Define frontend firewall rules separately

This change ensures that firewall rules for haproxy endpoints are
enabled properly even when haproxy and api services are running in
different nodes.

With this change, the firewall rules for the SSL endpoints are removed from the base
firewall rules, because those ports are bound by haproxy and not by the
api services themselves.

Also, the adhoc implementation to run firewall configurations first is
refactored by the new host_firewall_tasks key. This allows us to
implement tasks to configure firewall in the corresponding resource
template.

Closes-Bug: #1961799
Depends-on: https://review.opendev.org/831547
Change-Id: I07ceab077f9a900f7e2e35af8acd3e7a337ed01a
This commit is contained in:
Takashi Kajinami 2022-03-03 00:47:10 +09:00
parent 433b6dcb18
commit a3dd023773
38 changed files with 329 additions and 17 deletions


@ -311,6 +311,16 @@ resources:
expression: dict(coalesce($.data, []).where($ != null).select([$.get('container_puppet_tasks'), $.get('service_name')]).where($[0] != null).select([$[0], dict($[0].keys().zip(dict(service_name=>$[1]).repeat(len($[0].keys()))))]).select($[0].mergeWith($[1])).selectMany($.items()).groupBy($[0], $[1]))
data: {get_attr: [ServiceChain, role_data]}
HostFirewallTasks:
type: OS::Heat::Value
properties:
type: comma_delimited_list
value:
yaql:
# Note we use distinct() here to filter any identical tasks
expression: coalesce($.data, []).where($ != null).select($.get('host_firewall_tasks')).where($ != null).flatten().distinct()
data: {get_attr: [ServiceChain, role_data]}
HostPrepTasks:
type: OS::Heat::Value
properties:
@ -351,6 +361,32 @@ resources:
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_rules')).where($ != null)).flatten()
data: {role_data: {get_attr: [ServiceChain, role_data]}}
FirewallFrontendRules:
type: OS::Heat::Value
properties:
type: json
value:
frontend:
map_merge:
yaql:
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_frontend_rules')).where($ != null)).flatten()
data: {role_data: {get_attr: [ServiceChain, role_data]}}
ssl_frontend:
map_merge:
yaql:
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_ssl_frontend_rules')).where($ != null)).flatten()
data: {role_data: {get_attr: [ServiceChain, role_data]}}
edge_frontend:
map_merge:
yaql:
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_edge_frontend_rules')).where($ != null)).flatten()
data: {role_data: {get_attr: [ServiceChain, role_data]}}
edge_sslfrontend:
map_merge:
yaql:
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_edge_ssl_frontend_rules')).where($ != null)).flatten()
data: {role_data: {get_attr: [ServiceChain, role_data]}}
outputs:
role_data:
@ -385,6 +421,13 @@ outputs:
- {get_attr: [AnsibleGroupVars, value]}
keystone_resources: {get_attr: [KeystoneResourcesConfigs, value]}
# Firewall rules
firewall_rules: {get_attr: [FirewallRules, value]}
firewall_frontend_rules: {get_attr: [FirewallFrontendRules, value, frontend]}
firewall_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, ssl_frontend]}
firewall_edge_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_frontend]}
firewall_edge_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_ssl_frontend]}
# Keys to support docker/services
puppet_config: {get_attr: [PuppetConfig, value]}
kolla_config: {get_attr: [KollaConfig, value]}
@ -396,10 +439,6 @@ outputs:
- {get_attr: [DockerPuppetTasks, value]}
host_prep_tasks:
list_concat:
- - name: Run firewall role
include_role:
name: tripleo_firewall
vars:
tripleo_firewall_rules: {get_attr: [FirewallRules, value]}
- {get_attr: [HostFirewallTasks, value]}
- {get_attr: [HostPrepTasks, value]}
pre_deploy_step_tasks: {get_attr: [PreDeployStepTasks, value]}
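Review bot: The key defined in FirewallFrontendRules is spelled `edge_sslfrontend:` while the output `firewall_edge_ssl_frontend_rules` reads `{get_attr: [FirewallFrontendRules, value, edge_ssl_frontend]}` (the same path overcloud.j2.yaml uses), so the edge SSL frontend rules resolve to nothing and the edge haproxy's public TLS ports would never be opened. Rename the resource key to `edge_ssl_frontend:` so all three spellings agree. Separately, the `HostFirewallTasks` list replaces an include_role that passed `tripleo_firewall_rules` explicitly; now the role reads its rules from group vars, which is worth a one-line comment on the resource, e.g. `# rules are supplied via tripleo_firewall_* group vars, not task vars`.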


@ -165,6 +165,13 @@ outputs:
'128 aodh-api':
dport:
- 8042
firewall_frontend_rules:
'100 aodh_haproxy_frontend':
dport:
- 8042
firewall_ssl_frontend_rules:
'100 aodh_haproxy_frontend_ssl':
dport:
- 13042
keystone_resources:
aodh:


@ -228,6 +228,13 @@ outputs:
'117 barbican':
dport:
- 9311
firewall_frontend_rules:
'100 barbican_haproxy_frontend':
dport:
- 9311
firewall_ssl_frontend_rules:
'100 barbican_haproxy_frontend_ssl':
dport:
- 13311
keystone_resources:
barbican:


@ -125,13 +125,23 @@ outputs:
firewall_rules:
'123 ceph_dashboard':
dport:
- {get_param: GrafanaDashboardPort}
- 9090
- 9092
- 9093
- 9094
- 9100
- 9283
- {get_param: GrafanaDashboardPort}
- 9090
- 9092
- 9093
- 9094
- 9100
- 9283
firewall_frontend_rules:
'100 ceph_graphana':
dport:
- {get_param: GrafanaDashboardPort}
'100 ceph_prometheus':
dport:
- 9092
'100 ceph_alertmanager':
dport:
- 9093
upgrade_tasks: []
puppet_config: {}
docker_config: {}
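Review bot: `ceph_graphana` in the new frontend rule name is a typo for `ceph_grafana`; these names become iptables rule comments and grep targets, so use `'100 ceph_grafana':`. It would also help to state why the base `123 ceph_dashboard` rule keeps every monitoring port while only three are repeated here, e.g. `# backend ports stay in firewall_rules; only the haproxy-fronted ports are listed as frontend rules`.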


@ -108,6 +108,12 @@ outputs:
- if:
- {get_param: CephEnableDashboard}
- - {get_param: CephDashboardPort}
firewall_frontend_rules:
if:
- {get_param: CephEnableDashboard}
- '100 ceph_dashboard':
dport:
- {get_param: CephDashboardPort}
upgrade_tasks: []
puppet_config: {}
docker_config: {}


@ -98,6 +98,14 @@ outputs:
- if:
- {get_param: CephEnableDashboard}
- - '9100'
firewall_frontend_rules:
'100 ceph_rgw':
dport:
- {get_param: [EndpointMap, CephRgwInternal, port]}
firewall_ssl_frontend_rules:
'100 ceph_rgw_ssl':
dport:
- {get_param: [EndpointMap, CephRgwPublic, port]}
keystone_resources:
swift:
endpoints:


@ -162,6 +162,13 @@ outputs:
'119 cinder':
dport:
- 8776
firewall_frontend_rules:
'100 cinder_haproxy_frontend':
dport:
- 8776
firewall_ssl_frontend_rules:
'100 cinder_haproxy_frontend_ssl':
dport:
- 13776
keystone_resources:
cinder:


@ -94,6 +94,10 @@ outputs:
- 4567
- 4568
- 9200
firewall_frontend_rules:
'100 mysql_haproxy':
dport:
- 3306
config_settings:
map_merge:
- {get_attr: [MysqlBase, role_data, config_settings]}


@ -134,6 +134,10 @@ outputs:
- 4567
- 4568
- 9200
firewall_frontend_rules:
'100 mysql_haproxy':
dport:
- 3306
config_settings:
map_merge:
- get_attr: [MysqlBase, role_data, config_settings]


@ -90,6 +90,11 @@ outputs:
dport:
- 6379
- 26379
firewall_frontend_rules:
'100 redis_haproxy_frontend':
dport:
- 6379
- 26379
config_settings:
map_merge:
- {get_attr: [RedisBase, role_data, config_settings]}
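Review bot: The frontend rule repeats the sentinel port 26379 next to 6379, although the base rule directly above already opens both on the redis nodes and a frontend rule only needs the ports haproxy itself binds. If haproxy does not listen on 26379 (I cannot tell from this hunk), drop it from `redis_haproxy_frontend` so haproxy-only nodes do not expose an unused port; if it does, a short comment saying so would avoid the question next time.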


@ -110,6 +110,13 @@ outputs:
'139 designate api':
dport:
- 9001
firewall_frontend_rules:
'100 designate_haproxy_frontend':
dport:
- 9001
firewall_ssl_frontend_rules:
'100 designate_haproxy_frontend_ssl':
dport:
- 13001
keystone_resources:
designate:


@ -127,6 +127,10 @@ outputs:
dport:
- 2379
- 2380
firewall_frontend_rules:
'100 ectd_haproxy_frontend':
dport:
- 2379
monitoring_subscription: {get_param: MonitoringSubscriptionEtcd}
config_settings:
map_merge:
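Review bot: `ectd_haproxy_frontend` misspells etcd; since the rule name ends up as the iptables comment, use `'100 etcd_haproxy_frontend':`. Fronting only the client port 2379 and leaving the peer port 2380 in the base rules looks correct.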


@ -462,6 +462,13 @@ outputs:
'112 glance_api':
dport:
- 9292
firewall_frontend_rules:
'100 glance_api_haproxy_frontend':
dport:
- 9292
firewall_ssl_frontend_rules:
'100 glance_api_haproxy_frontend_ssl':
dport:
- 13292
keystone_resources:
glance:


@ -36,6 +36,11 @@ parameters:
List of enabled Image Import Methods. Valid values in the list are
'glance-direct', 'web-download', or 'copy-image'
type: comma_delimited_list
EnableGlanceApiProxy:
default: true
description: Configure haproxy to forward glance-api requests to glance-api
services running at the edge site.
type: boolean
resources:
GlanceApiBase:
@ -70,6 +75,14 @@ outputs:
map_merge:
- get_attr: [GlanceApiBase, role_data]
- service_name: glance_api_edge
firewall_edge_frontend_rules:
if:
- {get_param: EnableGlanceApiProxy}
- {get_attr: [GlanceApiBase, role_data, firewall_fronetend_rules]}
firewall_edge_ssl_frontend_rules:
if:
- {get_param: EnableGlanceApiProxy}
- {get_attr: [GlanceApiBase, role_data, firewall_ssl_frontend_rules]}
service_config_settings:
map_merge:
- get_attr: [GlanceApiBase, role_data, service_config_settings]
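Review bot: `firewall_fronetend_rules` in the `firewall_edge_frontend_rules` get_attr is misspelled, so it does not reference the `firewall_frontend_rules` output of GlanceApiBase; the plain glance-api port (9292) would never be added to the edge haproxy's firewall rules even though the SSL counterpart just below is spelled correctly. Change it to `- {get_attr: [GlanceApiBase, role_data, firewall_frontend_rules]}`. The outputs mapping continues past the end of this hunk.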


@ -186,6 +186,13 @@ outputs:
'129 gnocchi-api':
dport:
- 8041
firewall_frontend_rules:
'100 gnocchi_haproxy_frontend':
dport:
- 8041
firewall_ssl_frontend_rules:
'100 gnocchi_haproxy_frontend_ssl':
dport:
- 13041
keystone_resources:
gnocchi:


@ -180,6 +180,12 @@ outputs:
'107 haproxy stats':
dport: 1993
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
ansible_group_vars:
tripleo_firewall_frontend_enabled: true
tripleo_firewall_ssl_frontend_enabled:
if:
- public_tls_enabled
- true
config_settings:
map_merge:
- get_attr: [HAProxyLogging, config_settings]
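Review bot: `tripleo_firewall_ssl_frontend_enabled` uses a two-branch `if`, so when `public_tls_enabled` is false the key is omitted rather than set to false, and whether the 13xxx ports stay closed then depends on the default inside the tripleo_firewall role (part of the Depends-On change, not visible here). Adding `- false` as the else branch makes the intent explicit and removes that dependency; a comment such as `# public TLS ports are only opened when public endpoints are TLS-terminated by haproxy` would document why the flag is conditional.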


@ -69,6 +69,10 @@ outputs:
map_merge:
- get_attr: [HAProxyBase, role_data]
- service_name: haproxy_edge
ansible_group_vars:
map_merge:
- get_attr: [HAPRoxyBase, role_data, ansible_group_vars]
- tripleo_firewall_edge_frontend_enabled: true
config_settings:
map_merge:
- get_attr: [HAProxyBase, role_data, config_settings]
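Review bot: `HAPRoxyBase` in the new ansible_group_vars map_merge does not match the resource name `HAProxyBase` used on the surrounding lines; Heat resource names are case-sensitive, so this template should fail validation, or at best leave `tripleo_firewall_frontend_enabled`/`tripleo_firewall_ssl_frontend_enabled` unset on edge haproxy nodes. Change it to `- get_attr: [HAProxyBase, role_data, ansible_group_vars]`.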


@ -178,6 +178,7 @@ outputs:
value:
service_name: haproxy
monitoring_subscription: {get_attr: [HAProxyBase, role_data, monitoring_subscription]}
ansible_group_vars: {get_attr: [HAProxyBase, role_data, ansible_group_vars]}
config_settings:
map_merge:
- get_attr: [HAProxyBase, role_data, config_settings]


@ -116,6 +116,13 @@ outputs:
'125 heat_cfn':
dport:
- 8000
firewall_frontend_rules:
'100 heat_api_cfn_haproxy_frontend':
dport:
- 8000
firewall_ssl_frontend_rules:
'100 heat_api_cfn_haproxy_frontend_ssl':
dport:
- 13800
keystone_resources:
heat-cfn:
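Review bot: The SSL frontend port `13800` is hard-coded and does not follow the 13xxx-from-last-three-digits pattern the other services in this change use (8004→13004, 8042→13042); if it differs from the HeatCfnPublic port in the EndpointMap, haproxy's public heat-cfn endpoint stays filtered while an unused port is opened. Please verify it against the endpoint map (my recollection is that the public heat-cfn endpoint uses a different port, but I cannot confirm from this hunk) and consider deriving it the way the ceph rgw hunk does: `- {get_param: [EndpointMap, HeatCfnPublic, port]}`.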


@ -134,6 +134,13 @@ outputs:
'125 heat_api':
dport:
- 8004
firewall_frontend_rules:
'100 heat_api_haproxy_frontend':
dport:
- 8004
firewall_ssl_frontend_rules:
'100 heat_api_haproxy_frontend_ssl':
dport:
- 13004
keystone_resources:
heat:


@ -197,6 +197,13 @@ outputs:
'126 horizon':
dport:
- 80
firewall_frontend_rules:
'100 horizon_haproxy_frontend':
dport:
- 80
firewall_ssl_frontend_rules:
'100 horizon_haproxy_frontend_ssl':
dport:
- 443
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
config_settings:


@ -44,6 +44,13 @@ outputs:
'155 docker-registry':
dport:
- 8787
firewall_frontend_rules:
'100 docker_registry_haproxy_frontend':
dport:
- 8787
firewall_ssl_frontend_rules:
'100 docker_registry_haproxy_frontend_ssl':
dport:
- 13787
host_prep_tasks:
- name: authorize httpd to listen on registry ports


@ -152,6 +152,13 @@ outputs:
'133 ironic api':
dport:
- 6385
firewall_frontend_rules:
'100 ironic_haproxy_frontend':
dport:
- 6385
firewall_ssl_frontend_rules:
'100 ironic_haproxy_frontend_ssl':
dport:
- 13385
keystone_resources:
ironic:


@ -252,7 +252,6 @@ outputs:
'137 ironic-inspector':
dport:
- 5050
- 13050
'137 ironic-inspector dhcp input':
iniface: {get_param: IronicInspectorInterface}
ipversion: 'ipv4'
@ -280,6 +279,14 @@ outputs:
proto: 'udp'
chain: 'OUTPUT'
dport: 547
firewall_frontend_rules:
'100 ironic-inspector_haproxy_frontend':
dport:
- 5050
firewall_ssl_frontend_rules:
'100 ironic-inspector_haproxy_frontend_ssl':
dport:
- 13050
keystone_resources:
ironic-inspector:
endpoints:


@ -499,8 +499,18 @@ outputs:
'111 keystone':
dport:
- 5000
- 13000
- {get_param: [EndpointMap, KeystoneAdmin, port]}
firewall_frontend_rules:
'100 keystone_public_haproxy_frontend':
dport:
- 5000
'100 keystone_admin_haproxy_frontend':
dport:
- {get_param: [EndpointMap, KeystoneAdmin, port]}
firewall_ssl_frontend_rules:
'100 keystone_public_haproxy_frontend_ssl':
dport:
- 13000
monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
config_settings:
map_merge:


@ -167,6 +167,13 @@ outputs:
'150 manila':
dport:
- 8786
firewall_frontend_rules:
'100 manila_haproxy_frontend':
dport:
- 8786
firewall_ssl_frontend_rules:
'100 manila_haproxy_frontend_ssl':
dport:
- 13786
keystone_resources:
manila:


@ -309,6 +309,13 @@ outputs:
'114 neutron api':
dport:
- 9696
firewall_frontend_rules:
'100 neutron_haproxy_frontend':
dport:
- 9696
firewall_ssl_frontend_rules:
'100 neutron_haproxy_frontend_ssl':
dport:
- 13696
keystone_resources:
neutron:


@ -323,6 +323,13 @@ outputs:
'113 nova_api':
dport:
- 8774
firewall_frontend_rules:
'100 nova_osapi_haproxy_frontend':
dport:
- 8774
firewall_ssl_frontend_rules:
'100 nova_osapi_haproxy_frontend_ssl':
dport:
- 13774
keystone_resources:
nova:


@ -158,6 +158,13 @@ outputs:
'139 nova_metadata':
dport:
- 8775
firewall_frontend_rules:
'100 nova_metadatahaproxy_frontend':
dport:
- 8775
firewall_ssl_frontend_rules:
'100 nova_metadatahaproxy_frontend_ssl':
dport:
- 13775
monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata}
config_settings:
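Review bot: `nova_metadatahaproxy_frontend` and `nova_metadatahaproxy_frontend_ssl` are missing the underscore before `haproxy` that every other rule name in this change has; use `'100 nova_metadata_haproxy_frontend':` and `'100 nova_metadata_haproxy_frontend_ssl':` so the generated iptables comments stay consistent and greppable.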


@ -179,6 +179,13 @@ outputs:
'137 nova_vnc_proxy':
dport:
- 6080
firewall_frontend_rules:
'100 nova_vncproxy_haproxy_frontend':
dport:
- 6080
firewall_ssl_frontend_rules:
'100 nova_vncproxy_haproxy_frontend_ssl':
dport:
- 13080
config_settings:
map_merge:


@ -171,6 +171,13 @@ outputs:
'120 octavia api':
dport:
- 9876
firewall_frontend_rules:
'100 octavia_haproxy_frontend':
dport:
- 9876
firewall_ssl_frontend_rules:
'100 octavia_haproxy_frontend_ssl':
dport:
- 13876
keystone_resources:
octavia:


@ -109,6 +109,13 @@ outputs:
dport:
- {get_param: OVNNorthboundServerPort}
- {get_param: OVNSouthboundServerPort}
firewall_frontend_rules:
'100 ovn_nbdb_haproxy_frontend':
dport:
- {get_param: OVNNorthboundServerPort}
'100 ovn_sbdb_haproxy_frontend_ssl':
dport:
- {get_param: OVNSouthboundServerPort}
config_settings:
ovn::northbound::port: {get_param: OVNNorthboundServerPort}
ovn::southbound::port: {get_param: OVNSouthboundServerPort}
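Review bot: `ovn_sbdb_haproxy_frontend_ssl` sits under `firewall_frontend_rules`, not the SSL frontend rules, so the `_ssl` suffix is misleading for anyone auditing the resulting iptables comments; rename it to `'100 ovn_sbdb_haproxy_frontend':` to match its northbound sibling.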


@ -162,6 +162,13 @@ outputs:
- 3125
- {get_param: OVNNorthboundServerPort}
- {get_param: OVNSouthboundServerPort}
firewall_frontend_rules:
'100 ovn_nbdb_haproxy_frontend':
dport:
- {get_param: OVNNorthboundServerPort}
'100 ovn_sbdb_haproxy_frontend_ssl':
dport:
- {get_param: OVNSouthboundServerPort}
config_settings:
map_merge:
- get_attr: [OVNDbsBase, role_data, config_settings]
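Review bot: As in the non-pacemaker ovn-dbs template, `ovn_sbdb_haproxy_frontend_ssl` is placed under `firewall_frontend_rules`, so the `_ssl` suffix does not describe the rule; use `'100 ovn_sbdb_haproxy_frontend':` here as well so both variants stay in sync.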


@ -149,6 +149,13 @@ outputs:
'138 placement':
dport:
- 8778
firewall_frontend_rules:
'100 placement_haproxy_frontend':
dport:
- 8778
firewall_ssl_frontend_rules:
'100 placement_haproxy_frontend_ssl':
dport:
- 13778
keystone_resources:
placement:


@ -156,6 +156,13 @@ outputs:
'122 swift proxy':
dport:
- 8080
firewall_frontend_rules:
'100 swift_proxy_server_haproxy_frontend':
dport:
- 8080
firewall_ssl_frontend_rules:
'100 swift_proxy_server_haproxy_frontend_ssl':
dport:
- 13808
keystone_resources:
swift:


@ -69,6 +69,10 @@ outputs:
proto: 'tcp'
dport: 22
- {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
host_firewall_tasks:
- name: Run firewall role
include_role:
name: tripleo_firewall
update_tasks:
- name: Cleanup tripleo-iptables services
when:
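Review bot: The new `host_firewall_tasks` include_role no longer passes `tripleo_firewall_rules` as a task var the way the old host_prep_tasks entry did, so the role now silently depends on the group vars that overcloud.j2.yaml populates (`tripleo_firewall_rules` and the `tripleo_firewall_*_frontend_rules` / `*_enabled` flags). A one-line comment above the task, `# rules and frontend-enabled flags come from the role's group vars`, would make that implicit data path visible to the next reader.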


@ -931,6 +931,37 @@ resources:
properties:
CtlplaneNetworkCidrs: {get_attr: [ControlVirtualIP, network, tags]}
# NOTE(tkajinam): Backend services and haproxy might be running in different
# nodes, so we need to gather all frontend firewall rules
# across all roles and pass the combined data to firewall
# configuration task in the node where haproxy (or edge
# haproxy) is assigned to.
FirewallFrontendRules:
type: OS::Heat::Value
properties:
type: json
value:
frontend:
map_merge:
{% for role in roles %}
- get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_frontend_rules]
{% endfor %}
ssl_frontend:
map_merge:
{% for role in roles %}
- get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_ssl_frontend_rules]
{% endfor %}
edge_frontend:
map_merge:
{% for role in roles %}
- get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_edge_frontend_rules]
{% endfor %}
edge_ssl_frontend:
map_merge:
{% for role in roles %}
- get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_edge_ssl_frontend_rules]
{% endfor %}
{%- for role in roles %}
{{role.name}}GroupVars:
type: OS::Heat::Value
@ -1007,6 +1038,11 @@ resources:
tripleo_network_config_with_ansible: {get_param: NetworkConfigWithAnsible}
default_route_networks: {{role.default_route_networks|default(['ControlPlane'])}}
networks_skip_config: {{ role.networks_skip_config|default([]) }}
tripleo_firewall_rules: {get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_rules]}
tripleo_firewall_frontend_rules: {get_attr: [FirewallFrontendRules, value, frontend]}
tripleo_firewall_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, ssl_frontend]}
tripleo_firewall_edge_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_frontend]}
tripleo_firewall_edge_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_ssl_frontend]}
role_tags: {{role.tags}}
{{role.name}}NetworkConfig:
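Review bot: Every role now receives the aggregated frontend rules of the whole overcloud in its group vars (`tripleo_firewall_frontend_rules` and friends), so the only thing keeping those ports closed on nodes without haproxy is the `tripleo_firewall_*_enabled` flags that the haproxy services set to true in their ansible_group_vars. Please confirm the tripleo_firewall role defaults all four flags to false (that lives in the Depends-On change, not here), and add a comment next to these vars stating the contract, e.g. `# applied only on nodes where the haproxy/haproxy_edge services set tripleo_firewall_*_frontend_enabled`.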


@ -43,6 +43,10 @@ required_params = ['EndpointMap', 'ServiceNetMap', 'RoleName',
OPTIONAL_SECTIONS = ['ansible_group_vars',
'cellv2_discovery',
'firewall_rules',
'firewall_frontend_rules',
'firewall_ssl_frontend_rules',
'firewall_edge_frontend_rules',
'firewall_edge_ssl_frontend_rules',
'keystone_resources']
REQUIRED_DOCKER_SECTIONS = ['service_name', 'docker_config', 'puppet_config',
'config_settings']
@ -51,9 +55,9 @@ OPTIONAL_DOCKER_SECTIONS = ['container_puppet_tasks', 'upgrade_tasks',
'pre_upgrade_rolling_tasks',
'post_upgrade_tasks', 'update_tasks',
'post_update_tasks', 'service_config_settings',
'host_prep_tasks', 'metadata_settings',
'kolla_config', 'global_config_settings',
'external_deploy_tasks',
'host_firewall_tasks', 'host_prep_tasks',
'metadata_settings', 'kolla_config',
'global_config_settings', 'external_deploy_tasks',
'external_post_deploy_tasks',
'container_config_scripts', 'step_config',
'monitoring_subscription', 'scale_tasks',