diff --git a/ci/environments/scenario003-standalone.yaml b/ci/environments/scenario003-standalone.yaml
index 270e82ee8d..748ddb8c3d 100644
--- a/ci/environments/scenario003-standalone.yaml
+++ b/ci/environments/scenario003-standalone.yaml
@@ -85,3 +85,10 @@ parameter_defaults:
 proto: udp
 source: 127.0.0.1
 action: append
+ StandaloneParameters:
+ ExtraFirewallRules:
+ '303 allow arbitrary tcp rule for controller':
+ dport: 12347
+ proto: tcp
+ source: 127.0.0.1
+ action: insert
diff --git a/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
index ac69b735b7..ad97cd512e 100644
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
@@ -34,6 +34,23 @@ parameters:
 default: {}
 description: Mapping of firewall rules.
 type: json
+ tags:
+ - role_specific
+
+resources:
+ # Merging role-specific parameters (RoleParameters) with the default parameters.
+ # RoleParameters will have the precedence over the default parameters.
+ RoleParametersValue:
+ type: OS::Heat::Value
+ properties:
+ type: json
+ value:
+ map_replace:
+ - map_replace:
+ - extra_firewall_rules: ExtraFirewallRules
+ - values: {get_param: [RoleParameters]}
+ - values:
+ ExtraFirewallRules: {get_param: ExtraFirewallRules}
 conditions:
 no_ctlplane:
@@ -60,7 +77,7 @@ outputs:
 source: <%net_cidr%>
 proto: 'tcp'
 dport: 22
- - {get_param: ExtraFirewallRules}
+ - {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
 host_prep_tasks:
 - if:
 - no_ctlplane
diff --git a/environments/firewall.yaml b/environments/firewall.yaml
new file mode 100644
index 0000000000..aa8efb1d44
--- /dev/null
+++ b/environments/firewall.yaml
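Review bot: The rule key added under `StandaloneParameters` is `'303 allow arbitrary tcp rule for controller'`, yet the scenario applies it to the Standalone role, so the name does not describe where the rule lands; if the key ends up as the rendered rule's comment, that mismatch is carried into the host's firewall state. A key such as `'303 allow arbitrary tcp rule for standalone'` keeps the rendered rule self-describing. The rule also carries nothing saying why it exists; a one-line `# exercises the role-specific ExtraFirewallRules override` above `StandaloneParameters:` would make the CI intent clear to the next reader.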
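Review bot: The comment above `RoleParametersValue` says RoleParameters take precedence, but as far as I read Heat's `map_replace`, the nested call swaps the entire `ExtraFirewallRules` value: once a role supplies any `ExtraFirewallRules`, none of the rules given in the global `ExtraFirewallRules` reach that role, which for an allow-list is easy to misread as an additive merge. State the replacement explicitly, e.g. `# NOTE: whole-value replacement, not a merge: a role that sets ExtraFirewallRules drops every rule from the global ExtraFirewallRules.`, and extend the parameter description `Mapping of firewall rules.` to say it can be overridden per role. The `get_attr` consumer in the `outputs` hunk of the same file inherits this behaviour. The resource also relies on a `RoleParameters` parameter being declared earlier in `parameters:`, which is outside the hunk; the `resources:` and `conditions:` blocks likewise continue past it.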
@@ -0,0 +1,23 @@
+# This is an example of custom firewall rules that one could apply for specific
+# roles.
+
+parameter_defaults:
+
+# This firewall rule will autorize 12345/tcp from localhost on all the nodes
+# in the overcloud:
+# ExtraFirewallRules:
+# '301 allow arbitrary tcp rule':
+# dport: 12345
+# proto: tcp
+# source: 127.0.0.1
+# action: insert
+
+# This firewall rule will autorize 12345/tcp from localhost on all the
+# compute nodes:
+# ComputeParameters:
+# ExtraFirewallRules:
+# '301 allow arbitrary tcp rule':
+# dport: 12345
+# proto: tcp
+# source: 127.0.0.1
+# action: insert
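Review bot: Both example comments spell `autorize`; the word is `authorize`. With every key commented out, `parameter_defaults:` is a bare key and parses as null rather than an empty mapping, so `parameter_defaults: {}` is the safer form for any tooling that expects a mapping there. The second example also deserves a caveat: given the role-specific override introduced in tripleo-firewall-baremetal-ansible.yaml in this same change, a `ComputeParameters.ExtraFirewallRules` appears to replace rather than add to the global `ExtraFirewallRules` on compute nodes, so a line such as `# Note: a role-specific ExtraFirewallRules replaces the global one on that role; repeat any global rules here if they are still wanted.` would spare operators a surprise.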