Merge "Define frontend firewall rules separately"
6fb173e590
@ -311,6 +311,16 @@ resources:
|
||||
expression: dict(coalesce($.data, []).where($ != null).select([$.get('container_puppet_tasks'), $.get('service_name')]).where($[0] != null).select([$[0], dict($[0].keys().zip(dict(service_name=>$[1]).repeat(len($[0].keys()))))]).select($[0].mergeWith($[1])).selectMany($.items()).groupBy($[0], $[1]))
|
||||
data: {get_attr: [ServiceChain, role_data]}
|
||||
|
||||
HostFirewallTasks:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
type: comma_delimited_list
|
||||
value:
|
||||
yaql:
|
||||
# Note we use distinct() here to filter any identical tasks
|
||||
expression: coalesce($.data, []).where($ != null).select($.get('host_firewall_tasks')).where($ != null).flatten().distinct()
|
||||
data: {get_attr: [ServiceChain, role_data]}
|
||||
|
||||
HostPrepTasks:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
@ -351,6 +361,32 @@ resources:
|
||||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_rules')).where($ != null)).flatten()
|
||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||
|
||||
FirewallFrontendRules:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
type: json
|
||||
value:
|
||||
frontend:
|
||||
map_merge:
|
||||
yaql:
|
||||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_frontend_rules')).where($ != null)).flatten()
|
||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||
ssl_frontend:
|
||||
map_merge:
|
||||
yaql:
|
||||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_ssl_frontend_rules')).where($ != null)).flatten()
|
||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||
edge_frontend:
|
||||
map_merge:
|
||||
yaql:
|
||||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_edge_frontend_rules')).where($ != null)).flatten()
|
||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||
edge_sslfrontend:
|
||||
map_merge:
|
||||
yaql:
|
||||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_edge_ssl_frontend_rules')).where($ != null)).flatten()
|
||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
@ -385,6 +421,13 @@ outputs:
|
||||
- {get_attr: [AnsibleGroupVars, value]}
|
||||
keystone_resources: {get_attr: [KeystoneResourcesConfigs, value]}
|
||||
|
||||
# Firewall rules
|
||||
firewall_rules: {get_attr: [FirewallRules, value]}
|
||||
firewall_frontend_rules: {get_attr: [FirewallFrontendRules, value, frontend]}
|
||||
firewall_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, ssl_frontend]}
|
||||
firewall_edge_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_frontend]}
|
||||
firewall_edge_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_ssl_frontend]}
|
||||
|
||||
# Keys to support docker/services
|
||||
puppet_config: {get_attr: [PuppetConfig, value]}
|
||||
kolla_config: {get_attr: [KollaConfig, value]}
|
||||
@ -396,10 +439,6 @@ outputs:
|
||||
- {get_attr: [DockerPuppetTasks, value]}
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- - name: Run firewall role
|
||||
include_role:
|
||||
name: tripleo_firewall
|
||||
vars:
|
||||
tripleo_firewall_rules: {get_attr: [FirewallRules, value]}
|
||||
- {get_attr: [HostFirewallTasks, value]}
|
||||
- {get_attr: [HostPrepTasks, value]}
|
||||
pre_deploy_step_tasks: {get_attr: [PreDeployStepTasks, value]}
|
||||
|
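Review bot: The FirewallFrontendRules value in the second hunk defines its last key as `edge_sslfrontend:`, but the new `firewall_edge_ssl_frontend_rules` output in the third hunk reads `{get_attr: [FirewallFrontendRules, value, edge_ssl_frontend]}`, and the FirewallFrontendRules resource added to overcloud.j2.yaml in this same commit also uses `edge_ssl_frontend`. As written the output path does not match the map, so the edge SSL frontend rules collected from this role's services would never be delivered to the firewall role. Rename the key to `edge_ssl_frontend:` so the four map keys line up with the four outputs. The resources section these hunks belong to starts before the first hunk.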
@ -165,6 +165,13 @@ outputs:
|
||||
'128 aodh-api':
|
||||
dport:
|
||||
- 8042
|
||||
firewall_frontend_rules:
|
||||
'100 aodh_haproxy_frontend':
|
||||
dport:
|
||||
- 8042
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 aodh_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13042
|
||||
keystone_resources:
|
||||
aodh:
|
||||
|
@ -228,6 +228,13 @@ outputs:
|
||||
'117 barbican':
|
||||
dport:
|
||||
- 9311
|
||||
firewall_frontend_rules:
|
||||
'100 barbican_haproxy_frontend':
|
||||
dport:
|
||||
- 9311
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 barbican_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13311
|
||||
keystone_resources:
|
||||
barbican:
|
||||
|
@ -125,13 +125,23 @@ outputs:
|
||||
firewall_rules:
|
||||
'123 ceph_dashboard':
|
||||
dport:
|
||||
- {get_param: GrafanaDashboardPort}
|
||||
- 9090
|
||||
- 9092
|
||||
- 9093
|
||||
- 9094
|
||||
- 9100
|
||||
- 9283
|
||||
- {get_param: GrafanaDashboardPort}
|
||||
- 9090
|
||||
- 9092
|
||||
- 9093
|
||||
- 9094
|
||||
- 9100
|
||||
- 9283
|
||||
firewall_frontend_rules:
|
||||
'100 ceph_graphana':
|
||||
dport:
|
||||
- {get_param: GrafanaDashboardPort}
|
||||
'100 ceph_prometheus':
|
||||
dport:
|
||||
- 9092
|
||||
'100 ceph_alertmanager':
|
||||
dport:
|
||||
- 9093
|
||||
upgrade_tasks: []
|
||||
puppet_config: {}
|
||||
docker_config: {}
|
||||
|
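Review bot: The new frontend rule name `'100 ceph_graphana':` misspells grafana; the neighbouring rules use the service names spelled correctly, and the backend rule in the same file is `'123 ceph_dashboard'`. Since the rule name is the map key that map_merge combines across services, a typo is harmless functionally but is the identifier an operator will see when tracing which rule opened the dashboard port. Change it to `'100 ceph_grafana':`.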
@ -108,6 +108,12 @@ outputs:
|
||||
- if:
|
||||
- {get_param: CephEnableDashboard}
|
||||
- - {get_param: CephDashboardPort}
|
||||
firewall_frontend_rules:
|
||||
if:
|
||||
- {get_param: CephEnableDashboard}
|
||||
- '100 ceph_dashboard':
|
||||
dport:
|
||||
- {get_param: CephDashboardPort}
|
||||
upgrade_tasks: []
|
||||
puppet_config: {}
|
||||
docker_config: {}
|
||||
|
@ -98,6 +98,14 @@ outputs:
|
||||
- if:
|
||||
- {get_param: CephEnableDashboard}
|
||||
- - '9100'
|
||||
firewall_frontend_rules:
|
||||
'100 ceph_rgw':
|
||||
dport:
|
||||
- {get_param: [EndpointMap, CephRgwInternal, port]}
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 ceph_rgw_ssl':
|
||||
dport:
|
||||
- {get_param: [EndpointMap, CephRgwPublic, port]}
|
||||
keystone_resources:
|
||||
swift:
|
||||
endpoints:
|
||||
|
@ -162,6 +162,13 @@ outputs:
|
||||
'119 cinder':
|
||||
dport:
|
||||
- 8776
|
||||
firewall_frontend_rules:
|
||||
'100 cinder_haproxy_frontend':
|
||||
dport:
|
||||
- 8776
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 cinder_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13776
|
||||
keystone_resources:
|
||||
cinder:
|
||||
|
@ -94,6 +94,10 @@ outputs:
|
||||
- 4567
|
||||
- 4568
|
||||
- 9200
|
||||
firewall_frontend_rules:
|
||||
'100 mysql_haproxy':
|
||||
dport:
|
||||
- 3306
|
||||
config_settings:
|
||||
map_merge:
|
||||
- {get_attr: [MysqlBase, role_data, config_settings]}
|
||||
|
@ -134,6 +134,10 @@ outputs:
|
||||
- 4567
|
||||
- 4568
|
||||
- 9200
|
||||
firewall_frontend_rules:
|
||||
'100 mysql_haproxy':
|
||||
dport:
|
||||
- 3306
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [MysqlBase, role_data, config_settings]
|
||||
|
@ -90,6 +90,11 @@ outputs:
|
||||
dport:
|
||||
- 6379
|
||||
- 26379
|
||||
firewall_frontend_rules:
|
||||
'100 redis_haproxy_frontend':
|
||||
dport:
|
||||
- 6379
|
||||
- 26379
|
||||
config_settings:
|
||||
map_merge:
|
||||
- {get_attr: [RedisBase, role_data, config_settings]}
|
||||
|
@ -110,6 +110,13 @@ outputs:
|
||||
'139 designate api':
|
||||
dport:
|
||||
- 9001
|
||||
firewall_frontend_rules:
|
||||
'100 designate_haproxy_frontend':
|
||||
dport:
|
||||
- 9001
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 designate_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13001
|
||||
keystone_resources:
|
||||
designate:
|
||||
|
@ -127,6 +127,10 @@ outputs:
|
||||
dport:
|
||||
- 2379
|
||||
- 2380
|
||||
firewall_frontend_rules:
|
||||
'100 ectd_haproxy_frontend':
|
||||
dport:
|
||||
- 2379
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionEtcd}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
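Review bot: The rule key `'100 ectd_haproxy_frontend':` transposes the service name; every other frontend rule in this commit is named after its service (`'100 cinder_haproxy_frontend'`, `'100 redis_haproxy_frontend'`, ...). Change it to `'100 etcd_haproxy_frontend':` so the rule is discoverable under the name operators will search for.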
@ -462,6 +462,13 @@ outputs:
|
||||
'112 glance_api':
|
||||
dport:
|
||||
- 9292
|
||||
firewall_frontend_rules:
|
||||
'100 glance_api_haproxy_frontend':
|
||||
dport:
|
||||
- 9292
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 glance_api_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13292
|
||||
keystone_resources:
|
||||
glance:
|
||||
|
@ -36,6 +36,11 @@ parameters:
|
||||
List of enabled Image Import Methods. Valid values in the list are
|
||||
'glance-direct', 'web-download', or 'copy-image'
|
||||
type: comma_delimited_list
|
||||
EnableGlanceApiProxy:
|
||||
default: true
|
||||
description: Configure haproxy to forward glance-api requests to glance-api
|
||||
services running at the edge site.
|
||||
type: boolean
|
||||
|
||||
resources:
|
||||
GlanceApiBase:
|
||||
@ -70,6 +75,14 @@ outputs:
|
||||
map_merge:
|
||||
- get_attr: [GlanceApiBase, role_data]
|
||||
- service_name: glance_api_edge
|
||||
firewall_edge_frontend_rules:
|
||||
if:
|
||||
- {get_param: EnableGlanceApiProxy}
|
||||
- {get_attr: [GlanceApiBase, role_data, firewall_fronetend_rules]}
|
||||
firewall_edge_ssl_frontend_rules:
|
||||
if:
|
||||
- {get_param: EnableGlanceApiProxy}
|
||||
- {get_attr: [GlanceApiBase, role_data, firewall_ssl_frontend_rules]}
|
||||
service_config_settings:
|
||||
map_merge:
|
||||
- get_attr: [GlanceApiBase, role_data, service_config_settings]
|
||||
|
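Review bot: The `firewall_edge_frontend_rules` branch reads `{get_attr: [GlanceApiBase, role_data, firewall_fronetend_rules]}` — `fronetend` is a typo, and the sibling branch right below correctly uses `firewall_ssl_frontend_rules`. Depending on how Heat resolves a missing key in an attribute path this is either a validation failure or a silently empty rule set; in the second case the edge haproxy node would never have the glance-api port opened when EnableGlanceApiProxy is true, which is the whole purpose of the new parameter. Change it to `- {get_attr: [GlanceApiBase, role_data, firewall_frontend_rules]}`.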
@ -186,6 +186,13 @@ outputs:
|
||||
'129 gnocchi-api':
|
||||
dport:
|
||||
- 8041
|
||||
firewall_frontend_rules:
|
||||
'100 gnocchi_haproxy_frontend':
|
||||
dport:
|
||||
- 8041
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 gnocchi_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13041
|
||||
keystone_resources:
|
||||
gnocchi:
|
||||
|
@ -180,6 +180,12 @@ outputs:
|
||||
'107 haproxy stats':
|
||||
dport: 1993
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
|
||||
ansible_group_vars:
|
||||
tripleo_firewall_frontend_enabled: true
|
||||
tripleo_firewall_ssl_frontend_enabled:
|
||||
if:
|
||||
- public_tls_enabled
|
||||
- true
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [HAProxyLogging, config_settings]
|
||||
|
@ -69,6 +69,10 @@ outputs:
|
||||
map_merge:
|
||||
- get_attr: [HAProxyBase, role_data]
|
||||
- service_name: haproxy_edge
|
||||
ansible_group_vars:
|
||||
map_merge:
|
||||
- get_attr: [HAPRoxyBase, role_data, ansible_group_vars]
|
||||
- tripleo_firewall_edge_frontend_enabled: true
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [HAProxyBase, role_data, config_settings]
|
||||
|
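Review bot: The new ansible_group_vars map_merge references `HAPRoxyBase` in `- get_attr: [HAPRoxyBase, role_data, ansible_group_vars]`, while the surrounding lines (and the service_name merge above it) use `HAProxyBase`. A get_attr against a resource name that does not exist in the template should be rejected at stack validation, so this would break every deployment that includes the haproxy edge service rather than just lose the group var. Change it to `- get_attr: [HAProxyBase, role_data, ansible_group_vars]`.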
@ -178,6 +178,7 @@ outputs:
|
||||
value:
|
||||
service_name: haproxy
|
||||
monitoring_subscription: {get_attr: [HAProxyBase, role_data, monitoring_subscription]}
|
||||
ansible_group_vars: {get_attr: [HAProxyBase, role_data, ansible_group_vars]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [HAProxyBase, role_data, config_settings]
|
||||
|
@ -116,6 +116,13 @@ outputs:
|
||||
'125 heat_cfn':
|
||||
dport:
|
||||
- 8000
|
||||
firewall_frontend_rules:
|
||||
'100 heat_api_cfn_haproxy_frontend':
|
||||
dport:
|
||||
- 8000
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 heat_api_cfn_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13800
|
||||
keystone_resources:
|
||||
heat-cfn:
|
||||
|
@ -134,6 +134,13 @@ outputs:
|
||||
'125 heat_api':
|
||||
dport:
|
||||
- 8004
|
||||
firewall_frontend_rules:
|
||||
'100 heat_api_haproxy_frontend':
|
||||
dport:
|
||||
- 8004
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 heat_api_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13004
|
||||
keystone_resources:
|
||||
heat:
|
||||
|
@ -197,6 +197,13 @@ outputs:
|
||||
'126 horizon':
|
||||
dport:
|
||||
- 80
|
||||
firewall_frontend_rules:
|
||||
'100 horizon_haproxy_frontend':
|
||||
dport:
|
||||
- 80
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 horizon_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 443
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
|
||||
config_settings:
|
||||
|
@ -44,6 +44,13 @@ outputs:
|
||||
'155 docker-registry':
|
||||
dport:
|
||||
- 8787
|
||||
firewall_frontend_rules:
|
||||
'100 docker_registry_haproxy_frontend':
|
||||
dport:
|
||||
- 8787
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 docker_registry_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13787
|
||||
host_prep_tasks:
|
||||
- name: authorize httpd to listen on registry ports
|
||||
|
@ -152,6 +152,13 @@ outputs:
|
||||
'133 ironic api':
|
||||
dport:
|
||||
- 6385
|
||||
firewall_frontend_rules:
|
||||
'100 ironic_haproxy_frontend':
|
||||
dport:
|
||||
- 6385
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 ironic_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13385
|
||||
keystone_resources:
|
||||
ironic:
|
||||
|
@ -252,7 +252,6 @@ outputs:
|
||||
'137 ironic-inspector':
|
||||
dport:
|
||||
- 5050
|
||||
- 13050
|
||||
'137 ironic-inspector dhcp input':
|
||||
iniface: {get_param: IronicInspectorInterface}
|
||||
ipversion: 'ipv4'
|
||||
@ -280,6 +279,14 @@ outputs:
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 547
|
||||
firewall_frontend_rules:
|
||||
'100 ironic-inspector_haproxy_frontend':
|
||||
dport:
|
||||
- 5050
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 ironic-inspector_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13050
|
||||
keystone_resources:
|
||||
ironic-inspector:
|
||||
endpoints:
|
||||
|
@ -499,8 +499,18 @@ outputs:
|
||||
'111 keystone':
|
||||
dport:
|
||||
- 5000
|
||||
- 13000
|
||||
- {get_param: [EndpointMap, KeystoneAdmin, port]}
|
||||
firewall_frontend_rules:
|
||||
'100 keystone_public_haproxy_frontend':
|
||||
dport:
|
||||
- 5000
|
||||
'100 keystone_admin_haproxy_frontend':
|
||||
dport:
|
||||
- {get_param: [EndpointMap, KeystoneAdmin, port]}
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 keystone_public_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13000
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
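Review bot: Port 13000 is now listed under `'100 keystone_public_haproxy_frontend_ssl'` but also remains in the backend rule `'111 keystone'` (the hunk header shows no deletions), whereas the ironic-inspector hunk in this same commit removes 13050 from its backend rule once it moves to firewall_ssl_frontend_rules. The two files now follow different conventions, and keeping the TLS-terminated port in the host rule opens 13000 on every node running keystone even where no haproxy frontend is present, which is what the frontend/backend split is meant to avoid. If the backend service does not listen on 13000 itself, drop `- 13000` from `'111 keystone'` to match the ironic-inspector treatment; if it must stay, a short comment saying why would prevent the next reader from removing it.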
@ -167,6 +167,13 @@ outputs:
|
||||
'150 manila':
|
||||
dport:
|
||||
- 8786
|
||||
firewall_frontend_rules:
|
||||
'100 manila_haproxy_frontend':
|
||||
dport:
|
||||
- 8786
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 manila_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13786
|
||||
keystone_resources:
|
||||
manila:
|
||||
|
@ -309,6 +309,13 @@ outputs:
|
||||
'114 neutron api':
|
||||
dport:
|
||||
- 9696
|
||||
firewall_frontend_rules:
|
||||
'100 neutron_haproxy_frontend':
|
||||
dport:
|
||||
- 9696
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 neutron_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13696
|
||||
keystone_resources:
|
||||
neutron:
|
||||
|
@ -323,6 +323,13 @@ outputs:
|
||||
'113 nova_api':
|
||||
dport:
|
||||
- 8774
|
||||
firewall_frontend_rules:
|
||||
'100 nova_osapi_haproxy_frontend':
|
||||
dport:
|
||||
- 8774
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 nova_osapi_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13774
|
||||
keystone_resources:
|
||||
nova:
|
||||
|
@ -158,6 +158,13 @@ outputs:
|
||||
'139 nova_metadata':
|
||||
dport:
|
||||
- 8775
|
||||
firewall_frontend_rules:
|
||||
'100 nova_metadatahaproxy_frontend':
|
||||
dport:
|
||||
- 8775
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 nova_metadatahaproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13775
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata}
|
||||
config_settings:
|
||||
|
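Review bot: The rule keys `'100 nova_metadatahaproxy_frontend':` and `'100 nova_metadatahaproxy_frontend_ssl':` are missing the underscore before `haproxy`, unlike every other rule added in this commit (`'100 nova_osapi_haproxy_frontend'`, `'100 nova_vncproxy_haproxy_frontend'`). Rename them to `'100 nova_metadata_haproxy_frontend':` and `'100 nova_metadata_haproxy_frontend_ssl':` so the naming pattern stays greppable across services.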
@ -179,6 +179,13 @@ outputs:
|
||||
'137 nova_vnc_proxy':
|
||||
dport:
|
||||
- 6080
|
||||
firewall_frontend_rules:
|
||||
'100 nova_vncproxy_haproxy_frontend':
|
||||
dport:
|
||||
- 6080
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 nova_vncproxy_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13080
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -171,6 +171,13 @@ outputs:
|
||||
'120 octavia api':
|
||||
dport:
|
||||
- 9876
|
||||
firewall_frontend_rules:
|
||||
'100 octavia_haproxy_frontend':
|
||||
dport:
|
||||
- 9876
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 octavia_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13876
|
||||
keystone_resources:
|
||||
octavia:
|
||||
|
@ -109,6 +109,13 @@ outputs:
|
||||
dport:
|
||||
- {get_param: OVNNorthboundServerPort}
|
||||
- {get_param: OVNSouthboundServerPort}
|
||||
firewall_frontend_rules:
|
||||
'100 ovn_nbdb_haproxy_frontend':
|
||||
dport:
|
||||
- {get_param: OVNNorthboundServerPort}
|
||||
'100 ovn_sbdb_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- {get_param: OVNSouthboundServerPort}
|
||||
config_settings:
|
||||
ovn::northbound::port: {get_param: OVNNorthboundServerPort}
|
||||
ovn::southbound::port: {get_param: OVNSouthboundServerPort}
|
||||
|
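Review bot: `'100 ovn_sbdb_haproxy_frontend_ssl':` is placed under `firewall_frontend_rules`, yet its name carries the `_ssl` suffix that every other file in this commit reserves for entries under `firewall_ssl_frontend_rules`; the same pairing appears in the following ovn-dbs pacemaker hunk. Either the rule is intended as a plain frontend rule and should be renamed `'100 ovn_sbdb_haproxy_frontend':`, or it belongs in a `firewall_ssl_frontend_rules:` section so that it is only applied when the haproxy service sets the ssl frontend enabled flag. I cannot tell from the hunk which was intended, but as written the name and the section disagree.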
@ -162,6 +162,13 @@ outputs:
|
||||
- 3125
|
||||
- {get_param: OVNNorthboundServerPort}
|
||||
- {get_param: OVNSouthboundServerPort}
|
||||
firewall_frontend_rules:
|
||||
'100 ovn_nbdb_haproxy_frontend':
|
||||
dport:
|
||||
- {get_param: OVNNorthboundServerPort}
|
||||
'100 ovn_sbdb_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- {get_param: OVNSouthboundServerPort}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [OVNDbsBase, role_data, config_settings]
|
||||
|
@ -149,6 +149,13 @@ outputs:
|
||||
'138 placement':
|
||||
dport:
|
||||
- 8778
|
||||
firewall_frontend_rules:
|
||||
'100 placement_haproxy_frontend':
|
||||
dport:
|
||||
- 8778
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 placement_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13778
|
||||
keystone_resources:
|
||||
placement:
|
||||
|
@ -156,6 +156,13 @@ outputs:
|
||||
'122 swift proxy':
|
||||
dport:
|
||||
- 8080
|
||||
firewall_frontend_rules:
|
||||
'100 swift_proxy_server_haproxy_frontend':
|
||||
dport:
|
||||
- 8080
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 swift_proxy_server_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13808
|
||||
keystone_resources:
|
||||
swift:
|
||||
|
@ -69,6 +69,10 @@ outputs:
|
||||
proto: 'tcp'
|
||||
dport: 22
|
||||
- {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
|
||||
host_firewall_tasks:
|
||||
- name: Run firewall role
|
||||
include_role:
|
||||
name: tripleo_firewall
|
||||
update_tasks:
|
||||
- name: Cleanup tripleo-iptables services
|
||||
when:
|
||||
|
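Review bot: The new `host_firewall_tasks` entry includes the tripleo_firewall role with no `vars:`, whereas the invocation it replaces in the common role template passed `tripleo_firewall_rules` explicitly; the role now implicitly relies on the `tripleo_firewall_rules` and `tripleo_firewall_*_frontend_rules` group vars defined in overcloud.j2.yaml in this commit. That coupling is not visible from this file, so a comment above `host_firewall_tasks:` would help, for example `# Rule sets come from the per-role group vars (tripleo_firewall_rules, tripleo_firewall_*_frontend_rules) defined in overcloud.j2.yaml`. The exact variable names the role reads are assumed from the group var names in that hunk and should be confirmed against the role.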
@ -932,6 +932,37 @@ resources:
|
||||
properties:
|
||||
CtlplaneNetworkCidrs: {get_attr: [ControlVirtualIP, network, tags]}
|
||||
|
||||
# NOTE(tkajinam): Backend services and haproxy might be running in different
|
||||
# nodes, so we need to gather all frontend firewall rules
|
||||
# across all roles and pass the combined data to firewall
|
||||
# configuration task in the node where haproxy (or edge
|
||||
# haproxy) is assigned to.
|
||||
FirewallFrontendRules:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
type: json
|
||||
value:
|
||||
frontend:
|
||||
map_merge:
|
||||
{% for role in roles %}
|
||||
- get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_frontend_rules]
|
||||
{% endfor %}
|
||||
ssl_frontend:
|
||||
map_merge:
|
||||
{% for role in roles %}
|
||||
- get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_ssl_frontend_rules]
|
||||
{% endfor %}
|
||||
edge_frontend:
|
||||
map_merge:
|
||||
{% for role in roles %}
|
||||
- get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_edge_frontend_rules]
|
||||
{% endfor %}
|
||||
edge_ssl_frontend:
|
||||
map_merge:
|
||||
{% for role in roles %}
|
||||
- get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_edge_ssl_frontend_rules]
|
||||
{% endfor %}
|
||||
|
||||
{%- for role in roles %}
|
||||
{{role.name}}GroupVars:
|
||||
type: OS::Heat::Value
|
||||
@ -1008,6 +1039,11 @@ resources:
|
||||
tripleo_network_config_with_ansible: {get_param: NetworkConfigWithAnsible}
|
||||
default_route_networks: {{role.default_route_networks|default(['ControlPlane'])}}
|
||||
networks_skip_config: {{ role.networks_skip_config|default([]) }}
|
||||
tripleo_firewall_rules: {get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_rules]}
|
||||
tripleo_firewall_frontend_rules: {get_attr: [FirewallFrontendRules, value, frontend]}
|
||||
tripleo_firewall_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, ssl_frontend]}
|
||||
tripleo_firewall_edge_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_frontend]}
|
||||
tripleo_firewall_edge_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_ssl_frontend]}
|
||||
role_tags: {{role.tags}}
|
||||
|
||||
{{role.name}}NetworkConfig:
|
||||
|
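Review bot: The four `tripleo_firewall_*_frontend_rules` group vars added to every role's GroupVars carry the merged frontend rules of all roles, so a compute or storage role receives the full list of haproxy ports; nothing in this hunk says what stops those ports from being opened there. Presumably application is gated by the `tripleo_firewall_frontend_enabled` / `tripleo_firewall_ssl_frontend_enabled` / `tripleo_firewall_edge_frontend_enabled` flags that the haproxy and haproxy edge services set in their ansible_group_vars elsewhere in this commit, but that should be confirmed against the role. A one-line comment above `tripleo_firewall_frontend_rules:` such as `# Same merged set on every role; only applied where the haproxy service enables tripleo_firewall_*_enabled` would make the trust boundary explicit. The NOTE(tkajinam) comment in the first hunk explains why the rules are gathered, not where they are applied.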
@ -43,6 +43,10 @@ required_params = ['EndpointMap', 'ServiceNetMap', 'RoleName',
|
||||
OPTIONAL_SECTIONS = ['ansible_group_vars',
|
||||
'cellv2_discovery',
|
||||
'firewall_rules',
|
||||
'firewall_frontend_rules',
|
||||
'firewall_ssl_frontend_rules',
|
||||
'firewall_edge_frontend_rules',
|
||||
'firewall_edge_ssl_frontend_rules',
|
||||
'keystone_resources']
|
||||
REQUIRED_DOCKER_SECTIONS = ['service_name', 'docker_config', 'puppet_config',
|
||||
'config_settings']
|
||||
@ -51,9 +55,9 @@ OPTIONAL_DOCKER_SECTIONS = ['container_puppet_tasks', 'upgrade_tasks',
|
||||
'pre_upgrade_rolling_tasks',
|
||||
'post_upgrade_tasks', 'update_tasks',
|
||||
'post_update_tasks', 'service_config_settings',
|
||||
'host_prep_tasks', 'metadata_settings',
|
||||
'kolla_config', 'global_config_settings',
|
||||
'external_deploy_tasks',
|
||||
'host_firewall_tasks', 'host_prep_tasks',
|
||||
'metadata_settings', 'kolla_config',
|
||||
'global_config_settings', 'external_deploy_tasks',
|
||||
'external_post_deploy_tasks',
|
||||
'container_config_scripts', 'step_config',
|
||||
'monitoring_subscription', 'scale_tasks',
|
||||
|