author: OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>, 2017-09-15 17:10:47 -0700
committer: GitHub <noreply@github.com>, 2017-09-15 17:10:47 -0700
commit: 37d6601922aae3420f52e36b55876beece585ab6
tree: b6cbb6b965addcd62ca91e733ea1d32092a3b252
parent: 2747d1f1458e33979658f0075bbebab5c3cb6b34
parent: 3f102592e305b81f6b0eb778a7170fc1cad8a6b1
Merge pull request #5345 from smarterclayton/firewall
Automatic merge from submit-queue

Add `openshift_node_open_ports` to allow arbitrary firewall exposure

It should be possible for an admin to define an arbitrary set of ports to be exposed on each node that will relate to the cluster function. This adds a new global variable for the node that supports Array(Object{'service':<name>,'port':<port_spec>,'cond':<boolean>}) which is the same format accepted by the firewall role.

@sdodson as discussed, open to alternatives. I used this from origin-gce with

```
openshift_node_open_ports:
- service: Router stats
  port: 1936/tcp
- service: Open node ports
  port: 9000-10000/tcp
- service: Open node ports
  port: 9000-10000/udp
```

Which then allows me to set firewall rules appropriately.

Alternatives considered:

* Simpler external format (have to parse inputs)
* Additional parameter to role - felt ugly
-rw-r--r-- roles/openshift_node/defaults/main.yml 4
1 files changed, 3 insertions, 1 deletions
diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml
index 5424a64d2..433e92201 100644
--- a/roles/openshift_node/defaults/main.yml
+++ b/roles/openshift_node/defaults/main.yml
@@ -60,7 +60,7 @@ openshift_deployment_type: origin
openshift_node_bootstrap: False
r_openshift_node_os_firewall_deny: []
-r_openshift_node_os_firewall_allow:
+default_r_openshift_node_os_firewall_allow:
- service: Kubernetes kubelet
port: 10250/tcp
- service: http
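Review bot: The renamed key `default_r_openshift_node_os_firewall_allow` drops the `r_openshift_node_` prefix that the neighbouring `r_openshift_node_os_firewall_deny` keeps, and nothing at the rename says this list is now only the built-in base set. Consider a prefix-preserving name (for example `r_openshift_node_default_os_firewall_allow`, a suggestion only) and a one-line comment above it saying that extra ports belong in `openshift_node_open_ports`. Without that, an inventory that still sets `r_openshift_node_os_firewall_allow` directly will replace the whole computed list rather than the defaults alone.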
@@ -79,6 +79,8 @@ r_openshift_node_os_firewall_allow:
- service: Kubernetes service NodePort UDP
port: "{{ openshift_node_port_range | default('') }}/udp"
cond: "{{ openshift_node_port_range is defined }}"
+# Allow multiple port ranges to be added to the role
+r_openshift_node_os_firewall_allow: "{{ default_r_openshift_node_os_firewall_allow | union(openshift_node_open_ports | default([])) }}"
oreg_url: ''
oreg_host: "{{ oreg_url.split('/')[0] if '.' in oreg_url.split('/')[0] else '' }}"
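Review bot: On the added `r_openshift_node_os_firewall_allow` line, `openshift_node_open_ports` is passed to `union()` with no check on its shape, so a value that is not a list of mappings with `service` and `port` keys reaches the firewall rules unvalidated. An assert early in the role that the variable, when defined, is a list whose items each carry `service` and `port` would fail fast instead. The comment above the line should also name `openshift_node_open_ports` and the entry format (`service`, `port`, optional `cond`), since "multiple port ranges" does not say which variable to set, and it is worth stating there that every entry is opened on each node and is not reconciled against `r_openshift_node_os_firewall_deny`.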