Queens only - allow SSH from any source

With change I89cff59947dda3f51482486c41a3d67c4aa36a3e
SSH was limited to the ctlplane_subnet only. This changes
the previous behaviour that allowed SSH from any source.

The use of hiera introduced a regression where overcloud
nodes on remote subnet in a DCN (or spine-and-leaf) set
up are not available via SSH from the undercloud or from
overcloud nodes in other sites/leafs.

Introducing the tripleo::firewall::firewall_rules to allow
operators to define more granular ssh firewall rules does
make sense, but changing the default will also break
users doing monitoring or management/maintenance
operations via SSH.

Change-Id: I8c8ca93744934746d588c7228caa2950a53b23ce
Closes-Bug: #1834161
(cherry picked from commit d8ef4512b8)
Harald Jensås 2019-06-25 11:04:01 +02:00
parent e0e2235300
commit 1bf53b5466
1 changed files with 1 additions and 2 deletions

@ -48,8 +48,7 @@ outputs:
tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
tripleo::tripleo_firewall::firewall_rules:
'003 accept ssh from controlplane':
source: "%{hiera('ctlplane_subnet')}"
'003 accept ssh from any':
proto: 'tcp'
dport: 22
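
Review bot: The rule '003 accept ssh from any' has no source key, so tcp/22 is accepted from every address rather than only from the remote leaf or site subnets the commit message is concerned with. Please add a comment at this rule (or a release note) stating that the open default is intentional on Queens, and point operators to the firewall_rules hiera key for restricting SSH to their control-plane and leaf subnets. Separately, the commit message names tripleo::firewall::firewall_rules while this hunk sets tripleo::tripleo_firewall::firewall_rules; the message should use the key that is actually set here so operators override the right one.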