summaryrefslogtreecommitdiffstats
path: root/roles/openstack-stack
diff options
context:
space:
mode:
authorBogdan Dobrelya <bdobreli@redhat.com>2017-06-23 17:14:44 +0200
committerGitHub <noreply@github.com>2017-06-23 17:14:44 +0200
commit6ab4acbc8e03e22600cad41413425bab5202a37e (patch)
tree34d3633c00d33731a264cc28a7082fd8875e0d6e /roles/openstack-stack
parent1b07329f99bf31d6a644f851b02bea4f25eabe17 (diff)
parent3f10c266aab0881ab294513d4ef93a1528d33c6b (diff)
downloadopenshift-6ab4acbc8e03e22600cad41413425bab5202a37e.tar.gz
openshift-6ab4acbc8e03e22600cad41413425bab5202a37e.tar.bz2
openshift-6ab4acbc8e03e22600cad41413425bab5202a37e.tar.xz
openshift-6ab4acbc8e03e22600cad41413425bab5202a37e.zip
Merge pull request #488 from bogdando/fix_flat_sg
Fix flat sec group and infra/dns sec rules
Diffstat (limited to 'roles/openstack-stack')
-rw-r--r--roles/openstack-stack/templates/heat_stack.yaml.j292
1 files changed, 33 insertions, 59 deletions
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2
index c750865a5..cba03e2ca 100644
--- a/roles/openstack-stack/templates/heat_stack.yaml.j2
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2
@@ -142,18 +142,17 @@ resources:
# cluster_id: {{ stack_name }}
# public_key: {{ ssh_public_key }}
-{% if openstack_flat_secgrp|bool %}
- flat-secgrp:
+ common-secgrp:
type: OS::Neutron::SecurityGroup
properties:
name:
str_replace:
- template: openshift-ansible-cluster_id-flat-secgrp
+ template: openshift-ansible-cluster_id-common-secgrp
params:
cluster_id: {{ stack_name }}
description:
str_replace:
- template: Security group for cluster_id OpenShift cluster
+ template: Basic ssh/dns security group for cluster_id OpenShift cluster
params:
cluster_id: {{ stack_name }}
rules:
@@ -164,20 +163,36 @@ resources:
remote_ip_prefix: {{ ssh_ingress_cidr }}
- direction: ingress
protocol: tcp
- port_range_min: 4001
- port_range_max: 4001
- - direction: ingress
- protocol: tcp
- port_range_min: 8443
- port_range_max: 8444
- - direction: ingress
- protocol: tcp
port_range_min: 53
port_range_max: 53
- direction: ingress
protocol: udp
port_range_min: 53
port_range_max: 53
+
+{% if openstack_flat_secgrp|bool %}
+ flat-secgrp:
+ type: OS::Neutron::SecurityGroup
+ properties:
+ name:
+ str_replace:
+ template: openshift-ansible-cluster_id-flat-secgrp
+ params:
+ cluster_id: {{ stack_name }}
+ description:
+ str_replace:
+ template: Security group for cluster_id OpenShift cluster
+ params:
+ cluster_id: {{ stack_name }}
+ rules:
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 4001
+ port_range_max: 4001
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 8443
+ port_range_max: 8444
- direction: ingress
protocol: tcp
port_range_min: 8053
@@ -246,14 +261,6 @@ resources:
port_range_min: 30000
port_range_max: 32767
remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
- - direction: ingress
- protocol: tcp
- port_range_min: 80
- port_range_max: 80
- - direction: ingress
- protocol: tcp
- port_range_min: 443
- port_range_max: 443
{% else %}
master-secgrp:
type: OS::Neutron::SecurityGroup
@@ -271,11 +278,6 @@ resources:
rules:
- direction: ingress
protocol: tcp
- port_range_min: 22
- port_range_max: 22
- remote_ip_prefix: {{ ssh_ingress_cidr }}
- - direction: ingress
