Composable firewall rules

Split out the firewall rules in puppet/hieradata/controller.yaml
into the composable services

Depends-On: Id370362ab57347b75b1ab25afda877885b047263
Change-Id: Icaecab100d3f278035fbbb3facb9bf6c62c76c03

puppet/hieradata/controller.yaml

@@ -184,129 +184,7 @@ tripleo::haproxy::horizon: true
 controller_classes: []
 # firewall
 tripleo::firewall::firewall_rules:
-  '101 mongodb_config':
-    dport: 27019
-  '102 mongodb_sharding':
-    dport: 27018
-  '103 mongod':
-    dport: 27017
-  '104 mysql galera':
-    dport:
-      - 873
-      - 3306
-      - 4444
-      - 4567
-      - 4568
-      - 9200
-  '105 ntp':
-    dport: 123
-    proto: udp
-  '106 vrrp':
-    proto: vrrp
-  '107 haproxy stats':
-    dport: 1993
-  '108 redis':
-    dport:
-      - 6379
-      - 26379
-  '109 rabbitmq':
-    dport:
-      - 4369
-      - 5672
-      - 35672
-  '110 ceph':
-    dport:
-      - 6789
-      - '6800-6810'
-  '111 keystone':
-    dport:
-      - 5000
-      - 13000
-      - 35357
-      - 13357
-  '112 glance':
-    dport:
-      - 9292
-      - 9191
-      - 13292
-  '113 nova':
-    dport:
-      - 6080
-      - 13080
-      - 8773
-      - 3773
-      - 8774
-      - 13774
-      - 8775
-  '114 neutron server':
-    dport:
-      - 9696
-      - 13696
-  '115 neutron dhcp input':
-    proto: 'udp'
-    dport: 67
-  '116 neutron dhcp output':
-    proto: 'udp'
-    chain: 'OUTPUT'
-    dport: 68
-  '118 neutron vxlan networks':
-    proto: 'udp'
-    dport: 4789
-  '119 cinder':
-    dport:
-      - 8776
-      - 13776
-  '120 iscsi initiator':
-    dport: 3260
-  '121 memcached':
-    dport: 11211
-  '122 swift proxy':
-    dport:
-      - 8080
-      - 13808
-  '123 swift storage':
-    dport:
-      - 873
-      - 6000
-      - 6001
-      - 6002
-  '124 ceilometer':
-    dport:
-      - 8777
-      - 13777
-  '125 heat':
-    dport:
-      - 8000
-      - 13800
-      - 8003
-      - 13003
-      - 8004
-      - 13004
-  '126 horizon':
-    dport:
-      - 80
-      - 443
-  '127 snmp':
-    dport: 161
-    proto: 'udp'
   '128 aodh':
     dport:
       - 8042
       - 13042
-  '129 gnocchi-api':
-    dport:
-      - 8041
-      - 13041
-  '130 pacemaker tcp':
-    proto: 'tcp'
-    dport:
-      - 2224
-      - 3121
-      - 21064
-  '131 pacemaker udp':
-    proto: 'udp'
-    dport: 5405
-  '132 sahara':
-    dport:
-      - 8386
-      - 13386

puppet/services/ceilometer-api.yaml

@@ -23,6 +23,12 @@ outputs:
     value:
       service_name: ceilometer-api
       config_settings:
-        get_attr: [CeilometerServiceBase, role_data, config_settings]
+        map_merge:
+          - get_attr: [CeilometerServiceBase, role_data, config_settings]
+          - tripleo.ceilometer_api.firewall_rules:
+              '124 ceilometer':
+                dport:
+                  - 8777
+                  - 13777
       step_config: |
         include ::tripleo::profile::base::ceilometer::api

puppet/services/ceph-mon.yaml

@@ -53,5 +53,10 @@ outputs:
               - {get_param: NovaRbdPoolName}
               - {get_param: GlanceRbdPoolName}
               - {get_param: GnocchiRbdPoolName}
+            tripleo.ceph_mon.firewall_rules:
+              '110 ceph':
+                dport:
+                  - 6789
+                  - '6800-6810'
       step_config: |
         include ::tripleo::profile::base::ceph::mon

puppet/services/cinder-api.yaml

@@ -39,5 +39,10 @@ outputs:
             cinder::api::keystone_password: {get_param: CinderPassword}
             cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
             tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
+            tripleo.cinder_api.firewall_rules:
+              '119 cinder':
+                dport:
+                  - 8776
+                  - 13776
       step_config: |
         include ::tripleo::profile::base::cinder::api

puppet/services/cinder-volume.yaml

@@ -76,5 +76,8 @@ outputs:
             tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper}
             tripleo::profile::base::cinder::volume::rbd::cinder_rbd_pool_name: {get_param: CinderRbdPoolName}
             tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name: {get_param: CephClientUserName}
+            tripleo.cinder_volume.firewall_rules:
+              '120 iscsi initiator':
+                dport: 3260
       step_config: |
         include ::tripleo::profile::base::cinder::volume

