author | Bogdan Dobrelya <bdobreli@redhat.com> | 2017-06-23 17:14:44 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-06-23 17:14:44 +0200 |
commit | 6ab4acbc8e03e22600cad41413425bab5202a37e (patch) | |
tree | 34d3633c00d33731a264cc28a7082fd8875e0d6e /roles/openstack-stack | |
parent | 1b07329f99bf31d6a644f851b02bea4f25eabe17 (diff) | |
parent | 3f10c266aab0881ab294513d4ef93a1528d33c6b (diff) | |
Merge pull request #488 from bogdando/fix_flat_sg
Fix flat sec group and infra/dns sec rules
Diffstat (limited to 'roles/openstack-stack')
-rw-r--r-- | roles/openstack-stack/templates/heat_stack.yaml.j2 | 92 |
1 files changed, 33 insertions, 59 deletions
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2
index c750865a5..cba03e2ca 100644
--- a/roles/openstack-stack/templates/heat_stack.yaml.j2
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2
@@ -142,18 +142,17 @@ resources:
# cluster_id: {{ stack_name }} # public_key: {{ ssh_public_key }} -{% if openstack_flat_secgrp|bool %} - flat-secgrp: + common-secgrp: type: OS::Neutron::SecurityGroup properties: name: str_replace: - template: openshift-ansible-cluster_id-flat-secgrp + template: openshift-ansible-cluster_id-common-secgrp params: cluster_id: {{ stack_name }} description: str_replace: - template: Security group for cluster_id OpenShift cluster + template: Basic ssh/dns security group for cluster_id OpenShift cluster params: cluster_id: {{ stack_name }} rules:
@@ -164,20 +163,36 @@ resources:
remote_ip_prefix: {{ ssh_ingress_cidr }} - direction: ingress protocol: tcp - port_range_min: 4001 - port_range_max: 4001 - - direction: ingress - protocol: tcp - port_range_min: 8443 - port_range_max: 8444 - - direction: ingress - protocol: tcp port_range_min: 53 port_range_max: 53 - direction: ingress protocol: udp port_range_min: 53 port_range_max: 53 + +{% if openstack_flat_secgrp|bool %} + flat-secgrp: + type: OS::Neutron::SecurityGroup + properties: + name: + str_replace: + template: openshift-ansible-cluster_id-flat-secgrp + params: + cluster_id: {{ stack_name }} + description: + str_replace: + template: Security group for cluster_id OpenShift cluster + params: + cluster_id: {{ stack_name }} + rules: + - direction: ingress + protocol: tcp + port_range_min: 4001 + port_range_max: 4001 + - direction: ingress + protocol: tcp + port_range_min: 8443 + port_range_max: 8444 - direction: ingress protocol: tcp port_range_min: 8053
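Review bot: The tcp/udp 53 rules that now sit in `common-secgrp` carry no `remote_ip_prefix`, and since later hunks attach this group to every server except the dns node, every etcd, lb, master, node and infra host will accept DNS from any source, where before only the master group (or the flat group) exposed it. If the intent is in-cluster resolution only, scope them the way the node-port rule does, `remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"`, or keep 53 in dns-secgrp/master-secgrp and let common-secgrp carry SSH alone. I am reading Heat's OS::Neutron::SecurityGroup as "no remote prefix and no remote group means any source" — worth confirming against the Neutron release in use. The SSH rule's `remote_ip_prefix: {{ ssh_ingress_cidr }}` is also left unquoted while the subnet rule is quoted; quoting it keeps the two consistent and avoids a bare null if the variable ever renders empty.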
@@ -246,14 +261,6 @@ resources:
port_range_min: 30000 port_range_max: 32767 remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24" - - direction: ingress - protocol: tcp - port_range_min: 80 - port_range_max: 80 - - direction: ingress - protocol: tcp - port_range_min: 443 - port_range_max: 443 {% else %} master-secgrp: type: OS::Neutron::SecurityGroup
@@ -271,11 +278,6 @@ resources:
rules: - direction: ingress protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_ip_prefix: {{ ssh_ingress_cidr }} - - direction: ingress - protocol: tcp port_range_min: 4001 port_range_max: 4001 - direction: ingress
@@ -284,14 +286,6 @@ resources:
port_range_max: 8444 - direction: ingress protocol: tcp - port_range_min: 53 - port_range_max: 53 - - direction: ingress - protocol: udp - port_range_min: 53 - port_range_max: 53 - - direction: ingress - protocol: tcp port_range_min: 8053 port_range_max: 8053 - direction: ingress
@@ -335,11 +329,6 @@ resources:
rules: - direction: ingress protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_ip_prefix: {{ ssh_ingress_cidr }} - - direction: ingress - protocol: tcp port_range_min: 2379 port_range_max: 2379 remote_mode: remote_group_id
@@ -366,11 +355,6 @@ resources:
rules: - direction: ingress protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_ip_prefix: {{ ssh_ingress_cidr }} - - direction: ingress - protocol: tcp port_range_min: 10250 port_range_max: 10250 remote_mode: remote_group_id
@@ -399,6 +383,7 @@ resources:
port_range_min: 30000 port_range_max: 32767 remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24" +{% endif %} infra-secgrp: type: OS::Neutron::SecurityGroup
@@ -422,7 +407,6 @@ resources:
protocol: tcp port_range_min: 443 port_range_max: 443 -{% endif %} dns-secgrp: type: OS::Neutron::SecurityGroup
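Review bot: With `{% endif %}` moved up to just after the node group, `infra-secgrp` and `dns-secgrp` are now created in both the flat and the per-role layouts, but nothing in the template states that, and a reader now has to pair an `{% if openstack_flat_secgrp|bool %}` from a much earlier hunk with this `{% endif %}` to work it out. A one-line Jinja comment above `infra-secgrp:`, `{# infra-secgrp and dns-secgrp are created in both flat and per-role modes; the groups above are per-role only #}`, would save that re-derivation. The rule lists of infra-secgrp beyond 80/443 and of dns-secgrp lie outside these hunks, so I cannot tell from here whether they restate anything the role groups used to provide.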
@@ -472,11 +456,6 @@ resources:
rules: - direction: ingress protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_ip_prefix: {{ ssh_ingress_cidr }} - - direction: ingress - protocol: tcp port_range_min: {{ openshift_master_api_port | default(8443) }} port_range_max: {{ openshift_master_api_port | default(8443) }} remote_ip_prefix: {{ lb_ingress_cidr }}
@@ -518,6 +497,7 @@ resources:
subnet: { get_resource: subnet } secgrp: - { get_resource: {% if openstack_flat_secgrp|bool %}flat-secgrp{% else %}etcd-secgrp{% endif %} } + - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace:
@@ -558,6 +538,7 @@ resources:
subnet: { get_resource: subnet } secgrp: - { get_resource: lb-secgrp } + - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace:
@@ -606,6 +587,7 @@ resources:
- { get_resource: etcd-secgrp } {% endif %} {% endif %} + - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace:
@@ -649,6 +631,7 @@ resources:
subnet: { get_resource: subnet } secgrp: - { get_resource: {% if openstack_flat_secgrp|bool %}flat-secgrp{% else %}node-secgrp{% endif %} } + - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace:
@@ -691,12 +674,8 @@ resources:
net: { get_resource: net } subnet: { get_resource: subnet } secgrp: -{% if openstack_flat_secgrp|bool %} - - { get_resource: flat-secgrp } -{% else %} - - { get_resource: node-secgrp } - { get_resource: infra-secgrp } -{% endif %} + - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace:
@@ -735,11 +714,6 @@ resources:
net: { get_resource: net } subnet: { get_resource: subnet } secgrp: -{% if openstack_flat_secgrp|bool %} - - { get_resource: flat-secgrp } -{% else %} - - { get_resource: node-secgrp } -{% endif %} - { get_resource: dns-secgrp } floating_network: {{ external_network }} net_name: |
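Review bot: The infra-node `secgrp` list in the `@@ -691,12 +674,8 @@` hunk drops `node-secgrp` (or `flat-secgrp` in flat mode) and keeps only `infra-secgrp` plus `common-secgrp`, so unless infra-secgrp restates them — only its 80/443 rules are visible in this diff — the kubelet rule on 10250 from the master group and the 30000-32767 node-port range from the subnet no longer reach infra nodes, which still schedule pods. If that is not the intent, keep the node group next to the infra group as below rather than replacing it. The rule body of infra-secgrp sits outside the hunk, so treat this as a question to confirm against the rendered stack rather than a certainty.
```yaml
      secgrp:
{% if openstack_flat_secgrp|bool %}
        - { get_resource: flat-secgrp }
{% else %}
        - { get_resource: node-secgrp }
{% endif %}
        - { get_resource: infra-secgrp }
        - { get_resource: common-secgrp }
# … unchanged: floating_network, net_name …
```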
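Review bot: The dns node in the `@@ -735,11 +714,6 @@` hunk is the only server in this change whose `secgrp` list does not gain `- { get_resource: common-secgrp }`, while the same hunk removes the node/flat group it had before; with the SSH 22 rule now living only in common-secgrp, that host loses SSH ingress unless dns-secgrp carries a rule of its own, which this diff does not show. Adding `- { get_resource: common-secgrp }` after the dns-secgrp entry would keep it in line with the other servers. If the omission is deliberate, a short Jinja comment on that line saying why would stop a later reader from "fixing" it.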