Merge "Allow ssh from all for undercloud"

2019-01-21 16:10:16 +00:00 · 2019-01-21 16:10:16 +00:00 · 4d617a85ed
parent 52e273e653 2b7cb19876
commit 4d617a85ed
4 changed files with 26 additions and 4 deletions
--- a/deployment/sshd/sshd-baremetal-puppet.yaml
+++ b/deployment/sshd/sshd-baremetal-puppet.yaml
@ -65,6 +65,10 @@ parameters:
    default: 'no'
    description: Whether or not disable password authentication
    type: string
+  SshFirewallAllowAll:
+    default: false
+    description: Set this to true to open up ssh access from all sources.
+    type: boolean

 outputs:
  role_data:
@ -72,9 +76,18 @@ outputs:
    value:
      service_name: sshd
      config_settings:
-        tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
-        tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
-        tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
-        tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
+        map_merge:
+          - tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
+            tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
+            tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
+            tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
+          - if:
+            - {get_param: SshFirewallAllowAll}
+            - tripleo::sshd::firewall_rules:
+                '003 accept ssh from all':
+                  proto: 'tcp'
+                  dport: 22
+            - null
+
      step_config: |
        include ::tripleo::profile::base::sshd
--- a/environments/standalone/standalone-tripleo.yaml
+++ b/environments/standalone/standalone-tripleo.yaml
@ -44,6 +44,10 @@ parameter_defaults:
  # Type: string
  SoftwareConfigTransport: POLL_SERVER_HEAT

+  # Set this to true to open up ssh access from all sources.
+  # Type: boolean
+  SshFirewallAllowAll: True
+
  # Heat action on performed top-level stack.  Note StackUpdateType is set to UPGRADE when a major-version upgrade is in progress.
  # Mandatory. This parameter must be set by the user.
  # Type: string
--- a/environments/undercloud.yaml
+++ b/environments/undercloud.yaml
@ -156,3 +156,4 @@ parameter_defaults:
  # TODO(emilien) Remove when Keepalived 2.0.6 is out
  # https://bugs.launchpad.net/tripleo/+bug/1791238
  KeepalivedRestart: true
+  SshFirewallAllowAll: true
--- a/sample-env-generator/standalone.yaml
+++ b/sample-env-generator/standalone.yaml
@ -34,6 +34,9 @@ environments:
      deployment/tripleo-packages/tripleo-packages-baremetal-puppet.yaml:
        parameters:
          - EnablePackageInstall
+      deployment/sshd/sshd-baremetal-puppet.yaml:
+        parameters:
+          - SshFirewallAllowAll
      # TODO(aschultz): hack to pull in this config transport, not sure it is
      # still neded.
      puppet/controller-role.yaml:
@ -51,6 +54,7 @@ environments:
      SoftwareConfigTransport: POLL_SERVER_HEAT
      EnablePackageInstall: true
      SwiftReplicas: 1
+      SshFirewallAllowAll: true
    resource_registry:
      # this network config is assumed by the tripleo deploy command
      OS::TripleO::Network::Ports::RedisVipPort: ../../network/ports/noop.yaml