Convert firewall rules to use TripleO-Ansible

This change converts our filewall deployment practice to use the tripleo-ansible firewall role. This change creates a new "firewall_rules" object which is queried using YAQL from the "FirewallRules" resource. A new parameter has been added allowing users to input additional firewall rules as needed. The new parameter is `ExtraFirewallRules` and will be merged on top of the YAQL interface. Depends-On: Ie5d0f51d7efccd112847d3f1edf5fd9cdb1edeed Change-Id: I1be209a04f599d1d018e730c92f1fc8dd9bf884b Signed-off-by: Kevin Carter <kecarter@redhat.com>
2019-08-19 10:38:24 -05:00
parent c7f19f0bd2
commit 50367fbe35
86 changed files with 832 additions and 675 deletions
--- a/deployment/ipsec/ipsec-baremetal-ansible.yaml
+++ b/deployment/ipsec/ipsec-baremetal-ansible.yaml
@@ -44,42 +44,40 @@ outputs:
    description: Role data for the IPSEC service
    value:
      service_name: ipsec
-      config_settings:
-        tripleo::ipsec::firewall_rules:
-          '100 IPSEC IKE INPUT':
-            dport: 500
-            sport: 500
-            proto: udp
-            chain: INPUT
-          '100 IPSEC IKE OUTPUT':
-            dport: 500
-            sport: 500
-            proto: udp
-            chain: OUTPUT
-          '100 IPSEC IKE NAT-Traversal INPUT':
-            dport: 4500
-            sport: 4500
-            proto: udp
-            chain: INPUT
-          '100 IPSEC IKE NAT-Traversal OUTPUT':
-            dport: 4500
-            sport: 4500
-            proto: udp
-            chain: OUTPUT
-          '100 IPSEC ESP INPUT':
-            proto: esp
-            chain: INPUT
-          '100 IPSEC ESP OUTPUT':
-            proto: esp
-            chain: OUTPUT
-          '100 IPSEC Authentication Header INPUT':
-            proto: ah
-            chain: INPUT
-          '100 IPSEC Authentication Header OUTPUT':
-            proto: ah
-            chain: OUTPUT
+      firewall_rules:
+        '100 IPSEC IKE INPUT':
+          dport: 500
+          sport: 500
+          proto: udp
+          chain: INPUT
+        '100 IPSEC IKE OUTPUT':
+          dport: 500
+          sport: 500
+          proto: udp
+          chain: OUTPUT
+        '100 IPSEC IKE NAT-Traversal INPUT':
+          dport: 4500
+          sport: 4500
+          proto: udp
+          chain: INPUT
+        '100 IPSEC IKE NAT-Traversal OUTPUT':
+          dport: 4500
+          sport: 4500
+          proto: udp
+          chain: OUTPUT
+        '100 IPSEC ESP INPUT':
+          proto: esp
+          chain: INPUT
+        '100 IPSEC ESP OUTPUT':
+          proto: esp
+          chain: OUTPUT
+        '100 IPSEC Authentication Header INPUT':
+          proto: ah
+          chain: INPUT
+        '100 IPSEC Authentication Header OUTPUT':
+          proto: ah
+          chain: OUTPUT
      upgrade_tasks: []
-      step_config: ''
      external_deploy_tasks:
        - name: IPSEC configuration on step 1
          when: step|int == 1