_frontend_rules_real: "{{
+              tripleo_firewall_frontend_rules_real |
+              combine(tripleo_firewall_edge_ssl_frontend_rules)
+            }}"
+
 - name: Set rule fact
  set_fact:
    firewall_rules_sorted: "{{
      tripleo_firewall_default_rules |
      combine(tripleo_firewall_rules) |
+      combine(tripleo_firewall_frontend_rules_real) |
      combine(masquerade_rules|from_yaml) |
      dict2items(key_name='rule_name', value_name='rule') |
      sort(attribute='rule_name') |