Add tripleo-firewall composable service

This creates a new service to help manage the puppet-tripleo class that enables firewall features. Currently has no settings but this will keep our interfaces consistent. Change-Id: I5ac85fa1e460b19ee2b1a9280413aebefe300845
2016-08-15 15:24:06 -04:00 · 2016-08-15 15:24:06 -04:00 · 9b18594c79
commit 9b18594c79
parent 0df577c6f0
9 changed files with 25 additions and 12 deletions
--- a/overcloud-resource-registry-puppet.yaml
+++ b/overcloud-resource-registry-puppet.yaml
@ -212,6 +212,7 @@ resource_registry:
  OS::TripleO::Services::IronicConductor: OS::Heat::None
  OS::TripleO::Services::NovaIronic: OS::Heat::None
  OS::TripleO::Services::TripleoPackages: puppet/services/tripleo-packages.yaml
+  OS::TripleO::Services::TripleoFirewall: puppet/services/tripleo-firewall.yaml

 parameter_defaults:
  EnablePackageInstall: false
--- a/overcloud.yaml
+++ b/overcloud.yaml
@ -171,6 +171,7 @@ parameters:
      - OS::TripleO::Services::IronicConductor
      - OS::TripleO::Services::NovaIronic
      - OS::TripleO::Services::TripleoPackages
+      - OS::TripleO::Services::TripleoFirewall
    description: A list of service resources (configured in the Heat
                 resource_registry) which represent nested stacks
                 for each service that should get installed on the Controllers.
@ -192,6 +193,7 @@ parameters:
      - OS::TripleO::Services::ComputeNeutronL3Agent
      - OS::TripleO::Services::ComputeNeutronMetadataAgent
      - OS::TripleO::Services::TripleoPackages
+      - OS::TripleO::Services::TripleoFirewall
    description: A list of service resources (configured in the Heat
                 resource_registry) which represent nested stacks
                 for each service that should get installed on the Compute Nodes.
@ -215,6 +217,7 @@ parameters:
      - OS::TripleO::Services::Timezone
      - OS::TripleO::Services::Snmp
      - OS::TripleO::Services::TripleoPackages
+      - OS::TripleO::Services::TripleoFirewall
    description: A list of service resources (configured in the Heat
                 resource_registry) which represent nested stacks
                 for each service that should get installed on the BlockStorage nodes.
@ -239,6 +242,7 @@ parameters:
      - OS::TripleO::Services::Snmp
      - OS::TripleO::Services::Timezone
      - OS::TripleO::Services::TripleoPackages
+      - OS::TripleO::Services::TripleoFirewall
    description: A list of service resources (configured in the Heat
                 resource_registry) which represent nested stacks
                 for each service that should get installed on the ObjectStorage nodes.
@ -263,6 +267,7 @@ parameters:
      - OS::TripleO::Services::Ntp
      - OS::TripleO::Services::Timezone
      - OS::TripleO::Services::TripleoPackages
+      - OS::TripleO::Services::TripleoFirewall
    description: A list of service resources (configured in the Heat
                 resource_registry) which represent nested stacks
                 for each service that should get installed on the CephStorage nodes.
--- a/puppet/manifests/overcloud_cephstorage.pp
+++ b/puppet/manifests/overcloud_cephstorage.pp
@ -13,8 +13,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.

-include ::tripleo::firewall
-
 if hiera('step') >= 4 {
  hiera_include('ceph_classes', [])
 }
--- a/puppet/manifests/overcloud_compute.pp
+++ b/puppet/manifests/overcloud_compute.pp
@ -13,8 +13,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.

-include ::tripleo::firewall
-
 if hiera('step') >= 4 {
  hiera_include('compute_classes', [])
 }
--- a/puppet/manifests/overcloud_controller.pp
+++ b/puppet/manifests/overcloud_controller.pp
@ -13,8 +13,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.

-include ::tripleo::firewall
-
 if hiera('step') >= 4 {
  hiera_include('controller_classes', [])
 }
--- a/puppet/manifests/overcloud_controller_pacemaker.pp
+++ b/puppet/manifests/overcloud_controller_pacemaker.pp
@ -13,8 +13,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.

-include ::tripleo::firewall
-
 if hiera('step') >= 4 {
  hiera_include('controller_classes', [])
 }
--- a/puppet/manifests/overcloud_object.pp
+++ b/puppet/manifests/overcloud_object.pp
@ -13,8 +13,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.

-include ::tripleo::firewall
-
 if hiera('step') >= 4 {
  hiera_include('object_classes', [])
 }
--- a/puppet/manifests/overcloud_volume.pp
+++ b/puppet/manifests/overcloud_volume.pp
@ -13,8 +13,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.

-include ::tripleo::firewall
-
 if hiera('step') >= 4 {
  hiera_include('volume_classes', [])
 }
--- a/puppet/services/tripleo-firewall.yaml
+++ b/puppet/services/tripleo-firewall.yaml
@ -0,0 +1,19 @@
+heat_template_version: 2016-04-08
+
+description: >
+  TripleO Firewall settings
+
+parameters:
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+
+outputs:
+  role_data:
+    description: Role data for the TripleO firewall settings
+    value:
+      service_name: tripleo_firewall
+      step_config: |
+        include ::tripleo::firewall