Designate - Use net_cidr_map for rndc_allowed_addresses

Change I68e064d23ec5d43f59146d974cae604d2c5fdb52 makes
NetCidrMapValue a list of ip networks.

The designate service configures the dns backend security
to control from which addresses updates are allowed. We
should use the list of CIDRs associated with the
DesignateApiNetwork to allow all nodes in the network to
remotely control the nameserver.

Partial: blueprint tripleo-routed-networks-templates
Change-Id: I5c5cd51c8f127e8879c5528883c3abd261f4a5b3
Harald Jensås 2018-11-19 22:58:21 +01:00
parent da1de3aafc
commit 5666a4fe0d
2 changed files with 8 additions and 6 deletions

@ -94,12 +94,10 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
tripleo::profile::base::designate::rndc_allowed_addresses:
# TODO(hjensas): Replace with get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, DesignateApiNetwork]}
- str_replace:
template:
"%{hiera('$NETWORK_subnet')}"
params:
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, DesignateApiNetwork]}
designate::backend::bind9::rndc_host:
str_replace:
template:
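
Review bot: in the rndc_allowed_addresses value, the allow-list is now taken straight from net_cidr_map for DesignateApiNetwork, so every CIDR of that network is permitted on the rndc control channel, not only the Designate hosts. If that breadth is intended, as the commit message says, a one-line comment in place of the removed TODO stating that the value is a list of CIDRs would document it; otherwise consider narrowing the list to the nodes that actually need rndc. Also confirm that the get_param result is used as the list itself and is not nested as a single item of a list, since the removed str_replace was a list item ("- str_replace:") and the commit message says net_cidr_map values are already lists.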

@ -912,6 +912,10 @@ def validate_service_hiera_interpol(f, tpl):
# Omit apache remoteip proxy_ips
if 'apache::mod::remoteip::proxy_ips' in path:
continue
# Omit Designate rndc_allowed_addressses
if ('tripleo::profile::base::designate::rndc_allowed_addresses' in
path):
continue
# Omit if not a part of {get_param: [ServiceNetMap ...
if not enter_lists and path[-1] != 'get_param':
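
Review bot: the new exemption in validate_service_hiera_interpol skips the check for tripleo::profile::base::designate::rndc_allowed_addresses without saying why. The comment should give the reason (presumably that the value now uses get_param on net_cidr_map instead of a hiera interpolation) so the skip can be revisited later. The comment also misspells the key as "rndc_allowed_addressses". With two hard-coded keys now exempted, a single tuple of omitted keys checked in one place would be easier to audit than a growing chain of if/continue blocks.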