Merge "firewall: make ExtraFirewallRules role specific" into stable/ussuri

2020-10-06 06:52:20 +00:00 · 2020-10-06 06:52:20 +00:00 · 67d2e075ff
parent 808a6a3659 e83c47f11d
commit 67d2e075ff
3 changed files with 48 additions and 1 deletions
--- a/ci/environments/scenario003-standalone.yaml
+++ b/ci/environments/scenario003-standalone.yaml
@ -87,3 +87,10 @@ parameter_defaults:
      proto: udp
      source: 127.0.0.1
      action: append
+  StandaloneParameters:
+    ExtraFirewallRules:
+      '303 allow arbitrary tcp rule for controller':
+        dport: 12347
+        proto: tcp
+        source: 127.0.0.1
+        action: insert
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
@ -34,6 +34,23 @@ parameters:
    default: {}
    description: Mapping of firewall rules.
    type: json
+    tags:
+      - role_specific
+
+resources:
+  # Merging role-specific parameters (RoleParameters) with the default parameters.
+  # RoleParameters will have the precedence over the default parameters.
+  RoleParametersValue:
+    type: OS::Heat::Value
+    properties:
+      type: json
+      value:
+        map_replace:
+          - map_replace:
+            - extra_firewall_rules: ExtraFirewallRules
+            - values: {get_param: [RoleParameters]}
+          - values:
+              ExtraFirewallRules: {get_param: ExtraFirewallRules}

 conditions:
  no_ctlplane:
@ -60,7 +77,7 @@ outputs:
                    source: <%net_cidr%>
                    proto: 'tcp'
                    dport: 22
-          - {get_param: ExtraFirewallRules}
+          - {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
      host_prep_tasks:
        - if:
            - no_ctlplane
--- a/environments/firewall.yaml
+++ b/environments/firewall.yaml
@ -0,0 +1,23 @@
+# This is an example of custom firewall rules that one could apply for specific
+# roles.
+
+parameter_defaults:
+
+# This firewall rule will autorize 12345/tcp from localhost on all the nodes
+# in the overcloud:
+#  ExtraFirewallRules:
+#    '301 allow arbitrary tcp rule':
+#      dport: 12345
+#      proto: tcp
+#      source: 127.0.0.1
+#      action: insert
+
+# This firewall rule will autorize 12345/tcp from localhost on all the
+# compute nodes:
+#  ComputeParameters:
+#    ExtraFirewallRules:
+#      '301 allow arbitrary tcp rule':
+#        dport: 12345
+#        proto: tcp
+#        source: 127.0.0.1
+#        action: insert