- protocol: tcp
port_range_min: 4001
port_range_max: 4001
- direction: ingress
@@ -284,14 +286,6 @@ resources:
port_range_max: 8444
- direction: ingress
protocol: tcp
- port_range_min: 53
- port_range_max: 53
- - direction: ingress
- protocol: udp
- port_range_min: 53
- port_range_max: 53
- - direction: ingress
- protocol: tcp
port_range_min: 8053
port_range_max: 8053
- direction: ingress
@@ -335,11 +329,6 @@ resources:
rules:
- direction: ingress
protocol: tcp
- port_range_min: 22
- port_range_max: 22
- remote_ip_prefix: {{ ssh_ingress_cidr }}
- - direction: ingress
- protocol: tcp
port_range_min: 2379
port_range_max: 2379
remote_mode: remote_group_id
@@ -366,11 +355,6 @@ resources:
rules:
- direction: ingress
protocol: tcp
- port_range_min: 22
- port_range_max: 22
- remote_ip_prefix: {{ ssh_ingress_cidr }}
- - direction: ingress
- protocol: tcp
port_range_min: 10250
port_range_max: 10250
remote_mode: remote_group_id
@@ -399,6 +383,7 @@ resources:
port_range_min: 30000
port_range_max: 32767
remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
+{% endif %}
infra-secgrp:
type: OS::Neutron::SecurityGroup
@@ -422,7 +407,6 @@ resources:
protocol: tcp
port_range_min: 443
port_range_max: 443
-{% endif %}
dns-secgrp:
type: OS::Neutron::SecurityGroup
@@ -472,11 +456,6 @@ resources:
rules:
- direction: ingress
protocol: tcp
- port_range_min: 22
- port_range_max: 22
- remote_ip_prefix: {{ ssh_ingress_cidr }}
- - direction: ingress
- protocol: tcp
port_range_min: {{ openshift_master_api_port | default(8443) }}
port_range_max: {{ openshift_master_api_port | default(8443) }}
remote_ip_prefix: {{ lb_ingress_cidr }}
@@ -518,6 +497,7 @@ resources:
subnet: { get_resource: subnet }
secgrp:
- { get_resource: {% if openstack_flat_secgrp|bool %}flat-secgrp{% else %}etcd-secgrp{% endif %} }
+ - { get_resource: common-secgrp }
floating_network: {{ external_network }}
net_name:
str_replace:
@@ -558,6 +538,7 @@ resources:
subnet: { get_resource: subnet }
secgrp:
- { get_resource: lb-secgrp }
+ - { get_resource: common-secgrp }
floating_network: {{ external_network }}
net_name:
str_replace:
@@ -606,6 +587,7 @@ resources:
- { get_resource: etcd-secgrp }
{% endif %}
{% endif %}
+ - { get_resource: common-secgrp }
floating_network: {{ external_network }}
net_name:
str_replace:
@@ -649,6 +631,7 @@ resources:
subnet: { get_resource: subnet }
secgrp:
- { get_resource: {% if openstack_flat_secgrp|bool %}flat-secgrp{% else %}node-secgrp{% endif %} }
+ - { get_resource: common-secgrp }
floating_network: {{ external_network }}
net_name:
str_replace:
@@ -691,12 +674,8 @@ resources:
net: { get_resource: net }
subnet: { get_resource: subnet }
secgrp:
-{% if openstack_flat_secgrp|bool %}
- - { get_resource: flat-secgrp }
-{% else %}
- - { get_resource: node-secgrp }
- { get_resource: infra-secgrp }
-{% endif %}
+ - { get_resource: common-secgrp }
floating_network: {{ external_network }}
net_name:
str_replace:
@@ -735,11 +714,6 @@ resources:
net: { get_resource: net }
subnet: { get_resource: subnet }
secgrp:
-{% if openstack_flat_secgrp|bool %}
- - { get_resource: flat-secgrp }
-{% else %}
- - { get_resource: node-secgrp }
-{% endif %}
- { get_resource: dns-secgrp }
floating_network: {{ external_network }}
net_name: