Consume blacklisted_ip_addresses in workflows
The ceph-ansible and skydive workflows now consume the blacklisted_ip_addresses input. The enable_ssh_admin workflow is modified to consume a list of IP addresses and only enable SSH on the given set of addresses. Change-Id: I4255739c852409fb8e170a9913fe7ad810711734 Depends-On: Ic158171c629e82892e480f1e6903a67457f86064 Closes-Bug: #1743046
parent
e423c4a438
commit
f98c136078
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
The `enable_ssh_admin` workflow is now always expecting a list of
|
||||||
|
servers to operate on, passed via `ssh_servers` input which is
|
||||||
|
left empty when unset.
|
|
@ -73,6 +73,7 @@ workflows:
|
||||||
workflow: tripleo.access.v1.create_admin_via_nova
|
workflow: tripleo.access.v1.create_admin_via_nova
|
||||||
input:
|
input:
|
||||||
queue_name: <% $.queue_name %>
|
queue_name: <% $.queue_name %>
|
||||||
|
ssh_servers: <% $.ssh_servers %>
|
||||||
tasks: <% $.create_admin_tasks %>
|
tasks: <% $.create_admin_tasks %>
|
||||||
overcloud_admin: <% $.overcloud_admin %>
|
overcloud_admin: <% $.overcloud_admin %>
|
||||||
|
|
||||||
|
@ -89,6 +90,7 @@ workflows:
|
||||||
input:
|
input:
|
||||||
- tasks
|
- tasks
|
||||||
- queue_name: tripleo
|
- queue_name: tripleo
|
||||||
|
- ssh_servers: []
|
||||||
- overcloud_admin: tripleo-admin
|
- overcloud_admin: tripleo-admin
|
||||||
- ansible_extra_env_variables:
|
- ansible_extra_env_variables:
|
||||||
ANSIBLE_HOST_KEY_CHECKING: 'False'
|
ANSIBLE_HOST_KEY_CHECKING: 'False'
|
||||||
|
@ -99,7 +101,7 @@ workflows:
|
||||||
action: nova.servers_list
|
action: nova.servers_list
|
||||||
on-success: create_admin
|
on-success: create_admin
|
||||||
publish:
|
publish:
|
||||||
servers: <% task().result._info %>
|
servers: <% let(root => $) -> task().result._info.where($.addresses.ctlplane.addr.any($ in $root.ssh_servers)) %>
|
||||||
|
|
||||||
create_admin:
|
create_admin:
|
||||||
workflow: tripleo.deployment.v1.deploy_on_server
|
workflow: tripleo.deployment.v1.deploy_on_server
|
||||||
|
@ -127,7 +129,7 @@ workflows:
|
||||||
input:
|
input:
|
||||||
inventory:
|
inventory:
|
||||||
overcloud:
|
overcloud:
|
||||||
hosts: <% $.servers.addresses.ctlplane.addr.flatten().toDict($, {}) %>
|
hosts: <% $.ssh_servers.toDict($, {}) %>
|
||||||
remote_user: <% $.overcloud_admin %>
|
remote_user: <% $.overcloud_admin %>
|
||||||
ssh_private_key: <% $.privkey %>
|
ssh_private_key: <% $.privkey %>
|
||||||
extra_env_variables: <% $.ansible_extra_env_variables %>
|
extra_env_variables: <% $.ansible_extra_env_variables %>
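Review bot: The Ansible inventory in the last hunk is now built straight from the caller-supplied list (`hosts: <% $.ssh_servers.toDict($, {}) %>`), while only the `servers` value published after `nova.servers_list` is checked against Nova. An address in `ssh_servers` that matches no server's ctlplane address therefore appears to skip `create_admin` but still lands in the inventory, where it would be contacted with the admin private key and `ANSIBLE_HOST_KEY_CHECKING: 'False'`. Building the inventory from the filtered list keeps it limited to addresses Nova confirmed, for example `hosts: <% let(root => $) -> $.servers.addresses.ctlplane.addr.flatten().where($ in $root.ssh_servers).toDict($, {}) %>`. The tasks between these hunks are outside the view, so this should be confirmed against the full workflow.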
|
||||||
|
|
|
@ -32,30 +32,36 @@ workflows:
|
||||||
hieradata: <% env().get('role_merged_configs', {}).values().select($.keys()).flatten().select(regex('^ceph::profile::params::osds$').search($)).where($ != null).toSet() %>
|
hieradata: <% env().get('role_merged_configs', {}).values().select($.keys()).flatten().select(regex('^ceph::profile::params::osds$').search($)).where($ != null).toSet() %>
|
||||||
check_hieradata:
|
check_hieradata:
|
||||||
on-success:
|
on-success:
|
||||||
- enable_ssh_admin: <% not bool($.hieradata) %>
|
- set_blacklisted_ips: <% not bool($.hieradata) %>
|
||||||
- fail(msg=<% 'Ceph deployment stopped, puppet-ceph hieradata found. Convert it into ceph-ansible variables. {0}'.format($.hieradata) %>): <% bool($.hieradata) %>
|
- fail(msg=<% 'Ceph deployment stopped, puppet-ceph hieradata found. Convert it into ceph-ansible variables. {0}'.format($.hieradata) %>): <% bool($.hieradata) %>
|
||||||
|
set_blacklisted_ips:
|
||||||
|
publish:
|
||||||
|
blacklisted_ips: <% env().get('blacklisted_ip_addresses', []) %>
|
||||||
|
on-success: set_ip_lists
|
||||||
|
set_ip_lists:
|
||||||
|
publish:
|
||||||
|
mgr_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_mgr_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
|
||||||
|
mon_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_mon_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
|
||||||
|
osd_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_osd_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
|
||||||
|
mds_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_mds_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
|
||||||
|
rgw_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_rgw_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
|
||||||
|
nfs_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_nfs_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
|
||||||
|
rbdmirror_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_rbdmirror_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
|
||||||
|
client_ips: <% let(root => $) -> env().get('service_ips', {}).get('ceph_client_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
|
||||||
|
on-success: merge_ip_lists
|
||||||
|
merge_ip_lists:
|
||||||
|
publish:
|
||||||
|
ips_list: <% ($.mgr_ips + $.mon_ips + $.osd_ips + $.mds_ips + $.rgw_ips + $.nfs_ips + $.rbdmirror_ips + $.client_ips).toSet() %>
|
||||||
|
on-success: enable_ssh_admin
|
||||||
enable_ssh_admin:
|
enable_ssh_admin:
|
||||||
workflow: tripleo.access.v1.enable_ssh_admin
|
workflow: tripleo.access.v1.enable_ssh_admin
|
||||||
|
input:
|
||||||
|
ssh_servers: <% $.ips_list %>
|
||||||
on-success: get_private_key
|
on-success: get_private_key
|
||||||
get_private_key:
|
get_private_key:
|
||||||
action: tripleo.validations.get_privkey
|
action: tripleo.validations.get_privkey
|
||||||
publish:
|
publish:
|
||||||
private_key: <% task().result %>
|
private_key: <% task().result %>
|
||||||
on-success: set_ip_lists
|
|
||||||
set_ip_lists:
|
|
||||||
publish:
|
|
||||||
mgr_ips: <% env().get('service_ips', {}).get('ceph_mgr_ctlplane_node_ips', []) %>
|
|
||||||
mon_ips: <% env().get('service_ips', {}).get('ceph_mon_ctlplane_node_ips', []) %>
|
|
||||||
osd_ips: <% env().get('service_ips', {}).get('ceph_osd_ctlplane_node_ips', []) %>
|
|
||||||
mds_ips: <% env().get('service_ips', {}).get('ceph_mds_ctlplane_node_ips', []) %>
|
|
||||||
rgw_ips: <% env().get('service_ips', {}).get('ceph_rgw_ctlplane_node_ips', []) %>
|
|
||||||
nfs_ips: <% env().get('service_ips', {}).get('ceph_nfs_ctlplane_node_ips', []) %>
|
|
||||||
rbdmirror_ips: <% env().get('service_ips', {}).get('ceph_rbdmirror_ctlplane_node_ips', []) %>
|
|
||||||
client_ips: <% env().get('service_ips', {}).get('ceph_client_ctlplane_node_ips', []) %>
|
|
||||||
on-success: merge_ip_lists
|
|
||||||
merge_ip_lists:
|
|
||||||
publish:
|
|
||||||
ips_list: <% ($.mgr_ips + $.mon_ips + $.osd_ips + $.mds_ips + $.rgw_ips + $.nfs_ips + $.rbdmirror_ips + $.client_ips).toSet() %>
|
|
||||||
on-success: make_fetch_directory
|
on-success: make_fetch_directory
|
||||||
make_fetch_directory:
|
make_fetch_directory:
|
||||||
action: tripleo.files.make_temp_dir
|
action: tripleo.files.make_temp_dir
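Review bot: The blacklist filter in `set_ip_lists` fails open, and nothing in the workflow says so: `.where(not ($ in $root.blacklisted_ips))` is an exact string comparison, and `env().get('blacklisted_ip_addresses', [])` falls back to an empty list when the key is absent. A blacklisted address written in a different textual form from the one in `service_ips` would therefore stay in `ips_list` and still be passed to `enable_ssh_admin`. I would add a comment above `set_blacklisted_ips` such as `# blacklisted_ips is matched by exact string against service_ips; entries must use the same form as the ctlplane addresses`. The same pattern is repeated in the skydive workflow's `set_blacklisted_ips` and `set_ip_lists` tasks further down.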
|
||||||
|
|
|
@ -18,18 +18,24 @@ workflows:
|
||||||
tags:
|
tags:
|
||||||
- tripleo-common-managed
|
- tripleo-common-managed
|
||||||
tasks:
|
tasks:
|
||||||
|
set_blacklisted_ips:
|
||||||
|
publish:
|
||||||
|
blacklisted_ips: <% env().get('blacklisted_ip_addresses', []) %>
|
||||||
|
on-success: set_ip_lists
|
||||||
|
set_ip_lists:
|
||||||
|
publish:
|
||||||
|
agent_ips: <% let(root => $) -> env().get('service_ips', {}).get('skydive_agent_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
|
||||||
|
analyzer_ips: <% let(root => $) -> env().get('service_ips', {}).get('skydive_analyzer_ctlplane_node_ips', []).where(not ($ in $root.blacklisted_ips)) %>
|
||||||
|
on-success: enable_ssh_admin
|
||||||
enable_ssh_admin:
|
enable_ssh_admin:
|
||||||
workflow: tripleo.access.v1.enable_ssh_admin
|
workflow: tripleo.access.v1.enable_ssh_admin
|
||||||
|
input:
|
||||||
|
ssh_servers: <% ($.agent_ips + $.analyzer_ips).toSet() %>
|
||||||
on-success: get_private_key
|
on-success: get_private_key
|
||||||
get_private_key:
|
get_private_key:
|
||||||
action: tripleo.validations.get_privkey
|
action: tripleo.validations.get_privkey
|
||||||
publish:
|
publish:
|
||||||
private_key: <% task().result %>
|
private_key: <% task().result %>
|
||||||
on-success: set_ip_lists
|
|
||||||
set_ip_lists:
|
|
||||||
publish:
|
|
||||||
agent_ips: <% env().get('service_ips', {}).get('skydive_agent_ctlplane_node_ips', []) %>
|
|
||||||
analyzer_ips: <% env().get('service_ips', {}).get('skydive_analyzer_ctlplane_node_ips', []) %>
|
|
||||||
on-success: set_fork_count
|
on-success: set_fork_count
|
||||||
set_fork_count:
|
set_fork_count:
|
||||||
publish: # unique list of all IPs: make each list a set, take unions and count
|
publish: # unique list of all IPs: make each list a set, take unions and count
|
||||||
|
|