Merge "Move firewall to a plugin-specific task"
commit
9e43b8d89a
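--- a/deployment_scripts/keystone_firewall.pp
+++ b/deployment_scripts/keystone_firewall.pp
@@ -0,0 +1,63 @@
+notice('MODULAR: detach-keystone/keystone_firewall.pp')
+
+$network_scheme = hiera_hash('network_scheme')
+$network_metadata = hiera_hash('network_metadata')
+
+$corosync_input_port = 5404
+$corosync_output_port = 5405
+$keystone_admin_port = 35357
+$keystone_public_port = 5000
+$memcached_port = 11211
+$pcsd_port = 2224
+
+$corosync_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/corosync')
+$memcache_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/memcache')
+$keystone_networks = get_routable_networks_for_network_role($network_scheme, 'keystone/api')
+
+# allow connections from haproxy namespace
+firewall {'030 allow connections from haproxy namespace':
+source => '240.0.0.2',
+action => 'accept',
+}
+
+openstack::firewall::multi_net {'102 keystone':
+port => [$keystone_public_port, $keystone_admin_port],
+proto => 'tcp',
+action => 'accept',
+source_nets => $keystone_networks,
+}
+
+openstack::firewall::multi_net {'107 memcache tcp':
+port => $memcached_port,
+proto => 'tcp',
+action => 'accept',
+source_nets => $memcache_networks,
+}
+
+openstack::firewall::multi_net {'107 memcache udp':
+port => $memcached_port,
+proto => 'udp',
+action => 'accept',
+source_nets => $memcache_networks,
+}
+
+openstack::firewall::multi_net {'113 corosync-input':
+port => $corosync_input_port,
+proto => 'udp',
+action => 'accept',
+source_nets => $corosync_networks,
+}
+
+openstack::firewall::multi_net {'114 corosync-output':
+port => $corosync_output_port,
+proto => 'udp',
+action => 'accept',
+source_nets => $corosync_networks,
+}
+
+openstack::firewall::multi_net {'115 pcsd-server':
+port => $pcsd_port,
+proto => 'tcp',
+action => 'accept',
+source_nets => $corosync_networks,
+}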
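Review bot: The `'030 allow connections from haproxy namespace'` rule accepts every protocol and every port from 240.0.0.2, because it sets only `source` and `action`, while each other rule in this manifest is limited by `proto`, `port` and `source_nets`. If the namespace only needs to reach the Keystone endpoints on this node, the rule could be narrowed with `proto => 'tcp',` and `dport => [$keystone_public_port, $keystone_admin_port],`; if it has to stay broad, a comment should say why. The address is a bare literal, so a short comment such as `# 240.0.0.2: haproxy namespace side of the veth pair (confirm against the cluster-haproxy task)` would help the next reader. The `'107 memcache udp'` rule also deserves a line stating whether memcached's UDP listener is actually used, since opening only TCP to `$memcache_networks` would be the smaller surface.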
@ -4,8 +4,8 @@
|
||||
requires: [deploy_start, primary-standalone-database]
|
||||
required_for: [primary-controller, cinder-keystone, nova-keystone, deploy_end]
|
||||
tasks: [fuel_pkgs, hiera, globals, tools, logging,
|
||||
netconfig, hosts, firewall, ssl-keys-saving, ssl-add-trust-chain,
|
||||
deploy_start, cluster, keystone-vip, cluster-haproxy,
|
||||
netconfig, hosts, firewall, keystone-firewall, ssl-keys-saving,
|
||||
ssl-add-trust-chain, deploy_start, cluster, keystone-vip, cluster-haproxy,
|
||||
openstack-haproxy-stats, task-keystone-db, memcached, apache,
|
||||
task-keystone]
|
||||
parameters:
|
||||
@ -18,8 +18,8 @@
|
||||
requires: [deploy_start, primary-standalone-keystone]
|
||||
required_for: [primary-controller, cinder-keystone, nova-keystone, deploy_end]
|
||||
tasks: [fuel_pkgs, hiera, globals, tools, logging,
|
||||
netconfig, hosts, firewall, ssl-keys-saving, ssl-add-trust-chain,
|
||||
deploy_start, cluster, keystone-vip, cluster-haproxy,
|
||||
netconfig, hosts, firewall, keystone-firewall, ssl-keys-saving,
|
||||
ssl-add-trust-chain, deploy_start, cluster, keystone-vip, cluster-haproxy,
|
||||
openstack-haproxy-stats, task-keystone-db, memcached, apache,
|
||||
task-keystone]
|
||||
parameters:
|
||||
@ -60,8 +60,8 @@
|
||||
- id: task-keystone
|
||||
type: puppet
|
||||
role: [primary-standalone-keystone, standalone-keystone]
|
||||
requires: [deploy_start, keystone-haproxy, keystone-vip, task-keystone-db,
|
||||
memcached, apache]
|
||||
requires: [deploy_start, firewall, keystone-firewall, keystone-haproxy,
|
||||
keystone-vip, task-keystone-db, memcached, apache]
|
||||
required_for: [openstack-controller]
|
||||
parameters:
|
||||
puppet_manifest: '/etc/puppet/modules/osnailyfacter/modular/keystone/keystone.pp'
|
||||
@ -82,6 +82,17 @@
|
||||
puppet_modules: /etc/puppet/modules
|
||||
timeout: 1800
|
||||
|
||||
- id: keystone-firewall
|
||||
type: puppet
|
||||
role: [primary-standalone-keystone, standalone-keystone]
|
||||
requires: [keystone-hiera-override, firewall]
|
||||
required_for: [cluster]
|
||||
parameters:
|
||||
puppet_manifest: 'keystone_firewall.pp'
|
||||
puppet_modules: /etc/puppet/modules
|
||||
timeout: 180
|
||||
cwd: /
|
||||
|
||||
- id: disable_standalone_keystone_service_token
|
||||
type: puppet
|
||||
role: [primary-standalone-keystone, standalone-keystone]
|
||||
|
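Review bot: The new `keystone-firewall` task gives `puppet_manifest: 'keystone_firewall.pp'` as a bare relative name together with `cwd: /`, whereas `task-keystone` in the same file uses the absolute `/etc/puppet/modules/osnailyfacter/modular/keystone/keystone.pp`. Presumably the plugin framework resolves the relative name against the plugin's deployment_scripts directory, but nothing visible here says so, and a manifest that fails to resolve would leave the Keystone, memcache and corosync rules unapplied while `cluster` and `task-keystone` wait on this task. I would add a comment above the parameters, for example `# manifest path is relative to the plugin's deployment_scripts dir; cwd is overridden at deploy time (confirm)`, or drop `cwd: /` if it has no effect. Listing `firewall` in `task-keystone`'s `requires` is redundant with `keystone-firewall`, which already requires it, though harmless.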