puppet/services/database/mongodb.yaml

@@ -25,5 +25,12 @@ outputs:
           - get_attr: [MongoDbBase, role_data, config_settings]
           - tripleo::profile::base::database::mongodb::mongodb_replset: {get_attr: [MongoDbBase, aux_parameters, rplset_name]}
             mongodb::server::service_manage: True
+            tripleo.mongodb.firewall_rules:
+              '101 mongodb_config':
+                dport: 27019
+              '102 mongodb_sharding':
+                dport: 27018
+              '103 mongod':
+                dport: 27017
       step_config: |
-        include ::tripleo::profile::base::database::mongodb
+        include ::tripleo::profile::base::database::mongodb

puppet/services/database/mysql.yaml

@@ -17,5 +17,14 @@ outputs:
     value:
       service_name: mysql
       config_settings:
+        tripleo.mysql.firewall_rules:
+          '104 mysql galera':
+            dport:
+              - 873
+              - 3306
+              - 4444
+              - 4567
+              - 4568
+              - 9200
       step_config: |
         include ::tripleo::profile::base::database::mysql

puppet/services/database/redis.yaml

@@ -22,5 +22,10 @@ outputs:
       config_settings:
         map_merge:
           - get_attr: [RedisBase, role_data, config_settings]
+          - tripleo.redis.firewall_rules:
+              '108 redis':
+                dport:
+                  - 6379
+                  - 26379
       step_config: |
         include ::tripleo::profile::base::database::redis

puppet/services/glance-api.yaml

@@ -104,5 +104,10 @@ outputs:
         glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
         glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
         glance::keystone::auth::password: {get_param: GlancePassword }
+        tripleo.glance_api.firewall_rules:
+          '112 glance_api':
+            dport:
+              - 9292
+              - 13292
       step_config: |
         include ::tripleo::profile::base::glance::api

puppet/services/glance-registry.yaml

@@ -49,5 +49,9 @@ outputs:
           - '%'
           - "%{hiera('mysql_bind_host')}"
 
+        tripleo.glance_registry.firewall_rules:
+          '112 glance_registry':
+            dport:
+              - 9191
       step_config: |
         include ::tripleo::profile::base::glance::registry

puppet/services/gnocchi-api.yaml

@@ -24,5 +24,10 @@ outputs:
       config_settings:
         map_merge:
           - get_attr: [GnocchiServiceBase, role_data, config_settings]
+          - tripleo.gnocchi_api.firewall_rules:
+              '129 gnocchi-api':
+                dport:
+                  - 8041
+                  - 13041
       step_config: |
         include ::tripleo::profile::base::gnocchi::api

puppet/services/haproxy.yaml

@@ -15,5 +15,9 @@ outputs:
     description: Role data for the HAproxy role.
     value:
       service_name: haproxy
+      config_settings:
+        tripleo.haproxy.firewall_rules:
+          '107 haproxy stats':
+            dport: 1993
       step_config: |
         include ::tripleo::profile::base::haproxy

puppet/services/heat-api-cfn.yaml

@@ -40,5 +40,10 @@ outputs:
             heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
             heat::keystone::auth_cfn::password: {get_param: HeatPassword}
             heat::keystone::auth::region: {get_param: KeystoneRegion}
+            tripleo.heat_api_cfn.firewall_rules:
+              '125 heat_cfn':
+                dport:
+                  - 8000
+                  - 13800
       step_config: |
         include ::tripleo::profile::base::heat::api_cfn

puppet/services/heat-api-cloudwatch.yaml

@@ -27,5 +27,10 @@ outputs:
         map_merge:
           - get_attr: [HeatBase, role_data, config_settings]
           - heat::api_cloudwatch::workers: {get_param: HeatWorkers}
+            tripleo.heat_api_cloudwatch.firewall_rules:
+              '125 heat_cloudwatch':
+                dport:
+                  - 8003
+                  - 13003
       step_config: |
         include ::tripleo::profile::base::heat::api_cloudwatch

puppet/services/heat-api.yaml

@@ -40,5 +40,10 @@ outputs:
             heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
             heat::keystone::auth::password: {get_param: HeatPassword}
             heat::keystone::auth::region: {get_param: KeystoneRegion}
+            tripleo.heat_api.firewall_rules:
+              '125 heat_api':
+                dport:
+                  - 8004
+                  - 13004
       step_config: |
         include ::tripleo::profile::base::heat::api

puppet/services/horizon.yaml

@@ -31,5 +31,10 @@ outputs:
             template: MECHANISMS
             params:
               MECHANISMS: {get_param: NeutronMechanismDrivers}
+        tripleo.horizon.firewall_rules:
+          '126 horizon':
+            dport:
+              - 80
+              - 443
       step_config: |
         include ::tripleo::profile::base::horizon

puppet/services/keystone.yaml

@@ -136,5 +136,12 @@ outputs:
         keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
         # override via extraconfig:
         keystone::wsgi::apache::threads: 1
+        tripleo.keystone.firewall_rules:
+          '111 keystone':
+            dport:
+              - 5000
+              - 13000
+              - 35357
+              - 13357
       step_config: |
         include ::tripleo::profile::base::keystone

