Merge "Designate mDNS: restrict access to internal network"

2023-03-22 15:09:20 +00:00 · 2023-03-22 15:09:20 +00:00 · b4f2c55580
parent 1c7b14cadd a8e936a9c4
commit b4f2c55580
1 changed files with 22 additions and 8 deletions
--- a/deployment/designate/designate-mdns-container-puppet.yaml
+++ b/deployment/designate/designate-mdns-container-puppet.yaml
@ -109,14 +109,28 @@ outputs:
    value:
      service_name: designate_mdns
      firewall_rules:
-        '142 designate_mdns udp':
-          proto: 'udp'
-          dport:
-            - 5354
-        '143 designate_mdns tcp':
-          proto: 'tcp'
-          dport:
-            - 5354
+        map_merge:
+          - '142 designate_mdns udp':
+              extras:
+                ensure: absent
+            '143 designate_mdns tcp':
+              extras:
+                ensure: absent
+          - map_merge:
+              repeat:
+                for_each:
+                  <% net_cidr %>: {get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, DesignateMdnsNetwork]}]}
+                template:
+                  '142 designate_mdns udp <% net_cidr %>':
+                    proto: 'udp'
+                    source: <% net_cidr %>
+                    dport:
+                      - 5354
+                  '143 designate_mdns tcp <% net_cidr %>':
+                    proto: 'tcp'
+                    source: <% net_cidr %>
+                    dport:
+                      - 5354
      firewall_frontend_rules:
        '100 designate_mdns proxies':
          proto: 'tcp'