Memcached - Use net_cidr_map for firewall rules

Change I68e064d23ec5d43f59146d974cae604d2c5fdb52 makes NetCidrMapValue a list of ip networks. Iterate over the list of cidr' from the MemcachedNetwork entry in the cidr map and create firewall rules for each ip network. Partial: blueprint tripleo-routed-networks-templates Change-Id: I7e3d8127b9d3d8c09327f90ccb26ae1bc62565ad
2018-11-20 00:29:58 +01:00 · 2018-11-20 00:29:58 +01:00 · f2ff3eb741
commit f2ff3eb741
parent 5666a4fe0d
1 changed files with 24 additions and 21 deletions
--- a/deployment/memcached/memcached-container-puppet.yaml
+++ b/deployment/memcached/memcached-container-puppet.yaml
@ -82,13 +82,6 @@ outputs:
      service_name: memcached
      monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
      config_settings:
-        memcached_network:
-          # TODO(hjensas): Replace with get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, MemcachedNetwork]}
-          str_replace:
-            template:
-              "%{hiera('$NETWORK_subnet')}"
-            params:
-              $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
        # NOTE: bind IP is found in hiera replacing the network name with the local node IP
        # for the given network; replacement examples (eg. for internal_api):
        # internal_api -> IP
@ -114,20 +107,30 @@ outputs:
                - ''
        memcached::disable_cachedump: true
        tripleo::memcached::firewall_rules:
-          '121 memcached':
-            dport: 11211
-            # https://access.redhat.com/security/cve/cve-2018-1000115
-            # Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
-            proto: 'tcp'
-            # Memcached traffic shouldn't be open on the internet.
-            # Even if binding is configured on internal_api network, enforce it
-            # via firewall as well.
-            source:
-              if:
-              - memcached_network_unset
-              - "%{hiera('memcached_network')}"
-              - {get_param: MemcachedIpSubnet}
-        memcached::logstdout: true
+          # https://access.redhat.com/security/cve/cve-2018-1000115
+          # Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
+          # Memcached traffic shouldn't be open on the internet.
+          # Even if binding is configured on internal_api network, enforce it
+          # via firewall as well.
+          if:
+            - memcached_network_unset
+            - map_merge:
+                repeat:
+                  for_each:
+                    <%net_cidr%>:
+                      get_param:
+                        - ServiceData
+                        - net_cidr_map
+                        - {get_param: [ServiceNetMap, MemcachedNetwork]}
+                  template:
+                    '121 memcached <%net_cidr%>':
+                      dport: 11211
+                      proto: 'tcp'
+                      source: <%net_cidr%>
+            - '121 memcached':
+                dport: 11211
+                proto: 'tcp'
+                source: {get_param: MemcachedIpSubnet}
      service_config_settings:
        collectd:
            tripleo.collectd.plugins.memcached: