implement default ssh-from-ctlplane rule via hiera

With the accompanying change in puppet-tripleo, this removes the hardcoded firewall rule allowing ssh traffic in tripleo::firewall::pre and replaces it with a configuration in tripleo-firewall.yaml that allows only ssh access from the undercloud's controlplane network address. This allows operators to define more granular ssh firewall rules via tripleo::firewall::firewall_rules. Change-Id: I89cff59947dda3f51482486c41a3d67c4aa36a3e Related-Bug: #1826829 (cherry picked from commit a433e05e66) (cherry picked from commit 123535d8c9)
2018-07-12 15:36:48 -04:00 · 2018-07-12 15:36:48 -04:00 · b81c744370
commit b81c744370
parent 67ce74ed8b
1 changed files with 6 additions and 0 deletions
--- a/puppet/services/tripleo-firewall.yaml
+++ b/puppet/services/tripleo-firewall.yaml
@ -47,6 +47,12 @@ outputs:
      config_settings:
        tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
        tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
+        tripleo::tripleo_firewall::firewall_rules:
+          '003 accept ssh from controlplane':
+            source: "%{hiera('ctlplane_subnet')}"
+            proto: 'tcp'
+            dport: 22
+
      step_config: |
        include ::tripleo::firewall
      upgrade_tasks: