Merge "Define frontend firewall rules separately" into stable/wallaby
This commit is contained in:
commit
1f873b8308
|
@ -301,6 +301,16 @@ resources:
|
|||
expression: dict(coalesce($.data, []).where($ != null).select([$.get('container_puppet_tasks'), $.get('service_name')]).where($[0] != null).select([$[0], dict($[0].keys().zip(dict(service_name=>$[1]).repeat(len($[0].keys()))))]).select($[0].mergeWith($[1])).selectMany($.items()).groupBy($[0], $[1]))
|
||||
data: {get_attr: [ServiceChain, role_data]}
|
||||
|
||||
HostFirewallTasks:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
type: comma_delimited_list
|
||||
value:
|
||||
yaql:
|
||||
# Note we use distinct() here to filter any identical tasks
|
||||
expression: coalesce($.data, []).where($ != null).select($.get('host_firewall_tasks')).where($ != null).flatten().distinct()
|
||||
data: {get_attr: [ServiceChain, role_data]}
|
||||
|
||||
HostPrepTasks:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
|
@ -341,6 +351,32 @@ resources:
|
|||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_rules')).where($ != null)).flatten()
|
||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||
|
||||
FirewallFrontendRules:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
type: json
|
||||
value:
|
||||
frontend:
|
||||
map_merge:
|
||||
yaql:
|
||||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_frontend_rules')).where($ != null)).flatten()
|
||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||
ssl_frontend:
|
||||
map_merge:
|
||||
yaql:
|
||||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_ssl_frontend_rules')).where($ != null)).flatten()
|
||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||
edge_frontend:
|
||||
map_merge:
|
||||
yaql:
|
||||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_edge_frontend_rules')).where($ != null)).flatten()
|
||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||
edge_sslfrontend:
|
||||
map_merge:
|
||||
yaql:
|
||||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_edge_ssl_frontend_rules')).where($ != null)).flatten()
|
||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||
|
||||
|
||||
outputs:
|
||||
role_data:
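Review bot: The key `edge_sslfrontend:` under FirewallFrontendRules.value does not match the name that the new output `firewall_edge_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_ssl_frontend]}` reads in the outputs hunk below, nor the `edge_ssl_frontend` key that the overcloud.j2.yaml hunk merges across roles, so the edge SSL frontend rules collected here are looked up under a different name than the one they are stored under. Rename it to `edge_ssl_frontend:` so the four keys line up with the outputs; `frontend`, `ssl_frontend` and `edge_frontend` already follow that spelling. Whether Heat resolves the missing path to an empty value or rejects it at validation is not visible from this hunk, but either way the edge SSL ports would not be opened on the edge haproxy nodes.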
|
||||
|
@ -374,6 +410,13 @@ outputs:
|
|||
- {get_attr: [AnsibleGroupVars, value]}
|
||||
keystone_resources: {get_attr: [KeystoneResourcesConfigs, value]}
|
||||
|
||||
# Firewall rules
|
||||
firewall_rules: {get_attr: [FirewallRules, value]}
|
||||
firewall_frontend_rules: {get_attr: [FirewallFrontendRules, value, frontend]}
|
||||
firewall_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, ssl_frontend]}
|
||||
firewall_edge_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_frontend]}
|
||||
firewall_edge_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_ssl_frontend]}
|
||||
|
||||
# Keys to support docker/services
|
||||
puppet_config: {get_attr: [PuppetConfig, value]}
|
||||
kolla_config: {get_attr: [KollaConfig, value]}
|
||||
|
@ -385,10 +428,6 @@ outputs:
|
|||
- {get_attr: [DockerPuppetTasks, value]}
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- - name: Run firewall role
|
||||
include_role:
|
||||
name: tripleo_firewall
|
||||
vars:
|
||||
tripleo_firewall_rules: {get_attr: [FirewallRules, value]}
|
||||
- {get_attr: [HostFirewallTasks, value]}
|
||||
- {get_attr: [HostPrepTasks, value]}
|
||||
pre_deploy_step_tasks: {get_attr: [PreDeployStepTasks, value]}
|
||||
|
|
|
@ -142,6 +142,13 @@ outputs:
|
|||
'128 aodh-api':
|
||||
dport:
|
||||
- 8042
|
||||
firewall_frontend_rules:
|
||||
'100 aodh_haproxy_frontend':
|
||||
dport:
|
||||
- 8042
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 aodh_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13042
|
||||
keystone_resources:
|
||||
aodh:
|
||||
|
|
|
@ -222,6 +222,13 @@ outputs:
|
|||
'117 barbican':
|
||||
dport:
|
||||
- 9311
|
||||
firewall_frontend_rules:
|
||||
'100 barbican_haproxy_frontend':
|
||||
dport:
|
||||
- 9311
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 barbican_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13311
|
||||
keystone_resources:
|
||||
barbican:
|
||||
|
|
|
@ -129,13 +129,23 @@ outputs:
|
|||
firewall_rules:
|
||||
'123 ceph_dashboard':
|
||||
dport:
|
||||
- {get_param: GrafanaDashboardPort}
|
||||
- 9090
|
||||
- 9092
|
||||
- 9093
|
||||
- 9094
|
||||
- 9100
|
||||
- 9283
|
||||
- {get_param: GrafanaDashboardPort}
|
||||
- 9090
|
||||
- 9092
|
||||
- 9093
|
||||
- 9094
|
||||
- 9100
|
||||
- 9283
|
||||
firewall_frontend_rules:
|
||||
'100 ceph_graphana':
|
||||
dport:
|
||||
- {get_param: GrafanaDashboardPort}
|
||||
'100 ceph_prometheus':
|
||||
dport:
|
||||
- 9092
|
||||
'100 ceph_alertmanager':
|
||||
dport:
|
||||
- 9093
|
||||
upgrade_tasks: []
|
||||
puppet_config: {}
|
||||
docker_config: {}
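Review bot: The rule name `'100 ceph_graphana'` misspells grafana; the key is the name the firewall role will attach to the rule, so it should read `'100 ceph_grafana':`. The same kind of slip appears in the etcd hunk (`'100 ectd_haproxy_frontend'`) and in the nova-metadata hunk (`'100 nova_metadatahaproxy_frontend'`, missing underscore); consistent names matter because the rule comment is what an operator sees when auditing which frontend ports are open on the haproxy nodes. Also, the seven dport entries from `{get_param: GrafanaDashboardPort}` through `9283` are printed twice with identical text, so this hunk apparently only re-indents or moves them; if that is a whitespace-only change it is fine, but confirm the list still sits under `'123 ceph_dashboard'` after the edit.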
|
||||
|
|
|
@ -112,6 +112,12 @@ outputs:
|
|||
- if:
|
||||
- {get_param: CephEnableDashboard}
|
||||
- - {get_param: CephDashboardPort}
|
||||
firewall_frontend_rules:
|
||||
if:
|
||||
- {get_param: CephEnableDashboard}
|
||||
- '100 ceph_dashboard':
|
||||
dport:
|
||||
- {get_param: CephDashboardPort}
|
||||
upgrade_tasks: []
|
||||
puppet_config: {}
|
||||
docker_config: {}
|
||||
|
|
|
@ -102,6 +102,14 @@ outputs:
|
|||
- if:
|
||||
- {get_param: CephEnableDashboard}
|
||||
- - '9100'
|
||||
firewall_frontend_rules:
|
||||
'100 ceph_rgw':
|
||||
dport:
|
||||
- {get_param: [EndpointMap, CephRgwInternal, port]}
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 ceph_rgw_ssl':
|
||||
dport:
|
||||
- {get_param: [EndpointMap, CephRgwPublic, port]}
|
||||
keystone_resources:
|
||||
swift:
|
||||
endpoints:
|
||||
|
|
|
@ -144,6 +144,13 @@ outputs:
|
|||
'119 cinder':
|
||||
dport:
|
||||
- 8776
|
||||
firewall_frontend_rules:
|
||||
'100 cinder_haproxy_frontend':
|
||||
dport:
|
||||
- 8776
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 cinder_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13776
|
||||
keystone_resources:
|
||||
cinder:
|
||||
|
|
|
@ -76,6 +76,10 @@ outputs:
|
|||
- 4567
|
||||
- 4568
|
||||
- 9200
|
||||
firewall_frontend_rules:
|
||||
'100 mysql_haproxy':
|
||||
dport:
|
||||
- 3306
|
||||
config_settings:
|
||||
map_merge:
|
||||
- {get_attr: [MysqlBase, role_data, config_settings]}
|
||||
|
|
|
@ -116,6 +116,10 @@ outputs:
|
|||
- 4567
|
||||
- 4568
|
||||
- 9200
|
||||
firewall_frontend_rules:
|
||||
'100 mysql_haproxy':
|
||||
dport:
|
||||
- 3306
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [MysqlBase, role_data, config_settings]
|
||||
|
|
|
@ -72,6 +72,11 @@ outputs:
|
|||
dport:
|
||||
- 6379
|
||||
- 26379
|
||||
firewall_frontend_rules:
|
||||
'100 redis_haproxy_frontend':
|
||||
dport:
|
||||
- 6379
|
||||
- 26379
|
||||
config_settings:
|
||||
map_merge:
|
||||
- {get_attr: [RedisBase, role_data, config_settings]}
|
||||
|
|
|
@ -92,6 +92,13 @@ outputs:
|
|||
'139 designate api':
|
||||
dport:
|
||||
- 9001
|
||||
firewall_frontend_rules:
|
||||
'100 designate_haproxy_frontend':
|
||||
dport:
|
||||
- 9001
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 designate_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13001
|
||||
keystone_resources:
|
||||
designate:
|
||||
|
|
|
@ -109,6 +109,10 @@ outputs:
|
|||
dport:
|
||||
- 2379
|
||||
- 2380
|
||||
firewall_frontend_rules:
|
||||
'100 ectd_haproxy_frontend':
|
||||
dport:
|
||||
- 2379
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionEtcd}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
|
|
@ -444,6 +444,13 @@ outputs:
|
|||
'112 glance_api':
|
||||
dport:
|
||||
- 9292
|
||||
firewall_frontend_rules:
|
||||
'100 glance_api_haproxy_frontend':
|
||||
dport:
|
||||
- 9292
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 glance_api_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13292
|
||||
keystone_resources:
|
||||
glance:
|
||||
|
|
|
@ -36,6 +36,11 @@ parameters:
|
|||
List of enabled Image Import Methods. Valid values in the list are
|
||||
'glance-direct', 'web-download', or 'copy-image'
|
||||
type: comma_delimited_list
|
||||
EnableGlanceApiProxy:
|
||||
default: true
|
||||
description: Configure haproxy to forward glance-api requests to glance-api
|
||||
services running at the edge site.
|
||||
type: boolean
|
||||
|
||||
resources:
|
||||
GlanceApiBase:
|
||||
|
@ -70,6 +75,14 @@ outputs:
|
|||
map_merge:
|
||||
- get_attr: [GlanceApiBase, role_data]
|
||||
- service_name: glance_api_edge
|
||||
firewall_edge_frontend_rules:
|
||||
if:
|
||||
- {get_param: EnableGlanceApiProxy}
|
||||
- {get_attr: [GlanceApiBase, role_data, firewall_fronetend_rules]}
|
||||
firewall_edge_ssl_frontend_rules:
|
||||
if:
|
||||
- {get_param: EnableGlanceApiProxy}
|
||||
- {get_attr: [GlanceApiBase, role_data, firewall_ssl_frontend_rules]}
|
||||
service_config_settings:
|
||||
map_merge:
|
||||
- get_attr: [GlanceApiBase, role_data, service_config_settings]
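Review bot: `firewall_fronetend_rules` in `- {get_attr: [GlanceApiBase, role_data, firewall_fronetend_rules]}` misspells the role_data key, so the non-SSL edge frontend rules for glance-api are read from an attribute that the base template never produces, while the ssl branch two lines below spells `firewall_ssl_frontend_rules` correctly. Change it to `- {get_attr: [GlanceApiBase, role_data, firewall_frontend_rules]}`. Because the path is selected out of a merged map, this probably surfaces as an empty value rather than a validation error, which would leave the glance-api edge proxy port unopened without any failure in the deploy; worth covering with a check that every `firewall_*` key referenced via get_attr is one of the names added to OPTIONAL_SECTIONS in tools/yaml-validate.py.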
|
||||
|
|
|
@ -168,6 +168,13 @@ outputs:
|
|||
'129 gnocchi-api':
|
||||
dport:
|
||||
- 8041
|
||||
firewall_frontend_rules:
|
||||
'100 gnocchi_haproxy_frontend':
|
||||
dport:
|
||||
- 8041
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 gnocchi_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13041
|
||||
keystone_resources:
|
||||
gnocchi:
|
||||
|
|
|
@ -157,6 +157,12 @@ outputs:
|
|||
'107 haproxy stats':
|
||||
dport: 1993
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
|
||||
ansible_group_vars:
|
||||
tripleo_firewall_frontend_enabled: true
|
||||
tripleo_firewall_ssl_frontend_enabled:
|
||||
if:
|
||||
- public_tls_enabled
|
||||
- true
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [HAProxyLogging, config_settings]
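Review bot: `tripleo_firewall_ssl_frontend_enabled:` uses the two-argument form of `if`, so when `public_tls_enabled` is false the key is dropped from ansible_group_vars and whatever default the tripleo_firewall role carries decides whether the 13xxx SSL frontend ports get opened. That default is not visible in this change, so make the intent explicit with an else branch: `- public_tls_enabled` / `- true` / `- false`. This keeps the SSL frontend ports closed by construction when public TLS is off rather than by a default defined elsewhere, and it mirrors the unconditional `tripleo_firewall_frontend_enabled: true` right above it.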
|
||||
|
|
|
@ -69,6 +69,10 @@ outputs:
|
|||
map_merge:
|
||||
- get_attr: [HAProxyBase, role_data]
|
||||
- service_name: haproxy_edge
|
||||
ansible_group_vars:
|
||||
map_merge:
|
||||
- get_attr: [HAPRoxyBase, role_data, ansible_group_vars]
|
||||
- tripleo_firewall_edge_frontend_enabled: true
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [HAProxyBase, role_data, config_settings]
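Review bot: `- get_attr: [HAPRoxyBase, role_data, ansible_group_vars]` names the resource `HAPRoxyBase`, but every other reference in this hunk uses `HAProxyBase`; a get_attr on an unknown resource name is rejected when Heat validates the template, so the haproxy-edge template would fail to deploy once this hunk is rendered. Change it to `- get_attr: [HAProxyBase, role_data, ansible_group_vars]`. The section-name checks this commit extends in tools/yaml-validate.py do not look at resource names inside get_attr, so this is only caught by a rendered-template validation or a deploy job.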
|
||||
|
|
|
@ -160,6 +160,7 @@ outputs:
|
|||
value:
|
||||
service_name: haproxy
|
||||
monitoring_subscription: {get_attr: [HAProxyBase, role_data, monitoring_subscription]}
|
||||
ansible_group_vars: {get_attr: [HAProxyBase, role_data, ansible_group_vars]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [HAProxyBase, role_data, config_settings]
|
||||
|
|
|
@ -98,6 +98,13 @@ outputs:
|
|||
'125 heat_cfn':
|
||||
dport:
|
||||
- 8000
|
||||
firewall_frontend_rules:
|
||||
'100 heat_api_cfn_haproxy_frontend':
|
||||
dport:
|
||||
- 8000
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 heat_api_cfn_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13800
|
||||
keystone_resources:
|
||||
heat-cfn:
|
||||
|
|
|
@ -116,6 +116,13 @@ outputs:
|
|||
'125 heat_api':
|
||||
dport:
|
||||
- 8004
|
||||
firewall_frontend_rules:
|
||||
'100 heat_api_haproxy_frontend':
|
||||
dport:
|
||||
- 8004
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 heat_api_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13004
|
||||
keystone_resources:
|
||||
heat:
|
||||
|
|
|
@ -173,6 +173,13 @@ outputs:
|
|||
'126 horizon':
|
||||
dport:
|
||||
- 80
|
||||
firewall_frontend_rules:
|
||||
'100 horizon_haproxy_frontend':
|
||||
dport:
|
||||
- 80
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 horizon_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 443
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
|
||||
config_settings:
|
||||
|
|
|
@ -44,6 +44,13 @@ outputs:
|
|||
'155 docker-registry':
|
||||
dport:
|
||||
- 8787
|
||||
firewall_frontend_rules:
|
||||
'100 docker_registry_haproxy_frontend':
|
||||
dport:
|
||||
- 8787
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 docker_registry_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13787
|
||||
host_prep_tasks:
|
||||
- name: authorize httpd to listen on registry ports
|
||||
|
|
|
@ -109,6 +109,13 @@ outputs:
|
|||
'133 ironic api':
|
||||
dport:
|
||||
- 6385
|
||||
firewall_frontend_rules:
|
||||
'100 ironic_haproxy_frontend':
|
||||
dport:
|
||||
- 6385
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 ironic_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13385
|
||||
keystone_resources:
|
||||
ironic:
|
||||
|
|
|
@ -218,7 +218,6 @@ outputs:
|
|||
'137 ironic-inspector':
|
||||
dport:
|
||||
- 5050
|
||||
- 13050
|
||||
'137 ironic-inspector dhcp input':
|
||||
iniface: {get_param: IronicInspectorInterface}
|
||||
ipversion: 'ipv4'
|
||||
|
@ -246,6 +245,14 @@ outputs:
|
|||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 547
|
||||
firewall_frontend_rules:
|
||||
'100 ironic-inspector_haproxy_frontend':
|
||||
dport:
|
||||
- 5050
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 ironic-inspector_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13050
|
||||
keystone_resources:
|
||||
ironic-inspector:
|
||||
endpoints:
|
||||
|
|
|
@ -433,8 +433,18 @@ outputs:
|
|||
'111 keystone':
|
||||
dport:
|
||||
- 5000
|
||||
- 13000
|
||||
- {get_param: [EndpointMap, KeystoneAdmin, port]}
|
||||
firewall_frontend_rules:
|
||||
'100 keystone_public_haproxy_frontend':
|
||||
dport:
|
||||
- 5000
|
||||
'100 keystone_admin_haproxy_frontend':
|
||||
dport:
|
||||
- {get_param: [EndpointMap, KeystoneAdmin, port]}
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 keystone_public_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13000
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
|
|
@ -149,6 +149,13 @@ outputs:
|
|||
'150 manila':
|
||||
dport:
|
||||
- 8786
|
||||
firewall_frontend_rules:
|
||||
'100 manila_haproxy_frontend':
|
||||
dport:
|
||||
- 8786
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 manila_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13786
|
||||
keystone_resources:
|
||||
manila:
|
||||
|
|
|
@ -267,6 +267,13 @@ outputs:
|
|||
'114 neutron api':
|
||||
dport:
|
||||
- 9696
|
||||
firewall_frontend_rules:
|
||||
'100 neutron_haproxy_frontend':
|
||||
dport:
|
||||
- 9696
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 neutron_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13696
|
||||
keystone_resources:
|
||||
neutron:
|
||||
|
|
|
@ -318,6 +318,13 @@ outputs:
|
|||
'113 nova_api':
|
||||
dport:
|
||||
- 8774
|
||||
firewall_frontend_rules:
|
||||
'100 nova_osapi_haproxy_frontend':
|
||||
dport:
|
||||
- 8774
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 nova_osapi_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13774
|
||||
keystone_resources:
|
||||
nova:
|
||||
|
|
|
@ -141,6 +141,13 @@ outputs:
|
|||
'139 nova_metadata':
|
||||
dport:
|
||||
- 8775
|
||||
firewall_frontend_rules:
|
||||
'100 nova_metadatahaproxy_frontend':
|
||||
dport:
|
||||
- 8775
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 nova_metadatahaproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13775
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata}
|
||||
config_settings:
|
||||
|
|
|
@ -172,6 +172,13 @@ outputs:
|
|||
'137 nova_vnc_proxy':
|
||||
dport:
|
||||
- 6080
|
||||
firewall_frontend_rules:
|
||||
'100 nova_vncproxy_haproxy_frontend':
|
||||
dport:
|
||||
- 6080
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 nova_vncproxy_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13080
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
|
|
@ -150,6 +150,13 @@ outputs:
|
|||
'120 octavia api':
|
||||
dport:
|
||||
- 9876
|
||||
firewall_frontend_rules:
|
||||
'100 octavia_haproxy_frontend':
|
||||
dport:
|
||||
- 9876
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 octavia_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13876
|
||||
keystone_resources:
|
||||
octavia:
|
||||
|
|
|
@ -85,6 +85,13 @@ outputs:
|
|||
dport:
|
||||
- {get_param: OVNNorthboundServerPort}
|
||||
- {get_param: OVNSouthboundServerPort}
|
||||
firewall_frontend_rules:
|
||||
'100 ovn_nbdb_haproxy_frontend':
|
||||
dport:
|
||||
- {get_param: OVNNorthboundServerPort}
|
||||
'100 ovn_sbdb_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- {get_param: OVNSouthboundServerPort}
|
||||
config_settings:
|
||||
ovn::northbound::port: {get_param: OVNNorthboundServerPort}
|
||||
ovn::southbound::port: {get_param: OVNSouthboundServerPort}
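Review bot: `'100 ovn_sbdb_haproxy_frontend_ssl'` is placed under `firewall_frontend_rules`, the non-SSL map, yet its name ends in `_ssl` while its sibling `'100 ovn_nbdb_haproxy_frontend'` does not. If the southbound DB frontend is plain TCP, rename it `'100 ovn_sbdb_haproxy_frontend':` so the rule name does not suggest a TLS port; if it is meant to be the TLS frontend it belongs under `firewall_ssl_frontend_rules` so it is only opened when that map is enabled. The same pair is repeated in the following ovn-dbs hunk (`'100 ovn_sbdb_haproxy_frontend_ssl'` under `firewall_frontend_rules` again) and should be changed together.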
|
||||
|
|
|
@ -150,6 +150,13 @@ outputs:
|
|||
- 3125
|
||||
- {get_param: OVNNorthboundServerPort}
|
||||
- {get_param: OVNSouthboundServerPort}
|
||||
firewall_frontend_rules:
|
||||
'100 ovn_nbdb_haproxy_frontend':
|
||||
dport:
|
||||
- {get_param: OVNNorthboundServerPort}
|
||||
'100 ovn_sbdb_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- {get_param: OVNSouthboundServerPort}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [OVNDbsBase, role_data, config_settings]
|
||||
|
|
|
@ -136,6 +136,13 @@ outputs:
|
|||
'138 placement':
|
||||
dport:
|
||||
- 8778
|
||||
firewall_frontend_rules:
|
||||
'100 placement_haproxy_frontend':
|
||||
dport:
|
||||
- 8778
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 placement_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13778
|
||||
keystone_resources:
|
||||
placement:
|
||||
|
|
|
@ -142,6 +142,13 @@ outputs:
|
|||
'122 swift proxy':
|
||||
dport:
|
||||
- 8080
|
||||
firewall_frontend_rules:
|
||||
'100 swift_proxy_server_haproxy_frontend':
|
||||
dport:
|
||||
- 8080
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 swift_proxy_server_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13808
|
||||
keystone_resources:
|
||||
swift:
|
||||
|
|
|
@ -88,6 +88,10 @@ outputs:
|
|||
debug:
|
||||
msg: |
|
||||
CIDRs found in the ctlplane network tags.
|
||||
host_firewall_tasks:
|
||||
- name: Run firewall role
|
||||
include_role:
|
||||
name: tripleo_firewall
|
||||
update_tasks:
|
||||
- name: Cleanup tripleo-iptables services
|
||||
when:
|
||||
|
|
|
@ -938,6 +938,37 @@ resources:
|
|||
properties:
|
||||
CtlplaneNetworkCidrs: {get_attr: [ControlVirtualIP, network, tags]}
|
||||
|
||||
# NOTE(tkajinam): Backend services and haproxy might be running in different
|
||||
# nodes, so we need to gather all frontend firewall rules
|
||||
# across all roles and pass the combined data to firewall
|
||||
# configuration task in the node where haproxy (or edge
|
||||
# haproxy) is assigned to.
|
||||
FirewallFrontendRules:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
type: json
|
||||
value:
|
||||
frontend:
|
||||
map_merge:
|
||||
{% for role in roles %}
|
||||
- get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_frontend_rules]
|
||||
{% endfor %}
|
||||
ssl_frontend:
|
||||
map_merge:
|
||||
{% for role in roles %}
|
||||
- get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_ssl_frontend_rules]
|
||||
{% endfor %}
|
||||
edge_frontend:
|
||||
map_merge:
|
||||
{% for role in roles %}
|
||||
- get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_edge_frontend_rules]
|
||||
{% endfor %}
|
||||
edge_ssl_frontend:
|
||||
map_merge:
|
||||
{% for role in roles %}
|
||||
- get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_edge_ssl_frontend_rules]
|
||||
{% endfor %}
|
||||
|
||||
{%- for role in roles %}
|
||||
{{role.name}}GroupVars:
|
||||
type: OS::Heat::Value
|
||||
|
@ -1014,6 +1045,11 @@ resources:
|
|||
tripleo_network_config_with_ansible: {get_param: NetworkConfigWithAnsible}
|
||||
default_route_networks: {{role.default_route_networks|default(['ControlPlane'])}}
|
||||
networks_skip_config: {{ role.networks_skip_config|default([]) }}
|
||||
tripleo_firewall_rules: {get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_rules]}
|
||||
tripleo_firewall_frontend_rules: {get_attr: [FirewallFrontendRules, value, frontend]}
|
||||
tripleo_firewall_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, ssl_frontend]}
|
||||
tripleo_firewall_edge_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_frontend]}
|
||||
tripleo_firewall_edge_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_ssl_frontend]}
|
||||
role_tags: {{role.tags}}
|
||||
|
||||
{{role.name}}NetworkConfig:
|
||||
|
|
|
@ -53,6 +53,10 @@ ENDPOINT_MAP_FILE = 'endpoint_map.yaml'
|
|||
OPTIONAL_SECTIONS = ['ansible_group_vars',
|
||||
'cellv2_discovery',
|
||||
'firewall_rules',
|
||||
'firewall_frontend_rules',
|
||||
'firewall_ssl_frontend_rules',
|
||||
'firewall_edge_frontend_rules',
|
||||
'firewall_edge_ssl_frontend_rules',
|
||||
'keystone_resources']
|
||||
REQUIRED_DOCKER_SECTIONS = ['service_name', 'docker_config', 'puppet_config',
|
||||
'config_settings']
|
||||
|
@ -61,9 +65,9 @@ OPTIONAL_DOCKER_SECTIONS = ['container_puppet_tasks', 'upgrade_tasks',
|
|||
'pre_upgrade_rolling_tasks',
|
||||
'post_upgrade_tasks', 'update_tasks',
|
||||
'post_update_tasks', 'service_config_settings',
|
||||
'host_prep_tasks', 'metadata_settings',
|
||||
'kolla_config', 'global_config_settings',
|
||||
'external_deploy_tasks',
|
||||
'host_firewall_tasks', 'host_prep_tasks',
|
||||
'metadata_settings', 'kolla_config',
|
||||
'global_config_settings', 'external_deploy_tasks',
|
||||
'external_post_deploy_tasks',
|
||||
'container_config_scripts', 'step_config',
|
||||
'monitoring_subscription', 'scale_tasks',
|
||||
|
|