firewall: make ExtraFirewallRules role specific
Allow our operators to override ExtraFirewallRules per role. Also add an environment file that hopefully provides enough examples of how this feature can be used. Also make sure that CI is testing this change. Change-Id: I776f1cdb780ab57d7554985f0b7c2139356cdf3a
This commit is contained in:
parent
d84aee0f00
commit
dbe38cac18
ci/environments
deployment/tripleo-firewall
environments
@ -85,3 +85,10 @@ parameter_defaults:
|
||||
proto: udp
|
||||
source: 127.0.0.1
|
||||
action: append
|
||||
StandaloneParameters:
|
||||
ExtraFirewallRules:
|
||||
'303 allow arbitrary tcp rule for controller':
|
||||
dport: 12347
|
||||
proto: tcp
|
||||
source: 127.0.0.1
|
||||
action: insert
|
||||
|
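Review bot: The rule key added under StandaloneParameters is named '303 allow arbitrary tcp rule for controller', but the role it is scoped to is Standalone, so the name contradicts where the rule applies and will confuse anyone reading the CI iptables/nftables output. `'303 allow arbitrary tcp rule for standalone':` would describe the scope correctly. The enclosing parameter_defaults mapping starts before the hunk.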
@ -34,6 +34,23 @@ parameters:
|
||||
default: {}
|
||||
description: Mapping of firewall rules.
|
||||
type: json
|
||||
tags:
|
||||
- role_specific
|
||||
|
||||
resources:
|
||||
# Merging role-specific parameters (RoleParameters) with the default parameters.
|
||||
# RoleParameters will have the precedence over the default parameters.
|
||||
RoleParametersValue:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
type: json
|
||||
value:
|
||||
map_replace:
|
||||
- map_replace:
|
||||
- extra_firewall_rules: ExtraFirewallRules
|
||||
- values: {get_param: [RoleParameters]}
|
||||
- values:
|
||||
ExtraFirewallRules: {get_param: ExtraFirewallRules}
|
||||
|
||||
conditions:
|
||||
no_ctlplane:
|
||||
@ -60,7 +77,7 @@ outputs:
|
||||
source: <%net_cidr%>
|
||||
proto: 'tcp'
|
||||
dport: 22
|
||||
- {get_param: ExtraFirewallRules}
|
||||
- {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
|
||||
host_prep_tasks:
|
||||
- if:
|
||||
- no_ctlplane
|
||||
|
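Review bot: The RoleParametersValue map_replace in the first hunk substitutes the whole ExtraFirewallRules value, so a role that sets its own ExtraFirewallRules appears to drop the global ExtraFirewallRules entirely for that role rather than merging the two mappings; if that precedence is intended it deserves a comment, since the parameter description ('Mapping of firewall rules.') gives no hint of it. I would extend the comment above RoleParametersValue with `# A role-level ExtraFirewallRules replaces the global one for that role; the two are not merged.` The second hunk's switch to `get_attr: [RoleParametersValue, value, extra_firewall_rules]` is consistent with that reading. The outputs block containing the second hunk starts and ends outside the hunk.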
23
environments/firewall.yaml
Normal file
@ -0,0 +1,23 @@
|
||||
# This is an example of custom firewall rules that one could apply for specific
|
||||
# roles.
|
||||
|
||||
parameter_defaults:
|
||||
|
||||
# This firewall rule will autorize 12345/tcp from localhost on all the nodes
|
||||
# in the overcloud:
|
||||
# ExtraFirewallRules:
|
||||
# '301 allow arbitrary tcp rule':
|
||||
# dport: 12345
|
||||
# proto: tcp
|
||||
# source: 127.0.0.1
|
||||
# action: insert
|
||||
|
||||
# This firewall rule will autorize 12345/tcp from localhost on all the
|
||||
# compute nodes:
|
||||
# ComputeParameters:
|
||||
# ExtraFirewallRules:
|
||||
# '301 allow arbitrary tcp rule':
|
||||
# dport: 12345
|
||||
# proto: tcp
|
||||
# source: 127.0.0.1
|
||||
# action: insert
|