puppet/services/memcached.yaml

@@ -16,5 +16,8 @@ outputs:
     value:
       service_name: memcached
       config_settings:
+        tripleo.memcached.firewall_rules:
+          '121 memcached':
+            dport: 11211
       step_config: |
         include ::tripleo::profile::base::memcached

puppet/services/neutron-dhcp.yaml

@@ -28,5 +28,13 @@ outputs:
         map_merge:
           - get_attr: [NeutronBase, role_data, config_settings]
           - neutron::agents::dhcp::enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata}
+            tripleo.neutron_dhcp.firewall_rules:
+              '115 neutron dhcp input':
+                proto: 'udp'
+                dport: 67
+              '116 neutron dhcp output':
+                proto: 'udp'
+                chain: 'OUTPUT'
+                dport: 68
       step_config: |
         include tripleo::profile::base::neutron::dhcp

puppet/services/neutron-server.yaml

@@ -72,5 +72,15 @@ outputs:
             neutron::db::mysql::allowed_hosts:
               - '%'
               - "%{hiera('mysql_bind_host')}"
+            tripleo.neutron_server.firewall_rules:
+              '114 neutron server':
+                dport:
+                  - 9696
+                  - 13696
+              '118 neutron vxlan networks':
+                proto: 'udp'
+                dport: 4789
+              '106 vrrp':
+                proto: vrrp
       step_config: |
         include tripleo::profile::base::neutron::server

puppet/services/nova-api.yaml

@@ -32,5 +32,15 @@ outputs:
             nova::api::metadata_workers: {get_param: NovaWorkers}
             nova::cron::archive_deleted_rows::hour: '"*/12"'
             nova::cron::archive_deleted_rows::destination: '"/dev/null"'
+            tripleo.nova_api.firewall_rules:
+              '113 nova_api':
+                dport:
+                  - 6080
+                  - 13080
+                  - 8773
+                  - 3773
+                  - 8774
+                  - 13774
+                  - 8775
       step_config: |
         include tripleo::profile::base::nova::api

puppet/services/pacemaker.yaml

@@ -16,5 +16,15 @@ outputs:
     value:
       service_name: pacemaker
       config_settings:
+        tripleo.pacemaker.firewall_rules:
+          '130 pacemaker tcp':
+            proto: 'tcp'
+            dport:
+              - 2224
+              - 3121
+              - 21064
+          '131 pacemaker udp':
+            proto: 'udp'
+            dport: 5405
       step_config: |
         include ::tripleo::profile::base::pacemaker

puppet/services/rabbitmq.yaml

@@ -36,5 +36,11 @@ outputs:
         rabbitmq::default_user: {get_param: RabbitUserName}
         rabbitmq::default_pass: {get_param: RabbitPassword}
         rabbit_ipv6: {get_param: RabbitIPv6}
+        tripleo.rabbitmq.firewall_rules:
+          '109 rabbitmq':
+            dport:
+              - 4369
+              - 5672
+              - 35672
       step_config: |
         include ::tripleo::profile::base::rabbitmq

puppet/services/sahara-api.yaml

@@ -49,5 +49,10 @@ outputs:
             sahara::keystone::auth::admin_url: {get_param: [EndpointMap, SaharaAdmin, uri]}
             sahara::keystone::auth::password: {get_param: SaharaPassword }
             sahara::keystone::auth::region: {get_param: KeystoneRegion}
+            tripleo.sahara_api.firewall_rules:
+              '132 sahara':
+                dport:
+                  - 8386
+                  - 13386
       step_config: |
         include ::tripleo::profile::base::sahara::api

puppet/services/snmp.yaml

@@ -28,5 +28,9 @@ outputs:
       config_settings:
         snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName}
         snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
+        tripleo.snmp.firewall_rules:
+          '127 snmp':
+            dport: 161
+            proto: 'udp'
       step_config: |
         include ::tripleo::profile::base::snmp

puppet/services/swift-proxy.yaml

@@ -51,5 +51,10 @@ outputs:
         swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]}
         swift::keystone::auth::password: {get_param: SwiftPassword}
         swift::keystone::auth::region: {get_param: KeystoneRegion}
+        tripleo.swift_proxy.firewall_rules:
+          '122 swift proxy':
+            dport:
+              - 8080
+              - 13808
       step_config: |
         include ::tripleo::profile::base::swift::proxy

puppet/services/swift-storage.yaml

@@ -41,5 +41,12 @@ outputs:
         # Swift
         swift::storage::all::mount_check: {get_param: SwiftMountCheck}
         tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage}
+        tripleo.swift_storage.firewall_rules:
+          '123 swift storage':
+            dport:
+              - 873
+              - 6000
+              - 6001
+              - 6002
       step_config: |
         include ::tripleo::profile::base::swift::storage

puppet/services/time/ntp.yaml

@@ -24,5 +24,9 @@ outputs:
       service_name: ntp
       config_settings:
         ntp::ntpservers: {get_param: NtpServer}
+        tripleo.ntp.firewall_rules:
+          '105 ntp':
+            dport: 123
+            proto: udp
       step_config: |
         include ::ntp