tripleo-heat-templates/ci/environments/scenario003-standalone.yaml
Emilien Macchi dbe38cac18 firewall: make ExtraFirewallRules role specific
Allow our operators to override ExtraFirewallRules per role.
Also add an environment file that hopefully provides enough examples of
how this feature can be used.

Also making sure that CI is testing this change.

Change-Id: I776f1cdb780ab57d7554985f0b7c2139356cdf3a
2020-10-01 01:43:06 +00:00


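# Maps TripleO service resource types to the Heat templates that implement
# them in this CI scenario. Entries must be nested under resource_registry;
# the nesting is restored here.
resource_registry:
  # OS::Heat::None is Heat's no-op resource: Cinder, Horizon and Swift are
  # not deployed in this scenario.
  OS::TripleO::Services::CinderApi: OS::Heat::None
  OS::TripleO::Services::CinderScheduler: OS::Heat::None
  OS::TripleO::Services::CinderVolume: OS::Heat::None
  OS::TripleO::Services::Horizon: OS::Heat::None
  OS::TripleO::Services::SwiftProxy: OS::Heat::None
  OS::TripleO::Services::SwiftStorage: OS::Heat::None
  OS::TripleO::Services::SwiftRingBuilder: OS::Heat::None
  # Mistral services.
  OS::TripleO::Services::MistralApi: ../../deployment/mistral/mistral-api-container-puppet.yaml
  OS::TripleO::Services::MistralEngine: ../../deployment/mistral/mistral-engine-container-puppet.yaml
  OS::TripleO::Services::MistralExecutor: ../../deployment/mistral/mistral-executor-container-puppet.yaml
  OS::TripleO::Services::MistralEventEngine: ../../deployment/mistral/mistral-event-engine-container-puppet.yaml
  # Messaging: RPC is mapped to the qdrouterd template, notifications to the
  # RabbitMQ one.
  OS::TripleO::Services::OsloMessagingRpc: ../../deployment/messaging/rpc-qdrouterd-container-puppet.yaml
  OS::TripleO::Services::OsloMessagingNotify: ../../deployment/rabbitmq/rabbitmq-messaging-notify-shared-puppet.yaml
  # Designate (DNS) services, taken from the experimental deployment directory.
  OS::TripleO::Services::DesignateApi: ../../deployment/experimental/designate/designate-api-container-puppet.yaml
  OS::TripleO::Services::DesignateCentral: ../../deployment/experimental/designate/designate-central-container-puppet.yaml
  OS::TripleO::Services::DesignateProducer: ../../deployment/experimental/designate/designate-producer-container-puppet.yaml
  OS::TripleO::Services::DesignateWorker: ../../deployment/experimental/designate/designate-worker-container-puppet.yaml
  OS::TripleO::Services::DesignateMDNS: ../../deployment/experimental/designate/designate-mdns-container-puppet.yaml
  OS::TripleO::Services::Redis: ../../deployment/database/redis-container-puppet.yaml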
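# Parameter values for this CI scenario. Keys directly under
# parameter_defaults apply deployment-wide; StandaloneParameters at the end
# holds values scoped to one role. The nesting is restored here: without it
# the DesignatePools block scalar and the firewall rule mappings do not parse
# as intended.
parameter_defaults:
  # NOTE(review): debug logging is useful in CI but can put sensitive request
  # data into service logs; do not copy this setting into a production
  # environment file.
  Debug: true
  # we don't deploy Swift so we switch to file backend.
  GlanceBackend: 'file'
  KeystoneTokenProvider: 'fernet'
  SwiftCeilometerPipelineEnabled: false
  NotificationDriver: 'noop'
  NeutronPluginExtensions: qos,port_security,dns
  # Presumably the ports for the RPC and notification messaging backends
  # selected in resource_registry - confirm against those templates.
  RpcPort: 31459
  NotifyPort: 5672
  # Designate pool definition, kept as a literal block scalar: the '#' lines
  # inside it are part of the string value, not comments of this file.
  # NOTE(review): rndc_key_file names the key that authenticates rndc control
  # of the BIND server; read access to that file should be limited to the
  # services that need it.
  DesignatePools: |
    - name: default
      # The name is immutable. There will be no option to change the name after
      # creation and the only way will to change it will be to delete it
      # (and all zones associated with it) and recreate it.
      description: Default Pool
      attributes: {}
      # List out the NS records for zones hosted within this pool
      # This should be a record that is created outside of designate, that
      # points to the public IP of the controller node.
      ns_records:
        - hostname: ns1-1.example.org.
          priority: 1
      # List out the nameservers for this pool. These are the actual BIND servers.
      # We use these to verify changes have propagated to all nameservers.
      nameservers:
        - host: 192.168.24.251
          port: 53
      # List out the targets for this pool. For BIND there will be one
      # entry for each BIND server, as we have to run rndc command on each server
      targets:
        - type: bind9
          description: BIND9 Server 1
          # List out the designate-mdns servers from which BIND servers should
          # request zone transfers (AXFRs) from.
          # This should be the IP of the controller node.
          # If you have multiple controllers you can add multiple masters
          # by running designate-mdns on them, and adding them here.
          masters:
            - host: 127.0.0.1
              port: 5354
          # BIND Configuration options
          options:
            host: 192.168.24.251
            port: 53
            rndc_host: 192.168.24.251
            rndc_port: 953
            rndc_key_file: /etc/rndc.key
  ContainerCli: podman
  # Deployment-wide test rules, one with action insert and one with append.
  # Both match only traffic whose source is 127.0.0.1, so they do not open
  # port 12345 to other hosts.
  # NOTE(review): the numeric prefix in each rule name presumably sets rule
  # ordering - confirm against the firewall service.
  ExtraFirewallRules:
    '301 allow arbitrary tcp rule':
      dport: 12345
      proto: tcp
      source: 127.0.0.1
      action: insert
    '302 allow arbitrary udp rule':
      dport: 12345
      proto: udp
      source: 127.0.0.1
      action: append
  # Role-scoped section (presumably for the Standalone role, going by the key
  # name) carrying its own ExtraFirewallRules.
  # NOTE(review): confirm whether role-level rules replace the deployment-wide
  # rules above or are merged with them, so the resulting rule set on the node
  # is the one operators expect.
  StandaloneParameters:
    ExtraFirewallRules:
      '303 allow arbitrary tcp rule for controller':
        dport: 12347
        proto: tcp
        source: 127.0.0.1
        action: insert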