From 2b7cb198764a23d7d2a42d93da7a0f2d133a8af3 Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Fri, 18 Jan 2019 13:08:02 +0100
Subject: [PATCH] Allow ssh from all for undercloud

I89cff59947dda3f51482486c41a3d67c4aa36a3e broke SSH access on the Undercloud, we shouldn't be that restrictive by default for the undercloud and standalone (as deployed via tripleo deploy). This change adds a new parameter called SshFirewallAllowAll that can be used to include an allow all for ssh. By default it is disabled when deploying the overcloud but is used by the undercloud and standalone to allow access after installation.

Change-Id: Ie548f7216610e15af24c96f65a58cc8de603235c
Co-Authored-By: Alex Schultz
---
 deployment/sshd/sshd-baremetal-puppet.yaml | 21 +++++++++++++++----
 .../standalone/standalone-tripleo.yaml | 4 ++++
 environments/undercloud.yaml | 1 +
 sample-env-generator/standalone.yaml | 4 ++++
 4 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/deployment/sshd/sshd-baremetal-puppet.yaml b/deployment/sshd/sshd-baremetal-puppet.yaml
index 0d7e1a058a..d4a06ae9a3 100644
--- a/deployment/sshd/sshd-baremetal-puppet.yaml
+++ b/deployment/sshd/sshd-baremetal-puppet.yaml
@@ -65,6 +65,10 @@ parameters:
     default: 'no'
     description: Whether or not disable password authentication
     type: string
+  SshFirewallAllowAll:
+    default: false
+    description: Set this to true to open up ssh access from all sources.
+    type: boolean
 
 outputs:
   role_data:
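Review bot: The description of `SshFirewallAllowAll` should spell out what "all sources" means, because an operator who copies this parameter into an overcloud environment needs to understand the exposure: the other hunk in this file turns it into a host-firewall accept rule for tcp/22 with no source restriction, independent of anything sshd itself enforces. I would expand it to `description: Set this to true to add a host firewall rule accepting ssh (tcp/22) from any source. Intended for the undercloud and standalone deployments; leave it false on overcloud nodes and restrict ssh by network instead.` The rest of the `parameters:` mapping lies outside the hunk.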
@@ -72,9 +76,18 @@ outputs:
     value:
       service_name: sshd
       config_settings:
-        tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
-        tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
-        tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
-        tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
+        map_merge:
+          - tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
+            tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
+            tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
+            tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
+          - if:
+            - {get_param: SshFirewallAllowAll}
+            - tripleo::sshd::firewall_rules:
+                '003 accept ssh from all':
+                  proto: 'tcp'
+                  dport: 22
+            - null
+
       step_config: |
         include ::tripleo::profile::base::sshd
diff --git a/environments/standalone/standalone-tripleo.yaml b/environments/standalone/standalone-tripleo.yaml
index f1712eb1fa..8b32d4b32e 100644
--- a/environments/standalone/standalone-tripleo.yaml
+++ b/environments/standalone/standalone-tripleo.yaml
@@ -44,6 +44,10 @@ parameter_defaults:
   # Type: string
   SoftwareConfigTransport: POLL_SERVER_HEAT
 
+  # Set this to true to open up ssh access from all sources.
+  # Type: boolean
+  SshFirewallAllowAll: True
+
   # Heat action on performed top-level stack. Note StackUpdateType is set to UPGRADE when a major-version upgrade is in progress.
   # Mandatory. This parameter must be set by the user.
   # Type: string
diff --git a/environments/undercloud.yaml b/environments/undercloud.yaml
index 654aab5e55..8cae712542 100644
--- a/environments/undercloud.yaml
+++ b/environments/undercloud.yaml
@@ -156,3 +156,4 @@ parameter_defaults:
   # TODO(emilien) Remove when Keepalived 2.0.6 is out
   # https://bugs.launchpad.net/tripleo/+bug/1791238
   KeepalivedRestart: true
+  SshFirewallAllowAll: true
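Review bot: The new `'003 accept ssh from all'` rule hard-codes `dport: 22`, while the same `map_merge` passes `SshServerOptions` through untouched, so an operator who moves sshd to another port via that parameter and sets `SshFirewallAllowAll: true` opens tcp/22 to the world and gains nothing on the port sshd actually listens on. If there is no clean way to read a `Port` override back out of the free-form options map, at least say so next to the rule, e.g. `# Accepts tcp/22 from any source; assumes the default sshd port (a Port override in SshServerOptions is not reflected here).` I cannot tell from this hunk whether the rule lands in both the IPv4 and IPv6 tables, which is worth confirming for dual-stacked underclouds. The `outputs:`/`role_data:` header is in the preceding hunk, so the enclosing block starts outside this one.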
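Review bot: `SshFirewallAllowAll: True` uses the capitalised spelling while the other three files in this patch write `true`; Heat's boolean parameter type should accept either, but yamllint's truthy rule and the surrounding file argue for `SshFirewallAllowAll: true`. This file looks like the output of sample-env-generator/standalone.yaml, which the patch also edits with a lowercase `true`, so the mismatch suggests it was hand-edited rather than regenerated — regenerating it would keep the two in sync. The `parameter_defaults:` mapping continues outside the hunk.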
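Review bot: The new `SshFirewallAllowAll: true` is appended directly under `KeepalivedRestart: true`, which sits beneath a `TODO(emilien) Remove when Keepalived 2.0.6 is out` comment; when that TODO is acted on the unrelated ssh line is easy to delete with it, and a reader may assume the TODO covers it. I would separate it with a blank line and give it its own comment, e.g. `# Keep the undercloud reachable over ssh from any source after install (see Ie548f72)` placed above `SshFirewallAllowAll: true`. The `parameter_defaults:` mapping starts outside the hunk.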
diff --git a/sample-env-generator/standalone.yaml b/sample-env-generator/standalone.yaml
index 1a547c55a4..c3a1a8f4a1 100644
--- a/sample-env-generator/standalone.yaml
+++ b/sample-env-generator/standalone.yaml
@@ -34,6 +34,9 @@ environments:
       deployment/tripleo-packages/tripleo-packages-baremetal-puppet.yaml:
         parameters:
           - EnablePackageInstall
+      deployment/sshd/sshd-baremetal-puppet.yaml:
+        parameters:
+          - SshFirewallAllowAll
       # TODO(aschultz): hack to pull in this config transport, not sure it is
       # still neded.
       puppet/controller-role.yaml:
@@ -51,6 +54,7 @@ environments:
       SoftwareConfigTransport: POLL_SERVER_HEAT
       EnablePackageInstall: true
       SwiftReplicas: 1
+      SshFirewallAllowAll: true
     resource_registry:
       # this network config is assumed by the tripleo deploy command
       OS::TripleO::Network::Ports::RedisVipPort: ../../network/ports/noop.yaml