firewall: make ExtraFirewallRules role specific

Allow our operators to override ExtraFirewallRules per role. Also add an environment file that hopefully provide enough example on how this feature can be used. Also making sure that CI is testing this change. Change-Id: I776f1cdb780ab57d7554985f0b7c2139356cdf3a
2020-09-29 17:19:43 -04:00 · 2020-09-29 17:19:43 -04:00 · dbe38cac18
parent d84aee0f00
commit dbe38cac18
3 changed files with 48 additions and 1 deletions
--- a/ci/environments/scenario003-standalone.yaml
+++ b/ci/environments/scenario003-standalone.yaml
@ -85,3 +85,10 @@ parameter_defaults:
      proto: udp
      source: 127.0.0.1
      action: append
+  StandaloneParameters:
+    ExtraFirewallRules:
+      '303 allow arbitrary tcp rule for controller':
+        dport: 12347
+        proto: tcp
+        source: 127.0.0.1
+        action: insert
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
@ -34,6 +34,23 @@ parameters:
    default: {}
    description: Mapping of firewall rules.
    type: json
+    tags:
+      - role_specific
+
+resources:
+  # Merging role-specific parameters (RoleParameters) with the default parameters.
+  # RoleParameters will have the precedence over the default parameters.
+  RoleParametersValue:
+    type: OS::Heat::Value
+    properties:
+      type: json
+      value:
+        map_replace:
+          - map_replace:
+            - extra_firewall_rules: ExtraFirewallRules
+            - values: {get_param: [RoleParameters]}
+          - values:
+              ExtraFirewallRules: {get_param: ExtraFirewallRules}

 conditions:
  no_ctlplane:
@ -60,7 +77,7 @@ outputs:
                    source: <%net_cidr%>
                    proto: 'tcp'
                    dport: 22
-          - {get_param: ExtraFirewallRules}
+          - {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
      host_prep_tasks:
        - if:
            - no_ctlplane
--- a/environments/firewall.yaml
+++ b/environments/firewall.yaml
@ -0,0 +1,23 @@
+# This is an example of custom firewall rules that one could apply for specific
+# roles.
+
+parameter_defaults:
+
+# This firewall rule will autorize 12345/tcp from localhost on all the nodes
+# in the overcloud:
+#  ExtraFirewallRules:
+#    '301 allow arbitrary tcp rule':
+#      dport: 12345
+#      proto: tcp
+#      source: 127.0.0.1
+#      action: insert
+
+# This firewall rule will autorize 12345/tcp from localhost on all the
+# compute nodes:
+#  ComputeParameters:
+#    ExtraFirewallRules:
+#      '301 allow arbitrary tcp rule':
+#        dport: 12345
+#        proto: tcp
+#        source: 127.0.0.1
+#        action: insert