From a3dd02377394c6fab4a556f0c666a04755fa905c Mon Sep 17 00:00:00 2001 
From: Takashi Kajinami Date: Thu, 3 Mar 2022 00:47:10 +0900 Subject: [PATCH] Define frontend firewall rules separately This change ensures that firewall rules for haproxy endpoints are enabled properly even when haproxy and api services are running in different nodes. With this change, firewall rule for ssl endpoints are removed from base firewall rules because these ports are used by haproxy and not used by api services. Also, the adhoc implementation to run firewall configurations first is refactored by the new host_firewall_tasks key. This allows us to implement tasks to configure firewall in the corresponding resource template. Closes-Bug: #1961799 Depends-on: https://review.opendev.org/831547 Change-Id: I07ceab077f9a900f7e2e35af8acd3e7a337ed01a --- common/services/role.role.j2.yaml | 49 +++++++++++++++++-- .../aodh/aodh-api-container-puppet.yaml | 7 +++ .../barbican-api-container-puppet.yaml | 7 +++ deployment/cephadm/ceph-grafana.yaml | 24 ++++++--- deployment/cephadm/ceph-mgr.yaml | 6 +++ deployment/cephadm/ceph-rgw.yaml | 8 +++ .../cinder/cinder-api-container-puppet.yaml | 7 +++ .../database/mysql-container-puppet.yaml | 4 ++ .../database/mysql-pacemaker-puppet.yaml | 4 ++ .../database/redis-container-puppet.yaml | 5 ++ .../designate-api-container-puppet.yaml | 7 +++ deployment/etcd/etcd-container-puppet.yaml | 4 ++ .../glance/glance-api-container-puppet.yaml | 7 +++ .../glance-api-edge-container-puppet.yaml | 13 +++++ .../gnocchi/gnocchi-api-container-puppet.yaml | 7 +++ .../haproxy/haproxy-container-puppet.yaml | 6 +++ .../haproxy-edge-container-puppet.yaml | 4 ++ .../haproxy/haproxy-pacemaker-puppet.yaml | 1 + .../heat/heat-api-cfn-container-puppet.yaml | 7 +++ .../heat/heat-api-container-puppet.yaml | 7 +++ .../horizon/horizon-container-puppet.yaml | 7 +++ .../image-serve-baremetal-ansible.yaml | 7 +++ .../ironic/ironic-api-container-puppet.yaml | 7 +++ .../ironic-inspector-container-puppet.yaml | 9 +++- .../keystone/keystone-container-puppet.yaml | 12 
++++- .../manila/manila-api-container-puppet.yaml | 7 +++ .../neutron/neutron-api-container-puppet.yaml | 7 +++ .../nova/nova-api-container-puppet.yaml | 7 +++ .../nova/nova-metadata-container-puppet.yaml | 7 +++ .../nova/nova-vnc-proxy-container-puppet.yaml | 7 +++ .../octavia/octavia-api-container-puppet.yaml | 7 +++ deployment/ovn/ovn-dbs-container-puppet.yaml | 7 +++ deployment/ovn/ovn-dbs-pacemaker-puppet.yaml | 7 +++ .../placement-api-container-puppet.yaml | 7 +++ .../swift/swift-proxy-container-puppet.yaml | 7 +++ .../tripleo-firewall-baremetal-ansible.yaml | 4 ++ overcloud.j2.yaml | 36 ++++++++++++++ tools/yaml-validate.py | 10 ++-- 38 files changed, 329 insertions(+), 17 deletions(-)
diff --git a/common/services/role.role.j2.yaml b/common/services/role.role.j2.yaml
index b9d760adc0..19b0ba2faa 100644
--- a/common/services/role.role.j2.yaml
+++ b/common/services/role.role.j2.yaml
@@ -311,6 +311,16 @@ resources:
 expression: dict(coalesce($.data, []).where($ != null).select([$.get('container_puppet_tasks'), $.get('service_name')]).where($[0] != null).select([$[0], dict($[0].keys().zip(dict(service_name=>$[1]).repeat(len($[0].keys()))))]).select($[0].mergeWith($[1])).selectMany($.items()).groupBy($[0], $[1]))
 data: {get_attr: [ServiceChain, role_data]}
+ HostFirewallTasks:
+ type: OS::Heat::Value
+ properties:
+ type: comma_delimited_list
+ value:
+ yaql:
+ # Note we use distinct() here to filter any identical tasks
+ expression: coalesce($.data, []).where($ != null).select($.get('host_firewall_tasks')).where($ != null).flatten().distinct()
+ data: {get_attr: [ServiceChain, role_data]}
+
 HostPrepTasks:
 type: OS::Heat::Value
 properties:
@@ -351,6 +361,32 @@ resources:
 expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_rules')).where($ != null)).flatten()
 data: {role_data: {get_attr: [ServiceChain, role_data]}}
+ FirewallFrontendRules:
+ type: OS::Heat::Value
+ properties:
+ type: json
+ value:
+ frontend:
+ map_merge:
+ yaql:
+ expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_frontend_rules')).where($ != null)).flatten()
+ data: {role_data: {get_attr: [ServiceChain, role_data]}}
+ ssl_frontend:
+ map_merge:
+ yaql:
+ expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_ssl_frontend_rules')).where($ != null)).flatten()
+ data: {role_data: {get_attr: [ServiceChain, role_data]}}
+ edge_frontend:
+ map_merge:
+ yaql:
+ expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_edge_frontend_rules')).where($ != null)).flatten()
+ data: {role_data: {get_attr: [ServiceChain, role_data]}}
+ edge_sslfrontend:
+ map_merge:
+ yaql:
+ expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_edge_ssl_frontend_rules')).where($ != null)).flatten()
+ data: {role_data: {get_attr: [ServiceChain, role_data]}}
+
 outputs:
 role_data:
@@ -385,6 +421,13 @@ outputs:
 - {get_attr: [AnsibleGroupVars, value]}
 keystone_resources: {get_attr: [KeystoneResourcesConfigs, value]}
+ # Firewall rules
+ firewall_rules: {get_attr: [FirewallRules, value]}
+ firewall_frontend_rules: {get_attr: [FirewallFrontendRules, value, frontend]}
+ firewall_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, ssl_frontend]}
+ firewall_edge_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_frontend]}
+ firewall_edge_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_ssl_frontend]}
+
 # Keys to support docker/services
 puppet_config: {get_attr: [PuppetConfig, value]}
 kolla_config: {get_attr: [KollaConfig, value]}
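Review bot: The value key added in the FirewallFrontendRules resource is spelled `edge_sslfrontend`, but the outputs hunk that follows (@@ -385,6 +421,13) reads it as `{get_attr: [FirewallFrontendRules, value, edge_ssl_frontend]}`, and the overcloud.j2.yaml hunk consumes the role output under the `edge_ssl_frontend` spelling as well. As written, the role's `firewall_edge_ssl_frontend_rules` output can never carry the rules collected by the yaql expression, so no SSL edge-frontend port would be opened on the edge haproxy node. Rename the key to `edge_ssl_frontend:`; whether Heat fails validation or silently yields null for the unknown path I cannot confirm from the diff, but neither outcome is what the commit intends.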
@@ -396,10 +439,6 @@ outputs:
 - {get_attr: [DockerPuppetTasks, value]}
 host_prep_tasks:
 list_concat:
- - - name: Run firewall role
- include_role:
- name: tripleo_firewall
- vars:
- tripleo_firewall_rules: {get_attr: [FirewallRules, value]}
+ - {get_attr: [HostFirewallTasks, value]}
 - {get_attr: [HostPrepTasks, value]}
 pre_deploy_step_tasks: {get_attr: [PreDeployStepTasks, value]}
diff --git a/deployment/aodh/aodh-api-container-puppet.yaml b/deployment/aodh/aodh-api-container-puppet.yaml
index 58d53c728c..6ba3b9302c 100644
--- a/deployment/aodh/aodh-api-container-puppet.yaml
+++ b/deployment/aodh/aodh-api-container-puppet.yaml
@@ -165,6 +165,13 @@ outputs:
 '128 aodh-api':
 dport:
 - 8042
+ firewall_frontend_rules:
+ '100 aodh_haproxy_frontend':
+ dport:
+ - 8042
+ firewall_ssl_frontend_rules:
+ '100 aodh_haproxy_frontend_ssl':
+ dport:
 - 13042
 keystone_resources:
 aodh:
diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml
index 87a5cfa6df..cd1fa2d143 100644
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@@ -228,6 +228,13 @@ outputs:
 '117 barbican':
 dport:
 - 9311
+ firewall_frontend_rules:
+ '100 barbican_haproxy_frontend':
+ dport:
+ - 9311
+ firewall_ssl_frontend_rules:
+ '100 barbican_haproxy_frontend_ssl':
+ dport:
 - 13311
 keystone_resources:
 barbican:
diff --git a/deployment/cephadm/ceph-grafana.yaml b/deployment/cephadm/ceph-grafana.yaml
index 70aa7fa6aa..f3b92e9164 100644
--- a/deployment/cephadm/ceph-grafana.yaml
+++ b/deployment/cephadm/ceph-grafana.yaml
@@ -125,13 +125,23 @@ outputs:
 firewall_rules:
 '123 ceph_dashboard':
 dport:
- - {get_param: GrafanaDashboardPort}
- - 9090
- - 9092
- - 9093
- - 9094
- - 9100
- - 9283
+ - {get_param: GrafanaDashboardPort}
+ - 9090
+ - 9092
+ - 9093
+ - 9094
+ - 9100
+ - 9283
+ firewall_frontend_rules:
+ '100 ceph_graphana':
+ dport:
+ - {get_param: GrafanaDashboardPort}
+ '100 ceph_prometheus':
+ dport:
+ - 9092
+ '100 ceph_alertmanager':
+ dport:
+ - 9093
 upgrade_tasks: []
 puppet_config: {}
 docker_config: {}
diff --git a/deployment/cephadm/ceph-mgr.yaml b/deployment/cephadm/ceph-mgr.yaml
index b559fc2ec4..ee4ae6ccbd 100644
--- a/deployment/cephadm/ceph-mgr.yaml
+++ b/deployment/cephadm/ceph-mgr.yaml
@@ -108,6 +108,12 @@ outputs:
 - if:
 - {get_param: CephEnableDashboard}
 - - {get_param: CephDashboardPort}
+ firewall_frontend_rules:
+ if:
+ - {get_param: CephEnableDashboard}
+ - '100 ceph_dashboard':
+ dport:
+ - {get_param: CephDashboardPort}
 upgrade_tasks: []
 puppet_config: {}
 docker_config: {}
diff --git a/deployment/cephadm/ceph-rgw.yaml b/deployment/cephadm/ceph-rgw.yaml
index 5a70678c4d..df22f2e369 100644
--- a/deployment/cephadm/ceph-rgw.yaml
+++ b/deployment/cephadm/ceph-rgw.yaml
@@ -98,6 +98,14 @@ outputs:
 - if:
 - {get_param: CephEnableDashboard}
 - - '9100'
+ firewall_frontend_rules:
+ '100 ceph_rgw':
+ dport:
+ - {get_param: [EndpointMap, CephRgwInternal, port]}
+ firewall_ssl_frontend_rules:
+ '100 ceph_rgw_ssl':
+ dport:
+ - {get_param: [EndpointMap, CephRgwPublic, port]}
 keystone_resources:
 swift:
 endpoints:
diff --git a/deployment/cinder/cinder-api-container-puppet.yaml b/deployment/cinder/cinder-api-container-puppet.yaml
index c5459e7be0..2e8d7f7328 100644
--- a/deployment/cinder/cinder-api-container-puppet.yaml
+++ b/deployment/cinder/cinder-api-container-puppet.yaml
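Review bot: The new rule key `'100 ceph_graphana'` in the ceph-grafana hunk is misspelled, and since these keys presumably become the rule names in the generated firewall, typos make the resulting rule set harder to audit against the template. Rename it to `'100 ceph_grafana'`. The same applies to `'100 ectd_haproxy_frontend'` in the etcd-container-puppet.yaml hunk and to `'100 nova_metadatahaproxy_frontend'` / `'100 nova_metadatahaproxy_frontend_ssl'` (missing underscore before `haproxy`) in the nova-metadata-container-puppet.yaml hunk.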
@@ -162,6 +162,13 @@ outputs:
 '119 cinder':
 dport:
 - 8776
+ firewall_frontend_rules:
+ '100 cinder_haproxy_frontend':
+ dport:
+ - 8776
+ firewall_ssl_frontend_rules:
+ '100 cinder_haproxy_frontend_ssl':
+ dport:
 - 13776
 keystone_resources:
 cinder:
diff --git a/deployment/database/mysql-container-puppet.yaml b/deployment/database/mysql-container-puppet.yaml
index d4feb714f3..4a756bead2 100644
--- a/deployment/database/mysql-container-puppet.yaml
+++ b/deployment/database/mysql-container-puppet.yaml
@@ -94,6 +94,10 @@ outputs:
 - 4567
 - 4568
 - 9200
+ firewall_frontend_rules:
+ '100 mysql_haproxy':
+ dport:
+ - 3306
 config_settings:
 map_merge:
 - {get_attr: [MysqlBase, role_data, config_settings]}
diff --git a/deployment/database/mysql-pacemaker-puppet.yaml b/deployment/database/mysql-pacemaker-puppet.yaml
index 1ff16ac736..7a3c45bd71 100644
--- a/deployment/database/mysql-pacemaker-puppet.yaml
+++ b/deployment/database/mysql-pacemaker-puppet.yaml
@@ -134,6 +134,10 @@ outputs:
 - 4567
 - 4568
 - 9200
+ firewall_frontend_rules:
+ '100 mysql_haproxy':
+ dport:
+ - 3306
 config_settings:
 map_merge:
 - get_attr: [MysqlBase, role_data, config_settings]
diff --git a/deployment/database/redis-container-puppet.yaml b/deployment/database/redis-container-puppet.yaml
index 0642ddad7f..220f594980 100644
--- a/deployment/database/redis-container-puppet.yaml
+++ b/deployment/database/redis-container-puppet.yaml
@@ -90,6 +90,11 @@ outputs:
 dport:
 - 6379
 - 26379
+ firewall_frontend_rules:
+ '100 redis_haproxy_frontend':
+ dport:
+ - 6379
+ - 26379
 config_settings:
 map_merge:
 - {get_attr: [RedisBase, role_data, config_settings]}
diff --git a/deployment/designate/designate-api-container-puppet.yaml b/deployment/designate/designate-api-container-puppet.yaml
index 2ef868dae3..23ab6d4112 100644
--- a/deployment/designate/designate-api-container-puppet.yaml
+++ b/deployment/designate/designate-api-container-puppet.yaml
@@ -110,6 +110,13 @@ outputs:
 '139 designate api':
 dport:
 - 9001
+ firewall_frontend_rules:
+ '100 designate_haproxy_frontend':
+ dport:
+ - 9001
+ firewall_ssl_frontend_rules:
+ '100 designate_haproxy_frontend_ssl':
+ dport:
 - 13001
 keystone_resources:
 designate:
diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml
index f7231f11cd..57e11150e9 100644
--- a/deployment/etcd/etcd-container-puppet.yaml
+++ b/deployment/etcd/etcd-container-puppet.yaml
@@ -127,6 +127,10 @@ outputs:
 dport:
 - 2379
 - 2380
+ firewall_frontend_rules:
+ '100 ectd_haproxy_frontend':
+ dport:
+ - 2379
 monitoring_subscription: {get_param: MonitoringSubscriptionEtcd}
 config_settings:
 map_merge:
diff --git a/deployment/glance/glance-api-container-puppet.yaml b/deployment/glance/glance-api-container-puppet.yaml
index 1e436d3496..1767fe197e 100644
--- a/deployment/glance/glance-api-container-puppet.yaml
+++ b/deployment/glance/glance-api-container-puppet.yaml
@@ -462,6 +462,13 @@ outputs:
 '112 glance_api':
 dport:
 - 9292
+ firewall_frontend_rules:
+ '100 glance_api_haproxy_frontend':
+ dport:
+ - 9292
+ firewall_ssl_frontend_rules:
+ '100 glance_api_haproxy_frontend_ssl':
+ dport:
 - 13292
 keystone_resources:
 glance:
diff --git a/deployment/glance/glance-api-edge-container-puppet.yaml b/deployment/glance/glance-api-edge-container-puppet.yaml
index 114d05b955..835c754801 100644
--- a/deployment/glance/glance-api-edge-container-puppet.yaml
+++ b/deployment/glance/glance-api-edge-container-puppet.yaml
@@ -36,6 +36,11 @@ parameters:
 List of enabled Image Import Methods. Valid values in the list are 'glance-direct', 'web-download', or 'copy-image'
 type: comma_delimited_list
+ EnableGlanceApiProxy:
+ default: true
+ description: Configure haproxy to forward glance-api requests to glance-api
+ services running at the edge site.
+ type: boolean
 resources:
 GlanceApiBase:
@@ -70,6 +75,14 @@ outputs:
 map_merge:
 - get_attr: [GlanceApiBase, role_data]
 - service_name: glance_api_edge
+ firewall_edge_frontend_rules:
+ if:
+ - {get_param: EnableGlanceApiProxy}
+ - {get_attr: [GlanceApiBase, role_data, firewall_fronetend_rules]}
+ firewall_edge_ssl_frontend_rules:
+ if:
+ - {get_param: EnableGlanceApiProxy}
+ - {get_attr: [GlanceApiBase, role_data, firewall_ssl_frontend_rules]}
 service_config_settings:
 map_merge:
 - get_attr: [GlanceApiBase, role_data, service_config_settings]
diff --git a/deployment/gnocchi/gnocchi-api-container-puppet.yaml b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
index 513c1b133b..dc900d58af 100644
--- a/deployment/gnocchi/gnocchi-api-container-puppet.yaml
+++ b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
@@ -186,6 +186,13 @@ outputs:
 '129 gnocchi-api':
 dport:
 - 8041
+ firewall_frontend_rules:
+ '100 gnocchi_haproxy_frontend':
+ dport:
+ - 8041
+ firewall_ssl_frontend_rules:
+ '100 gnocchi_haproxy_frontend_ssl':
+ dport:
 - 13041
 keystone_resources:
 gnocchi:
diff --git a/deployment/haproxy/haproxy-container-puppet.yaml b/deployment/haproxy/haproxy-container-puppet.yaml
index 96e3ae031b..998e169112 100644
--- a/deployment/haproxy/haproxy-container-puppet.yaml
+++ b/deployment/haproxy/haproxy-container-puppet.yaml
@@ -180,6 +180,12 @@ outputs:
 '107 haproxy stats':
 dport: 1993
 monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
+ ansible_group_vars:
+ tripleo_firewall_frontend_enabled: true
+ tripleo_firewall_ssl_frontend_enabled:
+ if:
+ - public_tls_enabled
+ - true
 config_settings:
 map_merge:
 - get_attr: [HAProxyLogging, config_settings]
diff --git a/deployment/haproxy/haproxy-edge-container-puppet.yaml b/deployment/haproxy/haproxy-edge-container-puppet.yaml
index 17ba797f26..20ce77ec0c 100644
--- a/deployment/haproxy/haproxy-edge-container-puppet.yaml
+++ b/deployment/haproxy/haproxy-edge-container-puppet.yaml
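Review bot: In the glance-api-edge hunk the attribute name `firewall_fronetend_rules` is misspelled; GlanceApiBase exposes `firewall_frontend_rules` (added to glance-api-container-puppet.yaml in this same commit), so `firewall_edge_frontend_rules` would resolve to nothing on the edge haproxy while the `firewall_edge_ssl_frontend_rules` branch two lines below is spelled correctly. Change the line to `- {get_attr: [GlanceApiBase, role_data, firewall_frontend_rules]}`. If Heat tolerates the unknown path, the effect is that the plain-HTTP glance edge frontend port stays closed even when EnableGlanceApiProxy is true, which is the opposite of what the new parameter promises.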
@@ -69,6 +69,10 @@ outputs:
 map_merge:
 - get_attr: [HAProxyBase, role_data]
 - service_name: haproxy_edge
+ ansible_group_vars:
+ map_merge:
+ - get_attr: [HAPRoxyBase, role_data, ansible_group_vars]
+ - tripleo_firewall_edge_frontend_enabled: true
 config_settings:
 map_merge:
 - get_attr: [HAProxyBase, role_data, config_settings]
diff --git a/deployment/haproxy/haproxy-pacemaker-puppet.yaml b/deployment/haproxy/haproxy-pacemaker-puppet.yaml
index c664c420a0..87d75674cc 100644
--- a/deployment/haproxy/haproxy-pacemaker-puppet.yaml
+++ b/deployment/haproxy/haproxy-pacemaker-puppet.yaml
@@ -178,6 +178,7 @@ outputs:
 value:
 service_name: haproxy
 monitoring_subscription: {get_attr: [HAProxyBase, role_data, monitoring_subscription]}
+ ansible_group_vars: {get_attr: [HAProxyBase, role_data, ansible_group_vars]}
 config_settings:
 map_merge:
 - get_attr: [HAProxyBase, role_data, config_settings]
diff --git a/deployment/heat/heat-api-cfn-container-puppet.yaml b/deployment/heat/heat-api-cfn-container-puppet.yaml
index 46d4338266..331147dfd6 100644
--- a/deployment/heat/heat-api-cfn-container-puppet.yaml
+++ b/deployment/heat/heat-api-cfn-container-puppet.yaml
@@ -116,6 +116,13 @@ outputs:
 '125 heat_cfn':
 dport:
 - 8000
+ firewall_frontend_rules:
+ '100 heat_api_cfn_haproxy_frontend':
+ dport:
+ - 8000
+ firewall_ssl_frontend_rules:
+ '100 heat_api_cfn_haproxy_frontend_ssl':
+ dport:
 - 13800
 keystone_resources:
 heat-cfn:
diff --git a/deployment/heat/heat-api-container-puppet.yaml b/deployment/heat/heat-api-container-puppet.yaml
index 5b4ee83746..520168428a 100644
--- a/deployment/heat/heat-api-container-puppet.yaml
+++ b/deployment/heat/heat-api-container-puppet.yaml
@@ -134,6 +134,13 @@ outputs:
 '125 heat_api':
 dport:
 - 8004
+ firewall_frontend_rules:
+ '100 heat_api_haproxy_frontend':
+ dport:
+ - 8004
+ firewall_ssl_frontend_rules:
+ '100 heat_api_haproxy_frontend_ssl':
+ dport:
 - 13004
 keystone_resources:
 heat:
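Review bot: The haproxy-edge hunk references `HAPRoxyBase` in the new `ansible_group_vars` map_merge, while every other get_attr on the surrounding lines uses `HAProxyBase`; there is no resource by the misspelled name, so Heat should reject the template at validation, and if it somehow passed, the edge role would lose the inherited `tripleo_firewall_frontend_enabled` setting. Change the line to `- get_attr: [HAProxyBase, role_data, ansible_group_vars]`.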
diff --git a/deployment/horizon/horizon-container-puppet.yaml b/deployment/horizon/horizon-container-puppet.yaml
index 4c913d4fd6..d0155a7f7a 100644
--- a/deployment/horizon/horizon-container-puppet.yaml
+++ b/deployment/horizon/horizon-container-puppet.yaml
@@ -197,6 +197,13 @@ outputs:
 '126 horizon':
 dport:
 - 80
+ firewall_frontend_rules:
+ '100 horizon_haproxy_frontend':
+ dport:
+ - 80
+ firewall_ssl_frontend_rules:
+ '100 horizon_haproxy_frontend_ssl':
+ dport:
 - 443
 monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
 config_settings:
diff --git a/deployment/image-serve/image-serve-baremetal-ansible.yaml b/deployment/image-serve/image-serve-baremetal-ansible.yaml
index bc38293832..198a32de2b 100644
--- a/deployment/image-serve/image-serve-baremetal-ansible.yaml
+++ b/deployment/image-serve/image-serve-baremetal-ansible.yaml
@@ -44,6 +44,13 @@ outputs:
 '155 docker-registry':
 dport:
 - 8787
+ firewall_frontend_rules:
+ '100 docker_registry_haproxy_frontend':
+ dport:
+ - 8787
+ firewall_ssl_frontend_rules:
+ '100 docker_registry_haproxy_frontend_ssl':
+ dport:
 - 13787
 host_prep_tasks:
 - name: authorize httpd to listen on registry ports
diff --git a/deployment/ironic/ironic-api-container-puppet.yaml b/deployment/ironic/ironic-api-container-puppet.yaml
index 5b7c2e552d..ebfd75e8af 100644
--- a/deployment/ironic/ironic-api-container-puppet.yaml
+++ b/deployment/ironic/ironic-api-container-puppet.yaml
@@ -152,6 +152,13 @@ outputs:
 '133 ironic api':
 dport:
 - 6385
+ firewall_frontend_rules:
+ '100 ironic_haproxy_frontend':
+ dport:
+ - 6385
+ firewall_ssl_frontend_rules:
+ '100 ironic_haproxy_frontend_ssl':
+ dport:
 - 13385
 keystone_resources:
 ironic:
diff --git a/deployment/ironic/ironic-inspector-container-puppet.yaml b/deployment/ironic/ironic-inspector-container-puppet.yaml
index 1956cb66e3..42af16e74c 100644
--- a/deployment/ironic/ironic-inspector-container-puppet.yaml
+++ b/deployment/ironic/ironic-inspector-container-puppet.yaml
@@ -252,7 +252,6 @@ outputs:
 '137 ironic-inspector':
 dport:
 - 5050
- - 13050
 '137 ironic-inspector dhcp input':
 iniface: {get_param: IronicInspectorInterface}
 ipversion: 'ipv4'
@@ -280,6 +279,14 @@ outputs:
 proto: 'udp'
 chain: 'OUTPUT'
 dport: 547
+ firewall_frontend_rules:
+ '100 ironic-inspector_haproxy_frontend':
+ dport:
+ - 5050
+ firewall_ssl_frontend_rules:
+ '100 ironic-inspector_haproxy_frontend_ssl':
+ dport:
+ - 13050
 keystone_resources:
 ironic-inspector:
 endpoints:
diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml
index 573ea87cef..1a05dd6259 100644
--- a/deployment/keystone/keystone-container-puppet.yaml
+++ b/deployment/keystone/keystone-container-puppet.yaml
@@ -499,8 +499,18 @@ outputs:
 '111 keystone':
 dport:
 - 5000
- - 13000
 - {get_param: [EndpointMap, KeystoneAdmin, port]}
+ firewall_frontend_rules:
+ '100 keystone_public_haproxy_frontend':
+ dport:
+ - 5000
+ '100 keystone_admin_haproxy_frontend':
+ dport:
+ - {get_param: [EndpointMap, KeystoneAdmin, port]}
+ firewall_ssl_frontend_rules:
+ '100 keystone_public_haproxy_frontend_ssl':
+ dport:
+ - 13000
 monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
 config_settings:
 map_merge:
diff --git a/deployment/manila/manila-api-container-puppet.yaml b/deployment/manila/manila-api-container-puppet.yaml
index 5ad354cc6b..b884260c8a 100644
--- a/deployment/manila/manila-api-container-puppet.yaml
+++ b/deployment/manila/manila-api-container-puppet.yaml
@@ -167,6 +167,13 @@ outputs:
 '150 manila':
 dport:
 - 8786
+ firewall_frontend_rules:
+ '100 manila_haproxy_frontend':
+ dport:
+ - 8786
+ firewall_ssl_frontend_rules:
+ '100 manila_haproxy_frontend_ssl':
+ dport:
 - 13786
 keystone_resources:
 manila:
diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml
index c033c0aa3c..1178b33c45 100644
--- a/deployment/neutron/neutron-api-container-puppet.yaml
+++ b/deployment/neutron/neutron-api-container-puppet.yaml
@@ -309,6 +309,13 @@ outputs:
 '114 neutron api':
 dport:
 - 9696
+ firewall_frontend_rules:
+ '100 neutron_haproxy_frontend':
+ dport:
+ - 9696
+ firewall_ssl_frontend_rules:
+ '100 neutron_haproxy_frontend_ssl':
+ dport:
 - 13696
 keystone_resources:
 neutron:
diff --git a/deployment/nova/nova-api-container-puppet.yaml b/deployment/nova/nova-api-container-puppet.yaml
index 7288b715ee..70f044a3ab 100644
--- a/deployment/nova/nova-api-container-puppet.yaml
+++ b/deployment/nova/nova-api-container-puppet.yaml
@@ -323,6 +323,13 @@ outputs:
 '113 nova_api':
 dport:
 - 8774
+ firewall_frontend_rules:
+ '100 nova_osapi_haproxy_frontend':
+ dport:
+ - 8774
+ firewall_ssl_frontend_rules:
+ '100 nova_osapi_haproxy_frontend_ssl':
+ dport:
 - 13774
 keystone_resources:
 nova:
diff --git a/deployment/nova/nova-metadata-container-puppet.yaml b/deployment/nova/nova-metadata-container-puppet.yaml
index 6249d509f9..152521290d 100644
--- a/deployment/nova/nova-metadata-container-puppet.yaml
+++ b/deployment/nova/nova-metadata-container-puppet.yaml
@@ -158,6 +158,13 @@ outputs:
 '139 nova_metadata':
 dport:
 - 8775
+ firewall_frontend_rules:
+ '100 nova_metadatahaproxy_frontend':
+ dport:
+ - 8775
+ firewall_ssl_frontend_rules:
+ '100 nova_metadatahaproxy_frontend_ssl':
+ dport:
 - 13775
 monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata}
 config_settings:
diff --git a/deployment/nova/nova-vnc-proxy-container-puppet.yaml b/deployment/nova/nova-vnc-proxy-container-puppet.yaml
index 7dfc6d9eca..27303e22e9 100644
--- a/deployment/nova/nova-vnc-proxy-container-puppet.yaml
+++ b/deployment/nova/nova-vnc-proxy-container-puppet.yaml
@@ -179,6 +179,13 @@ outputs:
 '137 nova_vnc_proxy':
 dport:
 - 6080
+ firewall_frontend_rules:
+ '100 nova_vncproxy_haproxy_frontend':
+ dport:
+ - 6080
+ firewall_ssl_frontend_rules:
+ '100 nova_vncproxy_haproxy_frontend_ssl':
+ dport:
 - 13080
 config_settings:
 map_merge:
diff --git a/deployment/octavia/octavia-api-container-puppet.yaml b/deployment/octavia/octavia-api-container-puppet.yaml
index 4e23d13e50..b2c7772d14 100644
--- a/deployment/octavia/octavia-api-container-puppet.yaml
+++ b/deployment/octavia/octavia-api-container-puppet.yaml
@@ -171,6 +171,13 @@ outputs:
 '120 octavia api':
 dport:
 - 9876
+ firewall_frontend_rules:
+ '100 octavia_haproxy_frontend':
+ dport:
+ - 9876
+ firewall_ssl_frontend_rules:
+ '100 octavia_haproxy_frontend_ssl':
+ dport:
 - 13876
 keystone_resources:
 octavia:
diff --git a/deployment/ovn/ovn-dbs-container-puppet.yaml b/deployment/ovn/ovn-dbs-container-puppet.yaml
index b9b7102544..42e1dc5c40 100644
--- a/deployment/ovn/ovn-dbs-container-puppet.yaml
+++ b/deployment/ovn/ovn-dbs-container-puppet.yaml
@@ -109,6 +109,13 @@ outputs:
 dport:
 - {get_param: OVNNorthboundServerPort}
 - {get_param: OVNSouthboundServerPort}
+ firewall_frontend_rules:
+ '100 ovn_nbdb_haproxy_frontend':
+ dport:
+ - {get_param: OVNNorthboundServerPort}
+ '100 ovn_sbdb_haproxy_frontend_ssl':
+ dport:
+ - {get_param: OVNSouthboundServerPort}
 config_settings:
 ovn::northbound::port: {get_param: OVNNorthboundServerPort}
 ovn::southbound::port: {get_param: OVNSouthboundServerPort}
diff --git a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml
index 0da72dea0e..ff51f0a41d 100644
--- a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml
+++ b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml
@@ -162,6 +162,13 @@ outputs:
 - 3125
 - {get_param: OVNNorthboundServerPort}
 - {get_param: OVNSouthboundServerPort}
+ firewall_frontend_rules:
+ '100 ovn_nbdb_haproxy_frontend':
+ dport:
+ - {get_param: OVNNorthboundServerPort}
+ '100 ovn_sbdb_haproxy_frontend_ssl':
+ dport:
+ - {get_param: OVNSouthboundServerPort}
 config_settings:
 map_merge:
 - get_attr: [OVNDbsBase, role_data, config_settings]
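Review bot: In both ovn-dbs hunks the southbound rule is keyed `'100 ovn_sbdb_haproxy_frontend_ssl'` although it sits under `firewall_frontend_rules` next to the non-ssl `'100 ovn_nbdb_haproxy_frontend'`; every other service in this commit reserves the `_ssl` suffix for entries under `firewall_ssl_frontend_rules`, so the label suggests a TLS frontend that the rule does not represent. Rename it to `'100 ovn_sbdb_haproxy_frontend'` in ovn-dbs-container-puppet.yaml and ovn-dbs-pacemaker-puppet.yaml so the rule names seen when auditing the firewall line up with the grouping in the templates.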
diff --git a/deployment/placement/placement-api-container-puppet.yaml b/deployment/placement/placement-api-container-puppet.yaml
index d9702d69b4..35ed04763f 100644
--- a/deployment/placement/placement-api-container-puppet.yaml
+++ b/deployment/placement/placement-api-container-puppet.yaml
@@ -149,6 +149,13 @@ outputs:
 '138 placement':
 dport:
 - 8778
+ firewall_frontend_rules:
+ '100 placement_haproxy_frontend':
+ dport:
+ - 8778
+ firewall_ssl_frontend_rules:
+ '100 placement_haproxy_frontend_ssl':
+ dport:
 - 13778
 keystone_resources:
 placement:
diff --git a/deployment/swift/swift-proxy-container-puppet.yaml b/deployment/swift/swift-proxy-container-puppet.yaml
index 4ad6c355cf..50f76eef57 100644
--- a/deployment/swift/swift-proxy-container-puppet.yaml
+++ b/deployment/swift/swift-proxy-container-puppet.yaml
@@ -156,6 +156,13 @@ outputs:
 '122 swift proxy':
 dport:
 - 8080
+ firewall_frontend_rules:
+ '100 swift_proxy_server_haproxy_frontend':
+ dport:
+ - 8080
+ firewall_ssl_frontend_rules:
+ '100 swift_proxy_server_haproxy_frontend_ssl':
+ dport:
 - 13808
 keystone_resources:
 swift:
diff --git a/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
index 385640c9e5..a61a0527ea 100644
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
@@ -69,6 +69,10 @@ outputs:
 proto: 'tcp'
 dport: 22
 - {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
+ host_firewall_tasks:
+ - name: Run firewall role
+ include_role:
+ name: tripleo_firewall
 update_tasks:
 - name: Cleanup tripleo-iptables services
 when:
diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml
index 67ac7fc175..3a1eb8a81e 100644
--- a/overcloud.j2.yaml
+++ b/overcloud.j2.yaml
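Review bot: The new `host_firewall_tasks` in the tripleo-firewall hunk include the tripleo_firewall role with no `vars:`, whereas the task it replaces in role.role.j2.yaml passed `tripleo_firewall_rules` explicitly; the rule lists now reach the role only as group vars set in the overcloud.j2.yaml hunk, which a reader of this file cannot see. A short comment above the task would make that contract explicit, e.g. `# Rule lists (tripleo_firewall_rules and the tripleo_firewall_*_frontend_rules variants) are supplied as role group vars from overcloud.j2.yaml, not as task vars.` Whether the role version this depends on reads those variables is only implied by the Depends-on trailer, not visible here.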
@@ -931,6 +931,37 @@ resources:
 properties:
 CtlplaneNetworkCidrs: {get_attr: [ControlVirtualIP, network, tags]}
+ # NOTE(tkajinam): Backend services and haproxy might be running in different
+ # nodes, so we need to gather all frontend firewall rules
+ # across all roles and pass the combined data to firewall
+ # configuration task in the node where haproxy (or edge
+ # haproxy) is assigned to.
+ FirewallFrontendRules:
+ type: OS::Heat::Value
+ properties:
+ type: json
+ value:
+ frontend:
+ map_merge:
+{% for role in roles %}
+ - get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_frontend_rules]
+{% endfor %}
+ ssl_frontend:
+ map_merge:
+{% for role in roles %}
+ - get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_ssl_frontend_rules]
+{% endfor %}
+ edge_frontend:
+ map_merge:
+{% for role in roles %}
+ - get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_edge_frontend_rules]
+{% endfor %}
+ edge_ssl_frontend:
+ map_merge:
+{% for role in roles %}
+ - get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_edge_ssl_frontend_rules]
+{% endfor %}
+
 {%- for role in roles %}
 {{role.name}}GroupVars:
 type: OS::Heat::Value
@@ -1007,6 +1038,11 @@ resources:
 tripleo_network_config_with_ansible: {get_param: NetworkConfigWithAnsible}
 default_route_networks: {{role.default_route_networks|default(['ControlPlane'])}}
 networks_skip_config: {{ role.networks_skip_config|default([]) }}
+ tripleo_firewall_rules: {get_attr: [{{role.name}}ServiceChainRoleData, value, firewall_rules]}
+ tripleo_firewall_frontend_rules: {get_attr: [FirewallFrontendRules, value, frontend]}
+ tripleo_firewall_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, ssl_frontend]}
+ tripleo_firewall_edge_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_frontend]}
+ tripleo_firewall_edge_ssl_frontend_rules: {get_attr: [FirewallFrontendRules, value, edge_ssl_frontend]}
 role_tags: {{role.tags}}
 {{role.name}}NetworkConfig:
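Review bot: The NOTE(tkajinam) comment on the FirewallFrontendRules resource says the combined data is passed to the node where haproxy is assigned, but the GroupVars hunk below (@@ -1007,6 +1038,11) hands `tripleo_firewall_frontend_rules` and its ssl/edge variants to every role; what presumably limits where the ports are actually opened is the `tripleo_firewall_frontend_enabled`, `tripleo_firewall_ssl_frontend_enabled` and `tripleo_firewall_edge_frontend_enabled` group vars exported only by the haproxy services in this commit. Extend the comment so the gating is documented where the data is built, e.g. `# The merged rules are exposed to every role; only nodes whose haproxy service sets tripleo_firewall_*_enabled are expected to apply them.` It is also worth one line that `map_merge` lets a later role's entry silently replace an earlier one with the same rule name, so two roles exporting the same key with different ports would not both be honoured.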
diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py
index c1291864ec..c343af3bdb 100755
--- a/tools/yaml-validate.py
+++ b/tools/yaml-validate.py
@@ -43,6 +43,10 @@ required_params = ['EndpointMap', 'ServiceNetMap', 'RoleName',
 OPTIONAL_SECTIONS = ['ansible_group_vars', 'cellv2_discovery', 'firewall_rules',
+ 'firewall_frontend_rules',
+ 'firewall_ssl_frontend_rules',
+ 'firewall_edge_frontend_rules',
+ 'firewall_edge_ssl_frontend_rules',
 'keystone_resources']
 REQUIRED_DOCKER_SECTIONS = ['service_name', 'docker_config', 'puppet_config', 'config_settings']
@@ -51,9 +55,9 @@ OPTIONAL_DOCKER_SECTIONS = ['container_puppet_tasks', 'upgrade_tasks',
 'pre_upgrade_rolling_tasks', 'post_upgrade_tasks', 'update_tasks', 'post_update_tasks', 'service_config_settings',
- 'host_prep_tasks', 'metadata_settings',
- 'kolla_config', 'global_config_settings',
- 'external_deploy_tasks',
+ 'host_firewall_tasks', 'host_prep_tasks',
+ 'metadata_settings', 'kolla_config',
+ 'global_config_settings', 'external_deploy_tasks',
 'external_post_deploy_tasks', 'container_config_scripts', 'step_config', 'monitoring_subscription', 'scale_tasks',