0074098f0e
The only supported firewall engine is nftables from now on. Tripleo-ansible has been cleaned from its tripleo_iptables related resources and actions, meaning we don't need to keep the FirewallEngine anymore. This patch also removes an old and deprecated upgrade action related to puppet-firewall - since Train, we're using tripleo_iptables and related, meaning there shouldn't be any trailing config at this point. Especially since iptables and ip6tables services are now deactivated for good. Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/860063 Change-Id: I18d23125a468cb2db5ff33979d8b810a0207819a
111 lines
3.5 KiB
YAML
111 lines
3.5 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
TripleO Firewall settings
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ExtraFirewallRules:
|
|
default: {}
|
|
description: Mapping of firewall rules.
|
|
type: json
|
|
tags:
|
|
- role_specific
|
|
|
|
resources:
|
|
# Merging role-specific parameters (RoleParameters) with the default parameters.
|
|
# RoleParameters will have the precedence over the default parameters.
|
|
RoleParametersValue:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
map_replace:
|
|
- map_replace:
|
|
- extra_firewall_rules: ExtraFirewallRules
|
|
- values: {get_param: [RoleParameters]}
|
|
- values:
|
|
ExtraFirewallRules: {get_param: ExtraFirewallRules}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the TripleO firewall settings
|
|
value:
|
|
service_name: tripleo_firewall
|
|
config_settings: {}
|
|
firewall_rules:
|
|
map_merge:
|
|
- map_merge:
|
|
repeat:
|
|
for_each:
|
|
<%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
|
|
template:
|
|
'003 accept ssh from ctlplane subnet <%net_cidr%>':
|
|
source: <%net_cidr%>
|
|
proto: 'tcp'
|
|
dport: 22
|
|
- {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
|
|
host_firewall_tasks:
|
|
- name: Run firewall role
|
|
include_role:
|
|
name: tripleo_firewall
|
|
update_tasks:
|
|
- name: Cleanup tripleo-iptables services
|
|
when:
|
|
- (step | int) == 1
|
|
block: &tripleo_firewall_teardown
|
|
- name: Disable tripleo-iptables.service
|
|
systemd:
|
|
name: tripleo-iptables.service
|
|
state: stopped
|
|
enabled: false
|
|
register: systemd_tripleo_iptables
|
|
failed_when: false
|
|
- name: Cleanup tripleo-iptables.services
|
|
file:
|
|
path: /etc/systemd/system/tripleo-iptables.service
|
|
state: absent
|
|
- name: Disable tripleo-ip6tables.service
|
|
systemd:
|
|
name: tripleo-ip6tables.service
|
|
state: stopped
|
|
enabled: false
|
|
register: systemd_tripleo_ip6tables
|
|
failed_when: false
|
|
- name: Cleanup tripleo-ip6tables.services
|
|
file:
|
|
path: /etc/systemd/system/tripleo-ip6tables.service
|
|
state: absent
|
|
- name: Reload systemd
|
|
systemd:
|
|
daemon_reload: true
|
|
when:
|
|
- (systemd_tripleo_iptables is changed or systemd_tripleo_ip6tables is changed)
|
|
upgrade_tasks:
|
|
- name: Cleanup tripleo-iptables services
|
|
when:
|
|
- (step | int) == 1
|
|
block: *tripleo_firewall_teardown
|