Define frontend firewall rules separately
This change ensures that firewall rules for haproxy endpoints are enabled properly even when haproxy and api services are running on different nodes. With this change, firewall rules for ssl endpoints are removed from the base firewall rules because these ports are used by haproxy and not by api services. Also, the ad-hoc implementation that ran firewall configuration first is refactored using the new host_firewall_tasks key. This allows us to implement the tasks that configure the firewall in the corresponding resource template. Closes-Bug: #1961799 Depends-on: https://review.opendev.org/831547 Change-Id: I07ceab077f9a900f7e2e35af8acd3e7a337ed01a
This commit is contained in:
parent
433b6dcb18
commit
a3dd023773
@ -311,6 +311,16 @@ resources:
|
||||
expression: dict(coalesce($.data, []).where($ != null).select([$.get('container_puppet_tasks'), $.get('service_name')]).where($[0] != null).select([$[0], dict($[0].keys().zip(dict(service_name=>$[1]).repeat(len($[0].keys()))))]).select($[0].mergeWith($[1])).selectMany($.items()).groupBy($[0], $[1]))
|
||||
data: {get_attr: [ServiceChain, role_data]}
|
||||
|
||||
HostFirewallTasks:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
type: comma_delimited_list
|
||||
value:
|
||||
yaql:
|
||||
# Note we use distinct() here to filter any identical tasks
|
||||
expression: coalesce($.data, []).where($ != null).select($.get('host_firewall_tasks')).where($ != null).flatten().distinct()
|
||||
data: {get_attr: [ServiceChain, role_data]}
|
||||
|
||||
HostPrepTasks:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
@ -351,6 +361,32 @@ resources:
|
||||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_rules')).where($ != null)).flatten()
|
||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||
|
||||
FirewallFrontendRules:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
type: json
|
||||
value:
|
||||
frontend:
|
||||
map_merge:
|
||||
yaql:
|
||||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_frontend_rules')).where($ != null)).flatten()
|
||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||
ssl_frontend:
|
||||
map_merge:
|
||||
yaql:
|
||||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_ssl_frontend_rules')).where($ != null)).flatten()
|
||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||
edge_frontend:
|
||||
map_merge:
|
||||
yaql:
|
||||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_edge_frontend_rules')).where($ != null)).flatten()
|
||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||
edge_sslfrontend:
|
||||
map_merge:
|
||||
yaql:
|
||||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_edge_ssl_frontend_rules')).where($ != null)).flatten()
|
||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
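Review bot: The fourth key of the new FirewallFrontendRules value is spelled `edge_sslfrontend:`, but the outputs hunk further down reads it back as `firewall_edge_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_ssl_frontend]}`, and the overcloud template also uses `edge_ssl_frontend`. A get_attr on a key that does not exist appears to resolve to null rather than fail, so the edge SSL frontend rules collected from the services would be silently dropped for every role. The other three keys (`frontend`, `ssl_frontend`, `edge_frontend`) agree with their consumers; rename this one to `edge_ssl_frontend:`.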
@ -385,6 +421,13 @@ outputs:
|
||||
- {get_attr: [AnsibleGroupVars, value]}
|
||||
keystone_resources: {get_attr: [KeystoneResourcesConfigs, value]}
|
||||
|
||||
# Firewall rules
|
||||
firewall_rules: {get_attr: [FirewallRules, value]}
|
||||
firewall_frontend_rules: {get_attr: [FirewallFrontendRules, value, frontend]}
|
||||
firewall_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, ssl_frontend]}
|
||||
firewall_edge_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_frontend]}
|
||||
firewall_edge_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_ssl_frontend]}
|
||||
|
||||
# Keys to support docker/services
|
||||
puppet_config: {get_attr: [PuppetConfig, value]}
|
||||
kolla_config: {get_attr: [KollaConfig, value]}
|
||||
@ -396,10 +439,6 @@ outputs:
|
||||
- {get_attr: [DockerPuppetTasks, value]}
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- - name: Run firewall role
|
||||
include_role:
|
||||
name: tripleo_firewall
|
||||
vars:
|
||||
tripleo_firewall_rules: {get_attr: [FirewallRules, value]}
|
||||
- {get_attr: [HostFirewallTasks, value]}
|
||||
- {get_attr: [HostPrepTasks, value]}
|
||||
pre_deploy_step_tasks: {get_attr: [PreDeployStepTasks, value]}
|
||||
|
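Review bot: The order of the `list_concat` — `HostFirewallTasks` first, `HostPrepTasks` second — is what keeps the firewall configured before any host prep task runs now that the inline "Run firewall role" task is gone, but nothing in the template says the order matters. A comment above `host_prep_tasks:` such as `# HostFirewallTasks are concatenated first so the rules are in place before host_prep_tasks run` would record that the ordering is intentional. The explicit `tripleo_firewall_rules` var previously passed to the role is also removed here, so the role presumably reads it from the group vars set in the overcloud template; that is worth stating in the same comment.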
@ -165,6 +165,13 @@ outputs:
|
||||
'128 aodh-api':
|
||||
dport:
|
||||
- 8042
|
||||
firewall_frontend_rules:
|
||||
'100 aodh_haproxy_frontend':
|
||||
dport:
|
||||
- 8042
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 aodh_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13042
|
||||
keystone_resources:
|
||||
aodh:
|
||||
|
@ -228,6 +228,13 @@ outputs:
|
||||
'117 barbican':
|
||||
dport:
|
||||
- 9311
|
||||
firewall_frontend_rules:
|
||||
'100 barbican_haproxy_frontend':
|
||||
dport:
|
||||
- 9311
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 barbican_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13311
|
||||
keystone_resources:
|
||||
barbican:
|
||||
|
@ -125,13 +125,23 @@ outputs:
|
||||
firewall_rules:
|
||||
'123 ceph_dashboard':
|
||||
dport:
|
||||
- {get_param: GrafanaDashboardPort}
|
||||
- 9090
|
||||
- 9092
|
||||
- 9093
|
||||
- 9094
|
||||
- 9100
|
||||
- 9283
|
||||
- {get_param: GrafanaDashboardPort}
|
||||
- 9090
|
||||
- 9092
|
||||
- 9093
|
||||
- 9094
|
||||
- 9100
|
||||
- 9283
|
||||
firewall_frontend_rules:
|
||||
'100 ceph_graphana':
|
||||
dport:
|
||||
- {get_param: GrafanaDashboardPort}
|
||||
'100 ceph_prometheus':
|
||||
dport:
|
||||
- 9092
|
||||
'100 ceph_alertmanager':
|
||||
dport:
|
||||
- 9093
|
||||
upgrade_tasks: []
|
||||
puppet_config: {}
|
||||
docker_config: {}
|
||||
|
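Review bot: The new frontend rule key `'100 ceph_graphana'` misspells grafana; its dport is GrafanaDashboardPort and the matching parameter name is spelled correctly. Since the key is the name by which the rule is identified, `'100 ceph_grafana':` is the better choice. The `'123 ceph_dashboard'` base rule above it keeps all the ports and is unchanged apart from the re-indentation, as far as the rendered lines show.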
@ -108,6 +108,12 @@ outputs:
|
||||
- if:
|
||||
- {get_param: CephEnableDashboard}
|
||||
- - {get_param: CephDashboardPort}
|
||||
firewall_frontend_rules:
|
||||
if:
|
||||
- {get_param: CephEnableDashboard}
|
||||
- '100 ceph_dashboard':
|
||||
dport:
|
||||
- {get_param: CephDashboardPort}
|
||||
upgrade_tasks: []
|
||||
puppet_config: {}
|
||||
docker_config: {}
|
||||
|
@ -98,6 +98,14 @@ outputs:
|
||||
- if:
|
||||
- {get_param: CephEnableDashboard}
|
||||
- - '9100'
|
||||
firewall_frontend_rules:
|
||||
'100 ceph_rgw':
|
||||
dport:
|
||||
- {get_param: [EndpointMap, CephRgwInternal, port]}
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 ceph_rgw_ssl':
|
||||
dport:
|
||||
- {get_param: [EndpointMap, CephRgwPublic, port]}
|
||||
keystone_resources:
|
||||
swift:
|
||||
endpoints:
|
||||
|
@ -162,6 +162,13 @@ outputs:
|
||||
'119 cinder':
|
||||
dport:
|
||||
- 8776
|
||||
firewall_frontend_rules:
|
||||
'100 cinder_haproxy_frontend':
|
||||
dport:
|
||||
- 8776
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 cinder_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13776
|
||||
keystone_resources:
|
||||
cinder:
|
||||
|
@ -94,6 +94,10 @@ outputs:
|
||||
- 4567
|
||||
- 4568
|
||||
- 9200
|
||||
firewall_frontend_rules:
|
||||
'100 mysql_haproxy':
|
||||
dport:
|
||||
- 3306
|
||||
config_settings:
|
||||
map_merge:
|
||||
- {get_attr: [MysqlBase, role_data, config_settings]}
|
||||
|
@ -134,6 +134,10 @@ outputs:
|
||||
- 4567
|
||||
- 4568
|
||||
- 9200
|
||||
firewall_frontend_rules:
|
||||
'100 mysql_haproxy':
|
||||
dport:
|
||||
- 3306
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [MysqlBase, role_data, config_settings]
|
||||
|
@ -90,6 +90,11 @@ outputs:
|
||||
dport:
|
||||
- 6379
|
||||
- 26379
|
||||
firewall_frontend_rules:
|
||||
'100 redis_haproxy_frontend':
|
||||
dport:
|
||||
- 6379
|
||||
- 26379
|
||||
config_settings:
|
||||
map_merge:
|
||||
- {get_attr: [RedisBase, role_data, config_settings]}
|
||||
|
@ -110,6 +110,13 @@ outputs:
|
||||
'139 designate api':
|
||||
dport:
|
||||
- 9001
|
||||
firewall_frontend_rules:
|
||||
'100 designate_haproxy_frontend':
|
||||
dport:
|
||||
- 9001
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 designate_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13001
|
||||
keystone_resources:
|
||||
designate:
|
||||
|
@ -127,6 +127,10 @@ outputs:
|
||||
dport:
|
||||
- 2379
|
||||
- 2380
|
||||
firewall_frontend_rules:
|
||||
'100 ectd_haproxy_frontend':
|
||||
dport:
|
||||
- 2379
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionEtcd}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
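Review bot: The frontend rule key `'100 ectd_haproxy_frontend'` transposes the service name; every other rule in this change uses the service's real name. Change it to `'100 etcd_haproxy_frontend':` so the rule is findable when the resulting rule set is audited.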
@ -462,6 +462,13 @@ outputs:
|
||||
'112 glance_api':
|
||||
dport:
|
||||
- 9292
|
||||
firewall_frontend_rules:
|
||||
'100 glance_api_haproxy_frontend':
|
||||
dport:
|
||||
- 9292
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 glance_api_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13292
|
||||
keystone_resources:
|
||||
glance:
|
||||
|
@ -36,6 +36,11 @@ parameters:
|
||||
List of enabled Image Import Methods. Valid values in the list are
|
||||
'glance-direct', 'web-download', or 'copy-image'
|
||||
type: comma_delimited_list
|
||||
EnableGlanceApiProxy:
|
||||
default: true
|
||||
description: Configure haproxy to forward glance-api requests to glance-api
|
||||
services running at the edge site.
|
||||
type: boolean
|
||||
|
||||
resources:
|
||||
GlanceApiBase:
|
||||
@ -70,6 +75,14 @@ outputs:
|
||||
map_merge:
|
||||
- get_attr: [GlanceApiBase, role_data]
|
||||
- service_name: glance_api_edge
|
||||
firewall_edge_frontend_rules:
|
||||
if:
|
||||
- {get_param: EnableGlanceApiProxy}
|
||||
- {get_attr: [GlanceApiBase, role_data, firewall_fronetend_rules]}
|
||||
firewall_edge_ssl_frontend_rules:
|
||||
if:
|
||||
- {get_param: EnableGlanceApiProxy}
|
||||
- {get_attr: [GlanceApiBase, role_data, firewall_ssl_frontend_rules]}
|
||||
service_config_settings:
|
||||
map_merge:
|
||||
- get_attr: [GlanceApiBase, role_data, service_config_settings]
|
||||
|
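Review bot: `- {get_attr: [GlanceApiBase, role_data, firewall_fronetend_rules]}` misspells the attribute name, so when EnableGlanceApiProxy is true the edge frontend rules for glance-api appear to resolve to null instead of the base service's `firewall_frontend_rules`, while the SSL counterpart on the next line is spelled correctly and works. The effect is that the non-TLS glance-api frontend port is never opened on the edge haproxy node. Change the line to `- {get_attr: [GlanceApiBase, role_data, firewall_frontend_rules]}`.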
@ -186,6 +186,13 @@ outputs:
|
||||
'129 gnocchi-api':
|
||||
dport:
|
||||
- 8041
|
||||
firewall_frontend_rules:
|
||||
'100 gnocchi_haproxy_frontend':
|
||||
dport:
|
||||
- 8041
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 gnocchi_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13041
|
||||
keystone_resources:
|
||||
gnocchi:
|
||||
|
@ -180,6 +180,12 @@ outputs:
|
||||
'107 haproxy stats':
|
||||
dport: 1993
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
|
||||
ansible_group_vars:
|
||||
tripleo_firewall_frontend_enabled: true
|
||||
tripleo_firewall_ssl_frontend_enabled:
|
||||
if:
|
||||
- public_tls_enabled
|
||||
- true
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [HAProxyLogging, config_settings]
|
||||
|
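Review bot: `tripleo_firewall_ssl_frontend_enabled` is set with a two-arm `if`, so when `public_tls_enabled` is false the key is omitted from `ansible_group_vars` and whether the SSL frontend ports get opened falls to whatever default the tripleo_firewall role declares, which this page does not show. Adding the third arm, `- false`, below `- true` keeps that decision in this template and makes it explicit that the SSL frontend rules are applied only for TLS deployments. `tripleo_firewall_frontend_enabled: true` on the line above is unconditional and needs no change.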
@ -69,6 +69,10 @@ outputs:
|
||||
map_merge:
|
||||
- get_attr: [HAProxyBase, role_data]
|
||||
- service_name: haproxy_edge
|
||||
ansible_group_vars:
|
||||
map_merge:
|
||||
- get_attr: [HAPRoxyBase, role_data, ansible_group_vars]
|
||||
- tripleo_firewall_edge_frontend_enabled: true
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [HAProxyBase, role_data, config_settings]
|
||||
|
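Review bot: `- get_attr: [HAPRoxyBase, role_data, ansible_group_vars]` references a resource named `HAPRoxyBase`, while the sibling lines in the same map_merge use `HAProxyBase`. Unless a resource with that exact spelling exists elsewhere in the file (not visible here), Heat will reject the template at validation time and the edge haproxy group vars will never be produced. Change the line to `- get_attr: [HAProxyBase, role_data, ansible_group_vars]`.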
@ -178,6 +178,7 @@ outputs:
|
||||
value:
|
||||
service_name: haproxy
|
||||
monitoring_subscription: {get_attr: [HAProxyBase, role_data, monitoring_subscription]}
|
||||
ansible_group_vars: {get_attr: [HAProxyBase, role_data, ansible_group_vars]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [HAProxyBase, role_data, config_settings]
|
||||
|
@ -116,6 +116,13 @@ outputs:
|
||||
'125 heat_cfn':
|
||||
dport:
|
||||
- 8000
|
||||
firewall_frontend_rules:
|
||||
'100 heat_api_cfn_haproxy_frontend':
|
||||
dport:
|
||||
- 8000
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 heat_api_cfn_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13800
|
||||
keystone_resources:
|
||||
heat-cfn:
|
||||
|
@ -134,6 +134,13 @@ outputs:
|
||||
'125 heat_api':
|
||||
dport:
|
||||
- 8004
|
||||
firewall_frontend_rules:
|
||||
'100 heat_api_haproxy_frontend':
|
||||
dport:
|
||||
- 8004
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 heat_api_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13004
|
||||
keystone_resources:
|
||||
heat:
|
||||
|
@ -197,6 +197,13 @@ outputs:
|
||||
'126 horizon':
|
||||
dport:
|
||||
- 80
|
||||
firewall_frontend_rules:
|
||||
'100 horizon_haproxy_frontend':
|
||||
dport:
|
||||
- 80
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 horizon_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 443
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
|
||||
config_settings:
|
||||
|
@ -44,6 +44,13 @@ outputs:
|
||||
'155 docker-registry':
|
||||
dport:
|
||||
- 8787
|
||||
firewall_frontend_rules:
|
||||
'100 docker_registry_haproxy_frontend':
|
||||
dport:
|
||||
- 8787
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 docker_registry_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13787
|
||||
host_prep_tasks:
|
||||
- name: authorize httpd to listen on registry ports
|
||||
|
@ -152,6 +152,13 @@ outputs:
|
||||
'133 ironic api':
|
||||
dport:
|
||||
- 6385
|
||||
firewall_frontend_rules:
|
||||
'100 ironic_haproxy_frontend':
|
||||
dport:
|
||||
- 6385
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 ironic_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13385
|
||||
keystone_resources:
|
||||
ironic:
|
||||
|
@ -252,7 +252,6 @@ outputs:
|
||||
'137 ironic-inspector':
|
||||
dport:
|
||||
- 5050
|
||||
- 13050
|
||||
'137 ironic-inspector dhcp input':
|
||||
iniface: {get_param: IronicInspectorInterface}
|
||||
ipversion: 'ipv4'
|
||||
@ -280,6 +279,14 @@ outputs:
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 547
|
||||
firewall_frontend_rules:
|
||||
'100 ironic-inspector_haproxy_frontend':
|
||||
dport:
|
||||
- 5050
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 ironic-inspector_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13050
|
||||
keystone_resources:
|
||||
ironic-inspector:
|
||||
endpoints:
|
||||
|
@ -499,8 +499,18 @@ outputs:
|
||||
'111 keystone':
|
||||
dport:
|
||||
- 5000
|
||||
- 13000
|
||||
- {get_param: [EndpointMap, KeystoneAdmin, port]}
|
||||
firewall_frontend_rules:
|
||||
'100 keystone_public_haproxy_frontend':
|
||||
dport:
|
||||
- 5000
|
||||
'100 keystone_admin_haproxy_frontend':
|
||||
dport:
|
||||
- {get_param: [EndpointMap, KeystoneAdmin, port]}
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 keystone_public_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13000
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -167,6 +167,13 @@ outputs:
|
||||
'150 manila':
|
||||
dport:
|
||||
- 8786
|
||||
firewall_frontend_rules:
|
||||
'100 manila_haproxy_frontend':
|
||||
dport:
|
||||
- 8786
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 manila_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13786
|
||||
keystone_resources:
|
||||
manila:
|
||||
|
@ -309,6 +309,13 @@ outputs:
|
||||
'114 neutron api':
|
||||
dport:
|
||||
- 9696
|
||||
firewall_frontend_rules:
|
||||
'100 neutron_haproxy_frontend':
|
||||
dport:
|
||||
- 9696
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 neutron_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13696
|
||||
keystone_resources:
|
||||
neutron:
|
||||
|
@ -323,6 +323,13 @@ outputs:
|
||||
'113 nova_api':
|
||||
dport:
|
||||
- 8774
|
||||
firewall_frontend_rules:
|
||||
'100 nova_osapi_haproxy_frontend':
|
||||
dport:
|
||||
- 8774
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 nova_osapi_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13774
|
||||
keystone_resources:
|
||||
nova:
|
||||
|
@ -158,6 +158,13 @@ outputs:
|
||||
'139 nova_metadata':
|
||||
dport:
|
||||
- 8775
|
||||
firewall_frontend_rules:
|
||||
'100 nova_metadatahaproxy_frontend':
|
||||
dport:
|
||||
- 8775
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 nova_metadatahaproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13775
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata}
|
||||
config_settings:
|
||||
|
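Review bot: The keys `'100 nova_metadatahaproxy_frontend'` and `'100 nova_metadatahaproxy_frontend_ssl'` are the only ones in this change without an underscore between the service name and `haproxy`; every other service uses the `<service>_haproxy_frontend` pattern. Renaming them to `'100 nova_metadata_haproxy_frontend':` and `'100 nova_metadata_haproxy_frontend_ssl':` keeps the rule names consistent and greppable.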
@ -179,6 +179,13 @@ outputs:
|
||||
'137 nova_vnc_proxy':
|
||||
dport:
|
||||
- 6080
|
||||
firewall_frontend_rules:
|
||||
'100 nova_vncproxy_haproxy_frontend':
|
||||
dport:
|
||||
- 6080
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 nova_vncproxy_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13080
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -171,6 +171,13 @@ outputs:
|
||||
'120 octavia api':
|
||||
dport:
|
||||
- 9876
|
||||
firewall_frontend_rules:
|
||||
'100 octavia_haproxy_frontend':
|
||||
dport:
|
||||
- 9876
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 octavia_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13876
|
||||
keystone_resources:
|
||||
octavia:
|
||||
|
@ -109,6 +109,13 @@ outputs:
|
||||
dport:
|
||||
- {get_param: OVNNorthboundServerPort}
|
||||
- {get_param: OVNSouthboundServerPort}
|
||||
firewall_frontend_rules:
|
||||
'100 ovn_nbdb_haproxy_frontend':
|
||||
dport:
|
||||
- {get_param: OVNNorthboundServerPort}
|
||||
'100 ovn_sbdb_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- {get_param: OVNSouthboundServerPort}
|
||||
config_settings:
|
||||
ovn::northbound::port: {get_param: OVNNorthboundServerPort}
|
||||
ovn::southbound::port: {get_param: OVNSouthboundServerPort}
|
||||
|
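Review bot: `'100 ovn_sbdb_haproxy_frontend_ssl'` sits under `firewall_frontend_rules` with an `_ssl` suffix, although its sibling `ovn_nbdb_haproxy_frontend` has none and this map is the non-SSL one; the same pair appears in the ovn-dbs pacemaker hunk that follows. If it is meant as a plain frontend for the southbound port, rename it to `'100 ovn_sbdb_haproxy_frontend':`; if it is meant as an SSL frontend it belongs under `firewall_ssl_frontend_rules`, where it would be gated by the SSL frontend toggle like the other services. As written the name suggests a TLS-only rule that is in fact applied unconditionally.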
@ -162,6 +162,13 @@ outputs:
|
||||
- 3125
|
||||
- {get_param: OVNNorthboundServerPort}
|
||||
- {get_param: OVNSouthboundServerPort}
|
||||
firewall_frontend_rules:
|
||||
'100 ovn_nbdb_haproxy_frontend':
|
||||
dport:
|
||||
- {get_param: OVNNorthboundServerPort}
|
||||
'100 ovn_sbdb_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- {get_param: OVNSouthboundServerPort}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [OVNDbsBase, role_data, config_settings]
|
||||
|
@ -149,6 +149,13 @@ outputs:
|
||||
'138 placement':
|
||||
dport:
|
||||
- 8778
|
||||
firewall_frontend_rules:
|
||||
'100 placement_haproxy_frontend':
|
||||
dport:
|
||||
- 8778
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 placement_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13778
|
||||
keystone_resources:
|
||||
placement:
|
||||
|
@ -156,6 +156,13 @@ outputs:
|
||||
'122 swift proxy':
|
||||
dport:
|
||||
- 8080
|
||||
firewall_frontend_rules:
|
||||
'100 swift_proxy_server_haproxy_frontend':
|
||||
dport:
|
||||
- 8080
|
||||
firewall_ssl_frontend_rules:
|
||||
'100 swift_proxy_server_haproxy_frontend_ssl':
|
||||
dport:
|
||||
- 13808
|
||||
keystone_resources:
|
||||
swift:
|
||||
|
@ -69,6 +69,10 @@ outputs:
|
||||
proto: 'tcp'
|
||||
dport: 22
|
||||
- {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
|
||||
host_firewall_tasks:
|
||||
- name: Run firewall role
|
||||
include_role:
|
||||
name: tripleo_firewall
|
||||
update_tasks:
|
||||
- name: Cleanup tripleo-iptables services
|
||||
when:
|
||||
|
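Review bot: The `Run firewall role` task under the new `host_firewall_tasks` key includes tripleo_firewall with no `vars`, so the rule set it applies must come entirely from group vars; the overcloud template hunk sets `tripleo_firewall_rules` and the `tripleo_firewall_*_frontend_rules` keys per role. A comment on the task, e.g. `# rule set comes from the per-role group vars (tripleo_firewall_rules, tripleo_firewall_*_frontend_rules)`, would save a reader from looking for a missing vars block. The enclosing role_data output starts outside the hunk.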
@ -931,6 +931,37 @@ resources:
|
||||
properties:
|
||||
CtlplaneNetworkCidrs: {get_attr: [ControlVirtualIP, network, tags]}
|
||||
|
||||
# NOTE(tkajinam): Backend services and haproxy might be running in different
|
||||
# nodes, so we need to gather all frontend firewall rules
|
||||
# across all roles and pass the combined data to firewall
|
||||
# configuration task in the node where haproxy (or edge
|
||||
# haproxy) is assigned to.
|
||||
FirewallFrontendRules:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
type: json
|
||||
value:
|
||||
frontend:
|
||||
map_merge:
|
||||
{% for role in roles %}
|
||||
- get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_frontend_rules]
|
||||
{% endfor %}
|
||||
ssl_frontend:
|
||||
map_merge:
|
||||
{% for role in roles %}
|
||||
- get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_ssl_frontend_rules]
|
||||
{% endfor %}
|
||||
edge_frontend:
|
||||
map_merge:
|
||||
{% for role in roles %}
|
||||
- get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_edge_frontend_rules]
|
||||
{% endfor %}
|
||||
edge_ssl_frontend:
|
||||
map_merge:
|
||||
{% for role in roles %}
|
||||
- get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_edge_ssl_frontend_rules]
|
||||
{% endfor %}
|
||||
|
||||
{%- for role in roles %}
|
||||
{{role.name}}GroupVars:
|
||||
type: OS::Heat::Value
|
||||
@ -1007,6 +1038,11 @@ resources:
|
||||
tripleo_network_config_with_ansible: {get_param: NetworkConfigWithAnsible}
|
||||
default_route_networks: {{role.default_route_networks|default(['ControlPlane'])}}
|
||||
networks_skip_config: {{ role.networks_skip_config|default([]) }}
|
||||
tripleo_firewall_rules: {get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_rules]}
|
||||
tripleo_firewall_frontend_rules: {get_attr: [FirewallFrontendRules, value, frontend]}
|
||||
tripleo_firewall_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, ssl_frontend]}
|
||||
tripleo_firewall_edge_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_frontend]}
|
||||
tripleo_firewall_edge_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_ssl_frontend]}
|
||||
role_tags: {{role.tags}}
|
||||
|
||||
{{role.name}}NetworkConfig:
|
||||
|
@ -43,6 +43,10 @@ required_params = ['EndpointMap', 'ServiceNetMap', 'RoleName',
|
||||
OPTIONAL_SECTIONS = ['ansible_group_vars',
|
||||
'cellv2_discovery',
|
||||
'firewall_rules',
|
||||
'firewall_frontend_rules',
|
||||
'firewall_ssl_frontend_rules',
|
||||
'firewall_edge_frontend_rules',
|
||||
'firewall_edge_ssl_frontend_rules',
|
||||
'keystone_resources']
|
||||
REQUIRED_DOCKER_SECTIONS = ['service_name', 'docker_config', 'puppet_config',
|
||||
'config_settings']
|
||||
@ -51,9 +55,9 @@ OPTIONAL_DOCKER_SECTIONS = ['container_puppet_tasks', 'upgrade_tasks',
|
||||
'pre_upgrade_rolling_tasks',
|
||||
'post_upgrade_tasks', 'update_tasks',
|
||||
'post_update_tasks', 'service_config_settings',
|
||||
'host_prep_tasks', 'metadata_settings',
|
||||
'kolla_config', 'global_config_settings',
|
||||
'external_deploy_tasks',
|
||||
'host_firewall_tasks', 'host_prep_tasks',
|
||||
'metadata_settings', 'kolla_config',
|
||||
'global_config_settings', 'external_deploy_tasks',
|
||||
'external_post_deploy_tasks',
|
||||
'container_config_scripts', 'step_config',
|
||||
'monitoring_subscription', 'scale_tasks',
|
||||
|