Composable firewall rules
authorDan Prince <dprince@redhat.com>
Wed, 20 Jul 2016 14:48:23 +0000 (10:48 -0400)
committerGiulio Fidente <gfidente@redhat.com>
Mon, 25 Jul 2016 13:24:16 +0000 (15:24 +0200)
Split out the firewall rules in puppet/hieradata/controller.yaml
into the composable services

Depends-On: Id370362ab57347b75b1ab25afda877885b047263
Change-Id: Icaecab100d3f278035fbbb3facb9bf6c62c76c03

28 files changed:
puppet/hieradata/controller.yaml
puppet/services/ceilometer-api.yaml
puppet/services/ceph-mon.yaml
puppet/services/cinder-api.yaml
puppet/services/cinder-volume.yaml
puppet/services/database/mongodb.yaml
puppet/services/database/mysql.yaml
puppet/services/database/redis.yaml
puppet/services/glance-api.yaml
puppet/services/glance-registry.yaml
puppet/services/gnocchi-api.yaml
puppet/services/haproxy.yaml
puppet/services/heat-api-cfn.yaml
puppet/services/heat-api-cloudwatch.yaml
puppet/services/heat-api.yaml
puppet/services/horizon.yaml
puppet/services/keystone.yaml
puppet/services/memcached.yaml
puppet/services/neutron-dhcp.yaml
puppet/services/neutron-server.yaml
puppet/services/nova-api.yaml
puppet/services/pacemaker.yaml
puppet/services/rabbitmq.yaml
puppet/services/sahara-api.yaml
puppet/services/snmp.yaml
puppet/services/swift-proxy.yaml
puppet/services/swift-storage.yaml
puppet/services/time/ntp.yaml

index 072c7c0..3ec656d 100644 (file)
@@ -184,129 +184,7 @@ tripleo::haproxy::horizon: true
 controller_classes: []
 # firewall
 tripleo::firewall::firewall_rules:
-  '101 mongodb_config':
-    dport: 27019
-  '102 mongodb_sharding':
-    dport: 27018
-  '103 mongod':
-    dport: 27017
-  '104 mysql galera':
-    dport:
-      - 873
-      - 3306
-      - 4444
-      - 4567
-      - 4568
-      - 9200
-  '105 ntp':
-    dport: 123
-    proto: udp
-  '106 vrrp':
-    proto: vrrp
-  '107 haproxy stats':
-    dport: 1993
-  '108 redis':
-    dport:
-      - 6379
-      - 26379
-  '109 rabbitmq':
-    dport:
-      - 4369
-      - 5672
-      - 35672
-  '110 ceph':
-    dport:
-      - 6789
-      - '6800-6810'
-  '111 keystone':
-    dport:
-      - 5000
-      - 13000
-      - 35357
-      - 13357
-  '112 glance':
-    dport:
-      - 9292
-      - 9191
-      - 13292
-  '113 nova':
-    dport:
-      - 6080
-      - 13080
-      - 8773
-      - 3773
-      - 8774
-      - 13774
-      - 8775
-  '114 neutron server':
-    dport:
-      - 9696
-      - 13696
-  '115 neutron dhcp input':
-    proto: 'udp'
-    dport: 67
-  '116 neutron dhcp output':
-    proto: 'udp'
-    chain: 'OUTPUT'
-    dport: 68
-  '118 neutron vxlan networks':
-    proto: 'udp'
-    dport: 4789
-  '119 cinder':
-    dport:
-      - 8776
-      - 13776
-  '120 iscsi initiator':
-    dport: 3260
-  '121 memcached':
-    dport: 11211
-  '122 swift proxy':
-    dport:
-      - 8080
-      - 13808
-  '123 swift storage':
-    dport:
-      - 873
-      - 6000
-      - 6001
-      - 6002
-  '124 ceilometer':
-    dport:
-      - 8777
-      - 13777
-  '125 heat':
-    dport:
-      - 8000
-      - 13800
-      - 8003
-      - 13003
-      - 8004
-      - 13004
-  '126 horizon':
-    dport:
-      - 80
-      - 443
-  '127 snmp':
-    dport: 161
-    proto: 'udp'
   '128 aodh':
     dport:
       - 8042
       - 13042
-  '129 gnocchi-api':
-    dport:
-      - 8041
-      - 13041
-  '130 pacemaker tcp':
-    proto: 'tcp'
-    dport:
-      - 2224
-      - 3121
-      - 21064
-  '131 pacemaker udp':
-    proto: 'udp'
-    dport: 5405
-  '132 sahara':
-    dport:
-      - 8386
-      - 13386
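Review bot: The '128 aodh' entry in the middle of the hunk is the only rule left in controller.yaml, so it is now the one firewall rule applied to a controller regardless of which services the role actually deploys, unlike every rule this change moves. If it stays because there is no composable aodh service yet, a comment above it would save the next reader a search: `# aodh rules stay here until an aodh composable service exists`. The tripleo::firewall::firewall_rules hash that opens the hunk is otherwise emptied, so once aodh moves the hieradata key itself can be dropped.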
index 5dce7c3..d0f3767 100644 (file)
@@ -23,6 +23,12 @@ outputs:
     value:
       service_name: ceilometer-api
       config_settings:
-        get_attr: [CeilometerServiceBase, role_data, config_settings]
+        map_merge:
+          - get_attr: [CeilometerServiceBase, role_data, config_settings]
+          - tripleo.ceilometer_api.firewall_rules:
+              '124 ceilometer':
+                dport:
+                  - 8777
+                  - 13777
       step_config: |
         include ::tripleo::profile::base::ceilometer::api
index 68a5945..257264a 100644 (file)
@@ -53,5 +53,10 @@ outputs:
               - {get_param: NovaRbdPoolName}
               - {get_param: GlanceRbdPoolName}
               - {get_param: GnocchiRbdPoolName}
+            tripleo.ceph_mon.firewall_rules:
+              '110 ceph':
+                dport:
+                  - 6789
+                  - '6800-6810'
       step_config: |
         include ::tripleo::profile::base::ceph::mon
index 0b4817a..0cefb38 100644 (file)
@@ -39,5 +39,10 @@ outputs:
             cinder::api::keystone_password: {get_param: CinderPassword}
             cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
             tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
+            tripleo.cinder_api.firewall_rules:
+              '119 cinder':
+                dport:
+                  - 8776
+                  - 13776
       step_config: |
         include ::tripleo::profile::base::cinder::api
index 69a38b0..8f63ff6 100644 (file)
@@ -76,5 +76,8 @@ outputs:
             tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper}
             tripleo::profile::base::cinder::volume::rbd::cinder_rbd_pool_name: {get_param: CinderRbdPoolName}
             tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name: {get_param: CephClientUserName}
+            tripleo.cinder_volume.firewall_rules:
+              '120 iscsi initiator':
+                dport: 3260
       step_config: |
         include ::tripleo::profile::base::cinder::volume
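Review bot: The rule name '120 iscsi initiator' is misleading for an inbound dport 3260 accept: an INPUT rule protects a listener, so this opens the iSCSI target port the volume node exposes (presumably via the helper selected by CinderISCSIHelper two lines above), not anything an initiator needs. The name carries over unchanged from controller.yaml, so renaming is out of scope for a move-only change, but a comment would stop the next reader from assuming it is client-side: `# 3260/tcp: iSCSI target exposed by the volume node, not the initiator side`. Whether the rule should be conditional on a local iSCSI backend being configured is not decidable from this hunk.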
index c2d36fc..6885cfd 100644 (file)
@@ -25,5 +25,12 @@ outputs:
           - get_attr: [MongoDbBase, role_data, config_settings]
           - tripleo::profile::base::database::mongodb::mongodb_replset: {get_attr: [MongoDbBase, aux_parameters, rplset_name]}
             mongodb::server::service_manage: True
+            tripleo.mongodb.firewall_rules:
+              '101 mongodb_config':
+                dport: 27019
+              '102 mongodb_sharding':
+                dport: 27018
+              '103 mongod':
+                dport: 27017
       step_config: |
-        include ::tripleo::profile::base::database::mongodb
\ No newline at end of file
+        include ::tripleo::profile::base::database::mongodb
index 992dc11..0a19b2a 100644 (file)
@@ -17,5 +17,14 @@ outputs:
     value:
       service_name: mysql
       config_settings:
+        tripleo.mysql.firewall_rules:
+          '104 mysql galera':
+            dport:
+              - 873
+              - 3306
+              - 4444
+              - 4567
+              - 4568
+              - 9200
       step_config: |
         include ::tripleo::profile::base::database::mysql
index 080f72b..ef005f7 100644 (file)
@@ -22,5 +22,10 @@ outputs:
       config_settings:
         map_merge:
           - get_attr: [RedisBase, role_data, config_settings]
+          - tripleo.redis.firewall_rules:
+              '108 redis':
+                dport:
+                  - 6379
+                  - 26379
       step_config: |
         include ::tripleo::profile::base::database::redis
index 120c57f..ee4c17c 100644 (file)
@@ -104,5 +104,10 @@ outputs:
         glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
         glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
         glance::keystone::auth::password: {get_param: GlancePassword }
+        tripleo.glance_api.firewall_rules:
+          '112 glance_api':
+            dport:
+              - 9292
+              - 13292
       step_config: |
         include ::tripleo::profile::base::glance::api
index 6d2144e..f9d9dd6 100644 (file)
@@ -49,5 +49,9 @@ outputs:
           - '%'
           - "%{hiera('mysql_bind_host')}"
 
+        tripleo.glance_registry.firewall_rules:
+          '112 glance_registry':
+            dport:
+              - 9191
       step_config: |
         include ::tripleo::profile::base::glance::registry
index f687763..bf23cda 100644 (file)
@@ -24,5 +24,10 @@ outputs:
       config_settings:
         map_merge:
           - get_attr: [GnocchiServiceBase, role_data, config_settings]
+          - tripleo.gnocchi_api.firewall_rules:
+              '129 gnocchi-api':
+                dport:
+                  - 8041
+                  - 13041
       step_config: |
         include ::tripleo::profile::base::gnocchi::api
index 73b4000..1a629c1 100644 (file)
@@ -15,5 +15,9 @@ outputs:
     description: Role data for the HAproxy role.
     value:
       service_name: haproxy
+      config_settings:
+        tripleo.haproxy.firewall_rules:
+          '107 haproxy stats':
+            dport: 1993
       step_config: |
         include ::tripleo::profile::base::haproxy
index 8d23733..67c89bb 100644 (file)
@@ -40,5 +40,10 @@ outputs:
             heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
             heat::keystone::auth_cfn::password: {get_param: HeatPassword}
             heat::keystone::auth::region: {get_param: KeystoneRegion}
+            tripleo.heat_api_cfn.firewall_rules:
+              '125 heat_cfn':
+                dport:
+                  - 8000
+                  - 13800
       step_config: |
         include ::tripleo::profile::base::heat::api_cfn
index c996cf1..32a0a58 100644 (file)
@@ -27,5 +27,10 @@ outputs:
         map_merge:
           - get_attr: [HeatBase, role_data, config_settings]
           - heat::api_cloudwatch::workers: {get_param: HeatWorkers}
+            tripleo.heat_api_cloudwatch.firewall_rules:
+              '125 heat_cloudwatch':
+                dport:
+                  - 8003
+                  - 13003
       step_config: |
         include ::tripleo::profile::base::heat::api_cloudwatch
index 41c7d9a..0bb208d 100644 (file)
@@ -40,5 +40,10 @@ outputs:
             heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
             heat::keystone::auth::password: {get_param: HeatPassword}
             heat::keystone::auth::region: {get_param: KeystoneRegion}
+            tripleo.heat_api.firewall_rules:
+              '125 heat_api':
+                dport:
+                  - 8004
+                  - 13004
       step_config: |
         include ::tripleo::profile::base::heat::api
index 022e3fb..dc7ba8c 100644 (file)
@@ -31,5 +31,10 @@ outputs:
             template: MECHANISMS
             params:
               MECHANISMS: {get_param: NeutronMechanismDrivers}
+        tripleo.horizon.firewall_rules:
+          '126 horizon':
+            dport:
+              - 80
+              - 443
       step_config: |
         include ::tripleo::profile::base::horizon
index 83bab34..de920de 100644 (file)
@@ -136,5 +136,12 @@ outputs:
         keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
         # override via extraconfig:
         keystone::wsgi::apache::threads: 1
+        tripleo.keystone.firewall_rules:
+          '111 keystone':
+            dport:
+              - 5000
+              - 13000
+              - 35357
+              - 13357
       step_config: |
         include ::tripleo::profile::base::keystone
index 55f8c08..ceb29b5 100644 (file)
@@ -16,5 +16,8 @@ outputs:
     value:
       service_name: memcached
       config_settings:
+        tripleo.memcached.firewall_rules:
+          '121 memcached':
+            dport: 11211
       step_config: |
         include ::tripleo::profile::base::memcached
index 5b903ea..1c57aa4 100644 (file)
@@ -28,5 +28,13 @@ outputs:
         map_merge:
           - get_attr: [NeutronBase, role_data, config_settings]
           - neutron::agents::dhcp::enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata}
+            tripleo.neutron_dhcp.firewall_rules:
+              '115 neutron dhcp input':
+                proto: 'udp'
+                dport: 67
+              '116 neutron dhcp output':
+                proto: 'udp'
+                chain: 'OUTPUT'
+                dport: 68
       step_config: |
         include tripleo::profile::base::neutron::dhcp
index 61af11f..253a6bf 100644 (file)
@@ -72,5 +72,15 @@ outputs:
             neutron::db::mysql::allowed_hosts:
               - '%'
               - "%{hiera('mysql_bind_host')}"
+            tripleo.neutron_server.firewall_rules:
+              '114 neutron server':
+                dport:
+                  - 9696
+                  - 13696
+              '118 neutron vxlan networks':
+                proto: 'udp'
+                dport: 4789
+              '106 vrrp':
+                proto: vrrp
       step_config: |
         include tripleo::profile::base::neutron::server
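Review bot: The '118 neutron vxlan networks' (4789/udp) and '106 vrrp' rules are attached to neutron_server, but neither is traffic the API server receives: VXLAN tunnel endpoints and VRRP keepalives terminate on the nodes running the agents, and in the original numbering vrrp sat between ntp and the haproxy stats rule, which suggests it was meant for keepalived rather than neutron. On a role that runs the agents (or keepalived) without neutron-server these rules will be absent and the traffic dropped once the firewall is enabled, while a role running only the API opens them for no listener. Consider moving 4789/udp to the agent service template and vrrp to haproxy or an L3/keepalived service; the firewall_rules key form stays the same, only the owning service changes. Which agent templates exist at this commit is not visible here.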
index f6c4105..0dd8fd5 100644 (file)
@@ -32,5 +32,15 @@ outputs:
             nova::api::metadata_workers: {get_param: NovaWorkers}
             nova::cron::archive_deleted_rows::hour: '"*/12"'
             nova::cron::archive_deleted_rows::destination: '"/dev/null"'
+            tripleo.nova_api.firewall_rules:
+              '113 nova_api':
+                dport:
+                  - 6080
+                  - 13080
+                  - 8773
+                  - 3773
+                  - 8774
+                  - 13774
+                  - 8775
       step_config: |
         include tripleo::profile::base::nova::api
index 3b78bef..9520cb9 100644 (file)
@@ -16,5 +16,15 @@ outputs:
     value:
       service_name: pacemaker
       config_settings:
+        tripleo.pacemaker.firewall_rules:
+          '130 pacemaker tcp':
+            proto: 'tcp'
+            dport:
+              - 2224
+              - 3121
+              - 21064
+          '131 pacemaker udp':
+            proto: 'udp'
+            dport: 5405
       step_config: |
         include ::tripleo::profile::base::pacemaker
index 7b4b10e..3c5909c 100644 (file)
@@ -36,5 +36,11 @@ outputs:
         rabbitmq::default_user: {get_param: RabbitUserName}
         rabbitmq::default_pass: {get_param: RabbitPassword}
         rabbit_ipv6: {get_param: RabbitIPv6}
+        tripleo.rabbitmq.firewall_rules:
+          '109 rabbitmq':
+            dport:
+              - 4369
+              - 5672
+              - 35672
       step_config: |
         include ::tripleo::profile::base::rabbitmq
index a0a98b1..c911201 100644 (file)
@@ -49,5 +49,10 @@ outputs:
             sahara::keystone::auth::admin_url: {get_param: [EndpointMap, SaharaAdmin, uri]}
             sahara::keystone::auth::password: {get_param: SaharaPassword }
             sahara::keystone::auth::region: {get_param: KeystoneRegion}
+            tripleo.sahara_api.firewall_rules:
+              '132 sahara':
+                dport:
+                  - 8386
+                  - 13386
       step_config: |
         include ::tripleo::profile::base::sahara::api
index 36e510b..458f444 100644 (file)
@@ -28,5 +28,9 @@ outputs:
       config_settings:
         snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName}
         snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
+        tripleo.snmp.firewall_rules:
+          '127 snmp':
+            dport: 161
+            proto: 'udp'
       step_config: |
         include ::tripleo::profile::base::snmp
index 3ae1b01..12165cc 100644 (file)
@@ -51,5 +51,10 @@ outputs:
         swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]}
         swift::keystone::auth::password: {get_param: SwiftPassword}
         swift::keystone::auth::region: {get_param: KeystoneRegion}
+        tripleo.swift_proxy.firewall_rules:
+          '122 swift proxy':
+            dport:
+              - 8080
+              - 13808
       step_config: |
         include ::tripleo::profile::base::swift::proxy
index 02746a9..d63dc87 100644 (file)
@@ -41,5 +41,12 @@ outputs:
         # Swift
         swift::storage::all::mount_check: {get_param: SwiftMountCheck}
         tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage}
+        tripleo.swift_storage.firewall_rules:
+          '123 swift storage':
+            dport:
+              - 873
+              - 6000
+              - 6001
+              - 6002
       step_config: |
         include ::tripleo::profile::base::swift::storage
index a0e51fe..59d25dd 100644 (file)
@@ -24,5 +24,9 @@ outputs:
       service_name: ntp
       config_settings:
         ntp::ntpservers: {get_param: NtpServer}
+        tripleo.ntp.firewall_rules:
+          '105 ntp':
+            dport: 123
+            proto: udp
       step_config: |
         include ::ntp
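Review bot: The '105 ntp' rule now follows the ntp service to every role that includes it, whereas before it applied only through controller.yaml; on a node that merely syncs against NtpServer (the only ntp setting in this hunk) an inbound 123/udp accept is not needed, since replies to the client's own queries are matched as established traffic. If only controllers serve time to other nodes, the rule should be gated on that or kept in a role-specific template; which roles include ntp.yaml is not visible here. Minor: `proto: udp` is unquoted while the other new rules write `proto: 'udp'` — both are valid YAML, but the quoted form matches the rest of the change.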