Kevin Carter 50367fbe35 Convert firewall rules to use TripleO-Ansible
This change converts our firewall deployment practice to use
the tripleo-ansible firewall role. This change creates a new
"firewall_rules" object which is queried using YAQL from the
"FirewallRules" resource.

A new parameter has been added allowing users to input
additional firewall rules as needed. The new parameter is
`ExtraFirewallRules` and will be merged on top of the YAQL
interface.

Depends-On: Ie5d0f51d7efccd112847d3f1edf5fd9cdb1edeed
Change-Id: I1be209a04f599d1d018e730c92f1fc8dd9bf884b
Signed-off-by: Kevin Carter <kecarter@redhat.com>
2019-11-18 15:40:22 -06:00


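heat_template_version: rocky

# Composable-service template for the chrony time service.  The HOT side
# only declares parameters and turns them into Ansible group vars plus a
# firewall rule; the install/configure work is done by the `chrony` role
# included from host_prep_tasks further down.
description: >
  Chrony time service deployment using Ansible. This YAML file
  creates the interface between the HOT template
  and the Ansible role that actually installs
  and configures chronyd.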
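parameters:
  # The first six parameters are the standard composable-service interface
  # every TripleO service template must accept; this template does not read
  # any of them itself (no get_param references them below).
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set via
      parameter_defaults in the resource registry. This mapping overrides
      those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set via
      parameter_defaults in the resource registry.
    type: json
  # NOTE(review): the defaults below are public, unauthenticated NTP
  # sources.  System time is a security input (certificate validity
  # windows, Kerberos and token lifetimes, log correlation), so production
  # deployments should point NtpServer/NtpPool at trusted, reachable
  # sources rather than relying on pool.ntp.org.
  NtpServer:
    default: ['0.pool.ntp.org', '1.pool.ntp.org', '2.pool.ntp.org', '3.pool.ntp.org']
    description: >-
      NTP servers list. Defaulted to a set of pool.ntp.org servers so that
      Pacemaker deployments have a sane default when this parameter is not
      set explicitly.
    type: comma_delimited_list
  NtpPool:
    default: []
    description: >-
      NTP pool list. Defaults to [], so only NtpServer is used by default.
    type: comma_delimited_list
  # A non-empty value here is passed through verbatim as the server/pool
  # option string and bypasses the NtpIburstEnable/MinPoll/MaxPoll
  # composition selected by the conditions section.
  ChronyGlobalServerOptions:
    default: ''
    description: >-
      Default server options for the configured NTP servers in chrony.conf.
      If this is specified, NtpIburstEnable, MaxPoll, and MinPoll are
      ignored.
    type: string
  ChronyGlobalPoolOptions:
    default: ''
    description: >-
      Default pool options for the configured NTP pools in chrony.conf.
      If this is specified, NtpIburstEnable, MaxPoll, and MinPoll are
      ignored.
    type: string
  NtpIburstEnable:
    default: true
    description: >-
      Specifies whether to enable the iburst option for every NTP peer. If
      iburst is enabled, when the ntp server is unreachable ntp will send a
      burst of eight packets instead of one. This is designed to speed up
      the initial synchronization.
    type: boolean
  # Heat range-checks MinPoll and MaxPoll individually only; nothing here
  # enforces MinPoll <= MaxPoll.  NOTE(review): confirm how chronyd treats
  # an inverted pair before relying on these two parameters independently.
  MaxPoll:
    description: >-
      Specify maximum poll interval of upstream servers for NTP messages,
      in seconds to the power of two. The maximum poll interval defaults
      to 10 (1,024 s). Allowed values are 4 to 17.
    type: number
    default: 10
    constraints:
      - range: { min: 4, max: 17 }
  MinPoll:
    description: >-
      Specify minimum poll interval of upstream servers for NTP messages,
      in seconds to the power of two. The minimum poll interval defaults
      to 6 (64 s). Allowed values are 4 to 17.
    type: number
    default: 6
    constraints:
      - range: { min: 4, max: 17 }
  EnablePackageInstall:
    # Previously the quoted string 'false'; Heat coerces it, but a real
    # boolean matches the declared type and avoids string/boolean ambiguity.
    default: false
    description: Set to true to enable package installation at deploy time
    type: boolean
  # chrony's own client admission control, handed to the role as
  # chrony_acl_rules.  With the default 'deny all' no client is served even
  # where the udp/123 firewall rule lets packets reach chronyd; add
  # 'allow <cidr>' entries (chrony syntax) only for the networks that
  # should use this node as a time source.
  ChronyAclRules:
    default: ['deny all']
    description: >-
      Access Control List of NTP clients. By default no clients are
      permitted.
    type: comma_delimited_list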
# Heat conditions consumed by the `if:` functions in the outputs section.
# The two "_is_empty" conditions decide whether the server/pool option
# string is composed from NtpIburstEnable/MinPoll/MaxPoll or taken verbatim
# from the corresponding ChronyGlobal*Options parameter; ntp_iburst selects
# whether the literal "iburst" is emitted into that composed string.
conditions:
  chrony_global_server_settings_is_empty:
    equals:
      - get_param: ChronyGlobalServerOptions
      - ''
  chrony_global_pool_settings_is_empty:
    equals:
      - get_param: ChronyGlobalPoolOptions
      - ''
  ntp_iburst:
    equals:
      - get_param: NtpIburstEnable
      - true
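outputs:
  role_data:
    description: Role chrony using composable timesync services.
    value:
      service_name: chrony
      # Consumed by the tripleo-ansible firewall role.  This opens udp/123
      # inbound on every host running the service with no source
      # restriction, so which clients are actually served is decided solely
      # by chrony_acl_rules below (ChronyAclRules, 'deny all' by default).
      # NOTE(review): the commit message says ExtraFirewallRules is merged
      # on top of this; confirm it can narrow this rule (e.g. add a source)
      # rather than only append new ones.
      firewall_rules:
        '105 ntp':
          dport: 123
          proto: udp
      host_prep_tasks:
        # service_facts takes no arguments; the empty value is intentional.
        - name: Populate service facts (chrony)
          service_facts:
        # Stop and disable a pre-existing ntpd before chrony is configured;
        # the guard keeps hosts that never had ntpd installed untouched.
        - name: Disable NTP before configuring Chrony
          service:
            name: ntpd
            state: stopped
            enabled: false  # canonical boolean rather than YAML 1.1 'no'
          when: "'ntpd.service' in ansible_facts.services"
        - name: Install, Configure and Run Chrony
          include_role:
            name: chrony
        # Flush handlers now so any restart notified by the role runs before
        # the makestep below instead of at the end of the play.
        - name: Ensure chrony has been restarted
          meta: flush_handlers
        # chronyc makestep steps the clock immediately instead of slewing;
        # acceptable at deploy time, before time-sensitive services start.
        - name: Ensure system is NTP time synced
          command: chronyc makestep
      ansible_group_vars:
        chrony_role_action: all
        chrony_ntp_servers: {get_param: NtpServer}
        chrony_ntp_pools: {get_param: NtpPool}
        # Empty ChronyGlobalServerOptions -> compose "[iburst] minpoll N
        # maxpoll M" from the individual parameters; otherwise the
        # operator-supplied string is passed through untouched.
        chrony_global_server_settings:
          if:
            - chrony_global_server_settings_is_empty
            - str_replace:
                template: IBURST minpoll MINPOLL maxpoll MAXPOLL
                params:
                  IBURST:
                    if:
                      - ntp_iburst
                      - iburst
                      - ''
                  MINPOLL: { get_param: MinPoll }
                  MAXPOLL: { get_param: MaxPoll }
            - {get_param: ChronyGlobalServerOptions}
        # Same selection for pools, driven by ChronyGlobalPoolOptions.
        chrony_global_pool_settings:
          if:
            - chrony_global_pool_settings_is_empty
            - str_replace:
                template: IBURST minpoll MINPOLL maxpoll MAXPOLL
                params:
                  IBURST:
                    if:
                      - ntp_iburst
                      - iburst
                      - ''
                  MINPOLL: { get_param: MinPoll }
                  MAXPOLL: { get_param: MaxPoll }
            - {get_param: ChronyGlobalPoolOptions}
        chrony_manage_package: {get_param: EnablePackageInstall}
        # Client admission list; see ChronyAclRules and the firewall note above.
        chrony_acl_rules: {get_param: ChronyAclRules}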