Consume blacklisted_ip_addresses in workflows

The ceph-ansible and skydive workflows now consume the
blacklisted_ip_addresses input.

The enable_ssh_admin workflow is modified to consume a list of
ip addresses and only enable ssh on the given set of addresses.

Change-Id: I4255739c852409fb8e170a9913fe7ad810711734
Depends-On: Ic158171c629e82892e480f1e6903a67457f86064
Closes-Bug: #1743046
Giulio Fidente 2018-01-15 11:31:38 +01:00
parent e423c4a438
commit f98c136078
4 changed files with 43 additions and 23 deletions


@ -0,0 +1,6 @@
---
security:
- |
The `enable_ssh_admin` workflow is now always expecting a list of
servers to operate on, passed via `ssh_servers` input which is
left empty when unset.


@ -73,6 +73,7 @@ workflows:
workflow: tripleo.access.v1.create_admin_via_nova workflow: tripleo.access.v1.create_admin_via_nova
input: input:
queue_name: <% $.queue_name %> queue_name: <% $.queue_name %>
ssh_servers: <% $.ssh_servers %>
tasks: <% $.create_admin_tasks %> tasks: <% $.create_admin_tasks %>
overcloud_admin: <% $.overcloud_admin %> overcloud_admin: <% $.overcloud_admin %>
@ -89,6 +90,7 @@ workflows:
input: input:
- tasks - tasks
- queue_name: tripleo - queue_name: tripleo
- ssh_servers: []
- overcloud_admin: tripleo-admin - overcloud_admin: tripleo-admin
- ansible_extra_env_variables: - ansible_extra_env_variables:
ANSIBLE_HOST_KEY_CHECKING: 'False' ANSIBLE_HOST_KEY_CHECKING: 'False'
@ -99,7 +101,7 @@ workflows:
action: nova.servers_list action: nova.servers_list
on-success: create_admin on-success: create_admin
publish: publish:
servers: <% task().result._info %> servers: <% let(root => $) -> task().result._info.where($.addresses.ctlplane.addr.any($ in $root.ssh_servers)) %>
create_admin: create_admin:
workflow: tripleo.deployment.v1.deploy_on_server workflow: tripleo.deployment.v1.deploy_on_server
@ -127,7 +129,7 @@ workflows:
input: input:
inventory: inventory:
overcloud: overcloud:
hosts: <% $.servers.addresses.ctlplane.addr.flatten().toDict($, {}) %> hosts: <% $.ssh_servers.toDict($, {}) %>
remote_user: <% $.overcloud_admin %> remote_user: <% $.overcloud_admin %>
ssh_private_key: <% $.privkey %> ssh_private_key: <% $.privkey %>
extra_env_variables: <% $.ansible_extra_env_variables %> extra_env_variables: <% $.ansible_extra_env_variables %>
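Review bot: The Ansible inventory in the last hunk is now built from the raw `ssh_servers` input, while the `servers` set published in the nova.servers_list hunk is restricted to the nova instances whose ctlplane address appears in that list, so an entry in `ssh_servers` that matches no nova instance is dropped from `servers` but still becomes an inventory host that the playbook will try to reach as `overcloud_admin` with the private key. If both hunks belong to the same workflow, as the removed expression's use of `$.servers` suggests, deriving the inventory from the filtered set keeps the two consistent: `hosts: <% $.servers.addresses.ctlplane.addr.flatten().toDict($, {}) %>`. With the new default `ssh_servers: []` the workflow silently operates on no hosts, which deserves a comment on the input, e.g. `# empty list means no server is touched; callers must pass the ctlplane addresses explicitly`. The tasks enclosing these hunks start outside them.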


@ -32,30 +32,36 @@ workflows:
hieradata: <% env().get('role_merged_configs', {}).values().select($.keys()).flatten().select(regex('^ceph::profile::params::osds$').search($)).where($ != null).toSet() %> hieradata: <% env().get('role_merged_configs', {}).values().select($.keys()).flatten().select(regex('^ceph::profile::params::osds$').search($)).where($ != null).toSet() %>
check_hieradata: check_hieradata:
on-success: on-success:
- enable_ssh_admin: <% not bool($.hieradata) %> - set_blacklisted_ips: <% not bool($.hieradata) %>
- fail(msg=<% 'Ceph deployment stopped, puppet-ceph hieradata found. Convert it into ceph-ansible variables. {0}'.format($.hieradata) %>): <% bool($.hieradata) %> - fail(msg=<% 'Ceph deployment stopped, puppet-ceph hieradata found. Convert it into ceph-ansible variables. {0}'.format($.hieradata) %>): <% bool($.hieradata) %>
set_blacklisted_ips:
publish:
blacklisted_ips: <% env().get('blacklisted_ip_addresses', []) %>
on-success: set_ip_lists
set_ip_lists:
publish:
mgr_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_mgr_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
mon_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_mon_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
osd_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_osd_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
mds_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_mds_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
rgw_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_rgw_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
nfs_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_nfs_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
rbdmirror_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_rbdmirror_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
client_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_client_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
on-success: merge_ip_lists
merge_ip_lists:
publish:
ips_list: <% ($.mgr_ips + $.mon_ips + $.osd_ips + $.mds_ips + $.rgw_ips + $.nfs_ips + $.rbdmirror_ips + $.client_ips).toSet() %>
on-success: enable_ssh_admin
enable_ssh_admin: enable_ssh_admin:
workflow: tripleo.access.v1.enable_ssh_admin workflow: tripleo.access.v1.enable_ssh_admin
input:
ssh_servers: <% $.ips_list %>
on-success: get_private_key on-success: get_private_key
get_private_key: get_private_key:
action: tripleo.validations.get_privkey action: tripleo.validations.get_privkey
publish: publish:
private_key: <% task().result %> private_key: <% task().result %>
on-success: set_ip_lists
set_ip_lists:
publish:
mgr_ips: <% env().get('service_ips', {}).get('ceph_mgr_ctlplane_node_ips', []) %>
mon_ips: <% env().get('service_ips', {}).get('ceph_mon_ctlplane_node_ips', []) %>
osd_ips: <% env().get('service_ips', {}).get('ceph_osd_ctlplane_node_ips', []) %>
mds_ips: <% env().get('service_ips', {}).get('ceph_mds_ctlplane_node_ips', []) %>
rgw_ips: <% env().get('service_ips', {}).get('ceph_rgw_ctlplane_node_ips', []) %>
nfs_ips: <% env().get('service_ips', {}).get('ceph_nfs_ctlplane_node_ips', []) %>
rbdmirror_ips: <% env().get('service_ips', {}).get('ceph_rbdmirror_ctlplane_node_ips', []) %>
client_ips: <% env().get('service_ips', {}).get('ceph_client_ctlplane_node_ips', []) %>
on-success: merge_ip_lists
merge_ip_lists:
publish:
ips_list: <% ($.mgr_ips + $.mon_ips + $.osd_ips + $.mds_ips + $.rgw_ips + $.nfs_ips + $.rbdmirror_ips + $.client_ips).toSet() %>
on-success: make_fetch_directory on-success: make_fetch_directory
make_fetch_directory: make_fetch_directory:
action: tripleo.files.make_temp_dir action: tripleo.files.make_temp_dir
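Review bot: The `set_blacklisted_ips` publish falls back to `[]` only when `blacklisted_ip_addresses` is absent from the environment; if the key is present with a null value, `env().get` returns that null and each `not ($ in $root.blacklisted_ips)` filter in `set_ip_lists` is evaluated against null rather than an empty list, so a defensive `blacklisted_ips: <% env().get('blacklisted_ip_addresses', []) or [] %>` is worth considering, assuming YAQL `or` short-circuits as in Python (the same applies to the skydive workbook's `set_blacklisted_ips`). The filter excludes hosts by exact ctlplane address string, which nothing in the task says; a comment such as `# exact-match filter on ctlplane addresses: blacklist entries must be bare IPs as they appear in service_ips` above `set_ip_lists` would make that explicit. The eight `where(not ($ in $root.blacklisted_ips))` expressions differ only in the service_ips key, and the skydive workbook repeats the whole `set_blacklisted_ips`/`set_ip_lists` pattern, so a shared workflow would be a reasonable follow-up.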


@ -18,18 +18,24 @@ workflows:
tags: tags:
- tripleo-common-managed - tripleo-common-managed
tasks: tasks:
set_blacklisted_ips:
publish:
blacklisted_ips: <% env().get('blacklisted_ip_addresses', []) %>
on-success: set_ip_lists
set_ip_lists:
publish:
agent_ips: <% let(root => $) -> env().get('service_ips', {}).get('skydive_agent_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
analyzer_ips: <% let(root => $) -> env().get('service_ips', {}).get('skydive_analyzer_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
on-success: enable_ssh_admin
enable_ssh_admin: enable_ssh_admin:
workflow: tripleo.access.v1.enable_ssh_admin workflow: tripleo.access.v1.enable_ssh_admin
input:
ssh_servers: <% ($.agent_ips + $.analyzer_ips).toSet() %>
on-success: get_private_key on-success: get_private_key
get_private_key: get_private_key:
action: tripleo.validations.get_privkey action: tripleo.validations.get_privkey
publish: publish:
private_key: <% task().result %> private_key: <% task().result %>
on-success: set_ip_lists
set_ip_lists:
publish:
agent_ips: <% env().get('service_ips', {}).get('skydive_agent_ctlplane_node_ips', []) %>
analyzer_ips: <% env().get('service_ips', {}).get('skydive_analyzer_ctlplane_node_ips', []) %>
on-success: set_fork_count on-success: set_fork_count
set_fork_count: set_fork_count:
publish: # unique list of all IPs: make each list a set, take unions and count publish: # unique list of all IPs: make each list a set, take unions and count