Merge "firewall: make ExtraFirewallRules role specific" into stable/ussuri
commit
67d2e075ff
|
@ -87,3 +87,10 @@ parameter_defaults:
|
|||
proto: udp
|
||||
source: 127.0.0.1
|
||||
action: append
|
||||
StandaloneParameters:
|
||||
ExtraFirewallRules:
|
||||
'303 allow arbitrary tcp rule for controller':
|
||||
dport: 12347
|
||||
proto: tcp
|
||||
source: 127.0.0.1
|
||||
action: insert
|
||||
|
|
|
@ -34,6 +34,23 @@ parameters:
|
|||
default: {}
|
||||
description: Mapping of firewall rules.
|
||||
type: json
|
||||
tags:
|
||||
- role_specific
|
||||
|
||||
resources:
|
||||
# Merging role-specific parameters (RoleParameters) with the default parameters.
|
||||
# RoleParameters will have the precedence over the default parameters.
|
||||
RoleParametersValue:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
type: json
|
||||
value:
|
||||
map_replace:
|
||||
- map_replace:
|
||||
- extra_firewall_rules: ExtraFirewallRules
|
||||
- values: {get_param: [RoleParameters]}
|
||||
- values:
|
||||
ExtraFirewallRules: {get_param: ExtraFirewallRules}
|
||||
|
||||
conditions:
|
||||
no_ctlplane:
|
||||
|
@ -60,7 +77,7 @@ outputs:
|
|||
source: <%net_cidr%>
|
||||
proto: 'tcp'
|
||||
dport: 22
|
||||
- {get_param: ExtraFirewallRules}
|
||||
- {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
|
||||
host_prep_tasks:
|
||||
- if:
|
||||
- no_ctlplane
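Review bot: A role that sets ExtraFirewallRules in its role parameters appears to get only that mapping, because the nested `map_replace` in RoleParametersValue substitutes the role value for the placeholder and falls back to the global parameter only when the role defines none; the two mappings are never merged. An operator who keeps baseline rules in the global ExtraFirewallRules and later adds a single rule for one role would silently lose the baseline on that role's nodes. The parameter description is the natural place to state this, for example `description: Mapping of firewall rules. A role-specific value replaces the global mapping for that role; the two are not merged.` The same caveat belongs in the new example environment file, where both examples reuse rule '301' and so hide the difference.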
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
# This is an example of custom firewall rules that one could apply for specific
|
||||
# roles.
|
||||
|
||||
parameter_defaults:
|
||||
|
||||
# This firewall rule will autorize 12345/tcp from localhost on all the nodes
|
||||
# in the overcloud:
|
||||
# ExtraFirewallRules:
|
||||
# '301 allow arbitrary tcp rule':
|
||||
# dport: 12345
|
||||
# proto: tcp
|
||||
# source: 127.0.0.1
|
||||
# action: insert
|
||||
|
||||
# This firewall rule will autorize 12345/tcp from localhost on all the
|
||||
# compute nodes:
|
||||
# ComputeParameters:
|
||||
# ExtraFirewallRules:
|
||||
# '301 allow arbitrary tcp rule':
|
||||
# dport: 12345
|
||||
# proto: tcp
|
||||
# source: 127.0.0.1
|
||||
# action: insert
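Review bot: Both explanatory comments spell the verb as "autorize"; the first should read `# This firewall rule will authorize 12345/tcp from localhost on all the nodes`, and the compute example needs the same fix. Because every entry under it is commented out, `parameter_defaults:` has no value and parses as null. The header comment could therefore say that the file is a template to copy rules from rather than an environment to pass unchanged; how the consumer treats a null parameter_defaults is not visible here.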
|