openstack/tripleo-heat-templates
Code Issues Proposed changes
01b4d2e76d
tripleo-heat-templates/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
Cédric Jeanneret 0074098f0e Cleanup iptables resources 
The only supported firewall engine is nftables from now on.
Tripleo-ansible has been cleaned from its tripleo_iptables related
resources and actions, meaning we don't need to keep the FirewallEngine
anymore.

This patch also removes an old and deprecated upgrade action related to
puppet-firewall - since Train, we're using tripleo_iptables and related,
meaning there shouldn't be any trailing config at this point. Especially
since iptables and ip6tables services are now deactivated for good.

Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/860063
Change-Id: I18d23125a468cb2db5ff33979d8b810a0207819a
2022-10-03 08:07:31 +02:00

111 lines
3.5 KiB
YAML
Raw Blame History

heat_template_version: wallaby
description: >
TripleO Firewall settings
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ExtraFirewallRules:
default: {}
description: Mapping of firewall rules.
type: json
tags:
- role_specific
resources:
# Merging role-specific parameters (RoleParameters) with the default parameters.
# RoleParameters will have the precedence over the default parameters.
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- extra_firewall_rules: ExtraFirewallRules
- values: {get_param: [RoleParameters]}
- values:
ExtraFirewallRules: {get_param: ExtraFirewallRules}
outputs:
role_data:
description: Role data for the TripleO firewall settings
value:
service_name: tripleo_firewall
config_settings: {}
firewall_rules:
map_merge:
- map_merge:
repeat:
for_each:
<%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
template:
'003 accept ssh from ctlplane subnet <%net_cidr%>':
source: <%net_cidr%>
proto: 'tcp'
dport: 22
- {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
host_firewall_tasks:
- name: Run firewall role
include_role:
name: tripleo_firewall
update_tasks:
- name: Cleanup tripleo-iptables services
when:
- (step | int) == 1
block: &tripleo_firewall_teardown
- name: Disable tripleo-iptables.service
systemd:
name: tripleo-iptables.service
state: stopped
enabled: false
register: systemd_tripleo_iptables
failed_when: false
- name: Cleanup tripleo-iptables.services
file:
path: /etc/systemd/system/tripleo-iptables.service
state: absent
- name: Disable tripleo-ip6tables.service
systemd:
name: tripleo-ip6tables.service
state: stopped
enabled: false
register: systemd_tripleo_ip6tables
failed_when: false
- name: Cleanup tripleo-ip6tables.services
file:
path: /etc/systemd/system/tripleo-ip6tables.service
state: absent
- name: Reload systemd
systemd:
daemon_reload: true
when:
- (systemd_tripleo_iptables is changed or systemd_tripleo_ip6tables is changed)
upgrade_tasks:
- name: Cleanup tripleo-iptables services
when:
- (step | int) == 1
block: *tripleo_firewall_teardown
View Git Blame Copy Permalink