Consume blacklisted_ip_addresses in workflows

The ceph-ansible and skydive workflows now consumes the blacklisted_ip_addresses input. The enable_ssh_admin workflow is modified to consume a list of ip addresses and only enable ssh on the given set of addresses. Change-Id: I4255739c852409fb8e170a9913fe7ad810711734 Depends-On: Ic158171c629e82892e480f1e6903a67457f86064 Closes-Bug: #1743046
2018-01-15 11:31:38 +01:00 · 2018-01-15 11:31:38 +01:00 · f98c136078
commit f98c136078
parent e423c4a438
4 changed files with 43 additions and 23 deletions
--- a/releasenotes/notes/blacklisted_ips_support-f362e008ae1af210.yaml
+++ b/releasenotes/notes/blacklisted_ips_support-f362e008ae1af210.yaml
@ -0,0 +1,6 @@
+---
+security:
+  - |
+    The `enable_ssh_admin` workflow is now always expecting a list of
+    servers to operate on, passed via `ssh_servers` input which is
+    left empty when unset.
--- a/workbooks/access.yaml
+++ b/workbooks/access.yaml
@ -73,6 +73,7 @@ workflows:
        workflow: tripleo.access.v1.create_admin_via_nova
        input:
          queue_name: <% $.queue_name %>
+          ssh_servers: <% $.ssh_servers %>
          tasks: <% $.create_admin_tasks %>
          overcloud_admin: <% $.overcloud_admin %>

@ -89,6 +90,7 @@ workflows:
    input:
      - tasks
      - queue_name: tripleo
+      - ssh_servers: []
      - overcloud_admin: tripleo-admin
      - ansible_extra_env_variables:
            ANSIBLE_HOST_KEY_CHECKING: 'False'
@ -99,7 +101,7 @@ workflows:
        action: nova.servers_list
        on-success: create_admin
        publish:
-          servers: <% task().result._info %>
+          servers: <% let(root => $) -> task().result._info.where($.addresses.ctlplane.addr.any($ in $root.ssh_servers)) %>

      create_admin:
        workflow: tripleo.deployment.v1.deploy_on_server
@ -127,7 +129,7 @@ workflows:
        input:
          inventory:
            overcloud:
-              hosts: <% $.servers.addresses.ctlplane.addr.flatten().toDict($, {}) %>
+              hosts: <% $.ssh_servers.toDict($, {}) %>
          remote_user: <% $.overcloud_admin %>
          ssh_private_key: <% $.privkey %>
          extra_env_variables: <% $.ansible_extra_env_variables %>
--- a/workbooks/ceph-ansible.yaml
+++ b/workbooks/ceph-ansible.yaml
@ -32,30 +32,36 @@ workflows:
          hieradata: <% env().get('role_merged_configs', {}).values().select($.keys()).flatten().select(regex('^ceph::profile::params::osds$').search($)).where($ != null).toSet() %>
      check_hieradata:
        on-success:
-        - enable_ssh_admin: <% not bool($.hieradata) %>
+        - set_blacklisted_ips: <% not bool($.hieradata) %>
        - fail(msg=<% 'Ceph deployment stopped, puppet-ceph hieradata found. Convert it into ceph-ansible variables. {0}'.format($.hieradata) %>): <% bool($.hieradata) %>
+      set_blacklisted_ips:
+        publish:
+          blacklisted_ips: <% env().get('blacklisted_ip_addresses', []) %>
+        on-success: set_ip_lists
+      set_ip_lists:
+        publish:
+          mgr_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_mgr_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+          mon_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_mon_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+          osd_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_osd_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+          mds_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_mds_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+          rgw_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_rgw_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+          nfs_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_nfs_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+          rbdmirror_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_rbdmirror_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+          client_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_client_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+        on-success: merge_ip_lists
+      merge_ip_lists:
+        publish:
+          ips_list: <% ($.mgr_ips + $.mon_ips + $.osd_ips + $.mds_ips + $.rgw_ips + $.nfs_ips + $.rbdmirror_ips + $.client_ips).toSet() %>
+        on-success: enable_ssh_admin
      enable_ssh_admin:
        workflow: tripleo.access.v1.enable_ssh_admin
+        input:
+          ssh_servers: <% $.ips_list %>
        on-success: get_private_key
      get_private_key:
        action: tripleo.validations.get_privkey
        publish:
          private_key: <% task().result %>
-        on-success: set_ip_lists
-      set_ip_lists:
-        publish:
-          mgr_ips: <% env().get('service_ips', {}).get('ceph_mgr_ctlplane_node_ips', []) %>
-          mon_ips: <% env().get('service_ips', {}).get('ceph_mon_ctlplane_node_ips', []) %>
-          osd_ips: <% env().get('service_ips', {}).get('ceph_osd_ctlplane_node_ips', []) %>
-          mds_ips: <% env().get('service_ips', {}).get('ceph_mds_ctlplane_node_ips', []) %>
-          rgw_ips: <% env().get('service_ips', {}).get('ceph_rgw_ctlplane_node_ips', []) %>
-          nfs_ips: <% env().get('service_ips', {}).get('ceph_nfs_ctlplane_node_ips', []) %>
-          rbdmirror_ips: <% env().get('service_ips', {}).get('ceph_rbdmirror_ctlplane_node_ips', []) %>
-          client_ips: <% env().get('service_ips', {}).get('ceph_client_ctlplane_node_ips', []) %>
-        on-success: merge_ip_lists
-      merge_ip_lists:
-        publish:
-          ips_list: <% ($.mgr_ips + $.mon_ips + $.osd_ips + $.mds_ips + $.rgw_ips + $.nfs_ips + $.rbdmirror_ips + $.client_ips).toSet() %>
        on-success: make_fetch_directory
      make_fetch_directory:
        action: tripleo.files.make_temp_dir
--- a/workbooks/skydive-ansible.yaml
+++ b/workbooks/skydive-ansible.yaml
@ -18,18 +18,24 @@ workflows:
    tags:
      - tripleo-common-managed
    tasks:
+      set_blacklisted_ips:
+        publish:
+          blacklisted_ips: <% env().get('blacklisted_ip_addresses', []) %>
+        on-success: set_ip_lists
+      set_ip_lists:
+        publish:
+          agent_ips: <% let(root => $) -> env().get('service_ips', {}).get('skydive_agent_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+          analyzer_ips: <% let(root => $) -> env().get('service_ips', {}).get('skydive_analyzer_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
+        on-success: enable_ssh_admin
      enable_ssh_admin:
        workflow: tripleo.access.v1.enable_ssh_admin
+        input:
+          ssh_servers: <% ($.agent_ips + $.analyzer_ips).toSet() %>
        on-success: get_private_key
      get_private_key:
        action: tripleo.validations.get_privkey
        publish:
          private_key: <% task().result %>
-        on-success: set_ip_lists
-      set_ip_lists:
-        publish:
-          agent_ips: <% env().get('service_ips', {}).get('skydive_agent_ctlplane_node_ips', []) %>
-          analyzer_ips: <% env().get('service_ips', {}).get('skydive_analyzer_ctlplane_node_ips', []) %>
        on-success: set_fork_count
      set_fork_count:
        publish: # unique list of all IPs: make each list a set, take unions and count