[mas01] Fix iptables pillar compatibility format
[fuel.git] / mcp / reclass / classes / cluster / all-mcp-arch-common / infra / maas.yml.j2
index efa04ce..4b11478 100644 (file)
@@ -10,7 +10,6 @@
 # NOTE: pod_config is generated and transferred into its final location on
 # cfg01 only during deployment to prevent leaking sensitive data
 classes:
-  - system.linux.system.single.simple
   - system.maas.region.single
   - service.maas.cluster.single
   - cluster.all-mcp-arch-common.opnfv.lab_proxy_pdf
@@ -20,20 +19,21 @@ parameters:
     mcpcontrol_interface: ${_param:opnfv_fn_vm_primary_interface}
     primary_interface: ${_param:opnfv_fn_vm_secondary_interface}
     pxe_admin_interface: ${_param:opnfv_fn_vm_tertiary_interface}
-    interface_mtu: 1500
-    # MaaS has issues using MTU > 1500 for PXE interface
-    pxe_admin_interface_mtu: 1500
     linux_system_codename: xenial
     maas_admin_username: opnfv
-    maas_admin_password: opnfv_secret
-    maas_db_password: opnfv_secret
     dns_server01: '{{ nm.dns_public[0] }}'
-    single_address: ${_param:infra_maas_node01_deploy_address}
+    pxe_admin_address: ${_param:infra_maas_node01_deploy_address}
+    single_address: ${_param:pxe_admin_address}
     hwe_kernel: 'hwe-16.04'
     opnfv_maas_timeout_comissioning: {{ nm.maas_timeout_comissioning }}
     opnfv_maas_timeout_deploying: {{ nm.maas_timeout_deploying }}
   maas:
     region:
+      timeout:
+        # Set maas.wait_for_<state> timeouts to ~2.5x of MaaS <state> timeout
+        ready: {{ nm.maas_timeout_comissioning * 150 }}
+        deployed: {{ nm.maas_timeout_deploying * 150 }}
+        attempts: 3
       boot_sources_delete_all_others: true
       boot_sources:
         resources_mirror:
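Review bot: The new `ready` and `deployed` values under `maas.region.timeout` multiply `nm.maas_timeout_*` by 150, but the comment above them gives no units, so the "~2.5x" claim cannot be checked from the file. It only holds if the `nm` values are minutes and the wait timeouts are seconds (150 = 2.5 * 60), which is inferred rather than shown here. I would extend the comment to something like `# nm.maas_timeout_* are minutes, wait_for timeouts are seconds: 150 = 2.5 * 60`. If the `nm` values can arrive as strings, `{{ nm.maas_timeout_comissioning | int * 150 }}` avoids Jinja repeating the string instead of multiplying. The `parameters:` mapping starts and continues outside this hunk.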
@@ -86,26 +86,7 @@ parameters:
           distributions: '${_param:openstack_version}-armband'
           components: 'main'
           arches: 'arm64'
-          key: &armband_key |
-            -----BEGIN PGP PUBLIC KEY BLOCK-----
-            Version: GnuPG v2.0.14 (GNU/Linux)
-
-            mQENBFagAroBCADWboNIjuF6lB1mWv2+EbvqY3lKl5mLKhr2DnSUkKeHUPBv8gNM
-            qK8Q00AMIyPiyEhgjA+dWizZ+5aBgxoiY7oMeLJ2Xym36U/8SYq2BWd3SGCbMNoz
-            SJDxDUSM/HFVs6atF1M3DY9oN65hSVnu4uy5Tu6asf6k4rhAyk0z4+pRcPBCu2vq
-            mnGi3COM/+9PShrEKeVOx5W2vRJywUFuq8EDvQnRoJ0GvM28JiJIanw17YwIPxhg
-            BKZVpZjan5X+ihVMXwA2h/G/FS5Omhd50RqV6LWSYs94VJJgYqHx8UMm7izcxI+P
-            ct3IcbD195bPbJ+SbuiFe45ZLsdY1MyGiU2BABEBAAG0K0VuZWEgQXJtYmFuZCBE
-            ZXZvcHMgVGVhbSA8YXJtYmFuZEBlbmVhLmNvbT6JATgEEwECACICGwMGCwkIBwMC
-            BhUIAgkKCwQWAgMBAh4BAheABQJaY3bYAAoJEN6rkLp5irHRoQMH/0PYl0A/6eWw
-            nQ/szhEFrr76Ln6wA4vEO+PiuWj9kTkZM2NaCnkisrIuHSPIVvOLfFmztbE6sKGe
-            t+a2b7Jqw48DZ/gq508aZE4Q307ookxdCOrzIu/796hFO34yXg3sqZoJh3VmKIjY
-            4DL8yG1iAiQ5vOw3IFWQnATwIZUgaCcjmE7HGap+9ePuJfFuQ8mIG5cy28t8qocx
-            AB/B2tucfBMwomYxKqgbLI5AG7iSt58ajvrrNa9f8IX7Ihj/jiuXhUwX+geEp98K
-            IWVI1ftEthZvfBpZW4BS98J4z//dEPi31L4jb9RQXq3afF2RpXchDeUN85bW45nu
-            W/9PMAlgE/U=
-            =m+zE
-            -----END PGP PUBLIC KEY BLOCK-----
+          key: ${_param:armband_key}
 {%- endif %}
       salt_master_ip: ${_param:reclass_config_master}
       domain: ${_param:cluster_domain}
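Review bot: `key: ${_param:armband_key}` now resolves the signing key for what appears to be the armband package repository from a parameter whose definition is not visible in this hunk. That key is the trust anchor for everything pulled from the repository, so a missing definition or a later override in another class silently changes which signer is trusted. A comment naming the class that defines `armband_key` would help, for example `# armband_key: defined once in <class providing armband_key>; do not override per pod`. Dropping the `&armband_key` anchor also breaks any `*armband_key` alias left elsewhere in the file; none is visible here, but the rest of the file is outside the hunk.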
@@ -129,8 +110,8 @@ parameters:
   linux:
     system:
       kernel:
-        ~boot_options:
-          - ipv6.disable=0
+        sysctl:
+          net.ipv4.ip_forward: 1
     network:
       interface:
         mcpcontrol_interface:
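Review bot: `net.ipv4.ip_forward: 1` makes this node forward packets between its interfaces, and nothing next to it says why or bounds what may be forwarded. The `iptables` block added in the last hunk of this commit defines only `filter/INPUT` and `nat/POSTROUTING`, so unless the formula applies a restrictive default, the FORWARD chain is left at whatever policy the host already has. I would add a comment such as `# forwarding is required for the MASQUERADE rule on the PXE/admin network`. A `FORWARD` chain in the `iptables` pillar limited to the admin subnet would bound it. The `linux.system` mapping continues outside the hunk.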
@@ -138,6 +119,7 @@ parameters:
           name: ${_param:mcpcontrol_interface}
           type: eth
           proto: dhcp
+          mtu: ${_param:interface_mtu}
         primary_interface:
           enabled: true
           name: ${_param:primary_interface}
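Review bot: `mtu: ${_param:interface_mtu}` on `mcpcontrol_interface` references a parameter whose local definition (`interface_mtu: 1500`) is removed by the second hunk of this same commit. The value therefore has to come from another class that is not visible on this page; if none provides it, reclass interpolation of this node would presumably fail. A short comment naming the source, for example `# interface_mtu is inherited from <class defining interface_mtu>`, would make the dependency explicit.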
@@ -159,8 +141,36 @@ parameters:
         pxe_admin_interface:
           enabled: true
           name: ${_param:pxe_admin_interface}
-          mtu: ${_param:pxe_admin_interface_mtu}
+          # MaaS has issues using MTU > 1500 for PXE interface
+          mtu: 1500
           proto: static
           address: ${_param:single_address}
           netmask: ${_param:opnfv_net_admin_mask}
           type: eth
+  iptables:
+    schema:
+      epoch: 1
+    service:
+      v4:
+        enabled: true
+        persistent_config: /etc/iptables/rules.v4
+      v6:
+        enabled: false
+    tables:
+      v4:
+        filter:
+          chains:
+            INPUT:
+              ruleset:
+                10:
+                  rule: -s ${_param:single_address}/${_param:opnfv_net_admin_mask}
+                11:
+                  rule: -d ${_param:single_address}/${_param:opnfv_net_admin_mask}
+        nat:
+          chains:
+            POSTROUTING:
+              policy: ACCEPT
+              ruleset:
+                10:
+                  rule: -s ${_param:single_address}/${_param:opnfv_net_admin_mask}
+                  action: MASQUERADE
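Review bot: The two `INPUT` rules at `10` and `11` give a match but no `action`, and the chain sets no `policy`, whereas the `POSTROUTING` rule spells out both. What these rules do then depends on the formula's default action, which a reader of this pillar cannot see. Stating it explicitly, e.g. `action: ACCEPT` under each rule plus an `INPUT` `policy:` line, makes the intended filtering reviewable. The MASQUERADE rule also matches on source only, so traffic that stays inside the admin subnet but is routed through this host would be rewritten too. Adding `! -d ${_param:single_address}/${_param:opnfv_net_admin_mask}` to that `rule:` would limit NAT to traffic actually leaving the network.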