summaryrefslogtreecommitdiffstats
path: root/roles/openstack-stack
diff options
context:
space:
mode:
authorBogdan Dobrelya <bdobreli@redhat.com>2017-08-16 09:14:06 +0200
committerTomas Sedovic <tomas@sedovic.cz>2017-08-16 09:14:06 +0200
commit6ebad037254b0c254638f6e6dfbd48e451a1ceeb (patch)
treee9aeb0cc4e48a1e908c6c1156a50f0c4734fc650 /roles/openstack-stack
parentfca4c6047bb35582b5254d4a087f7119364a8725 (diff)
downloadopenshift-6ebad037254b0c254638f6e6dfbd48e451a1ceeb.tar.gz
openshift-6ebad037254b0c254638f6e6dfbd48e451a1ceeb.tar.bz2
openshift-6ebad037254b0c254638f6e6dfbd48e451a1ceeb.tar.xz
openshift-6ebad037254b0c254638f6e6dfbd48e451a1ceeb.zip
Access UI via a bastion node (#596)
When using a bastion and a single master, use the lb-secgrp to access UI port allowed from the ingress bastion node cidr. For HA (masters>1), UI still should be accessed via the LB node's ingress cidr, omitting the bastion. Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Diffstat (limited to 'roles/openstack-stack')
-rw-r--r--roles/openstack-stack/defaults/main.yml1
-rw-r--r--roles/openstack-stack/templates/heat_stack.yaml.j220
2 files changed, 16 insertions, 5 deletions
diff --git a/roles/openstack-stack/defaults/main.yml b/roles/openstack-stack/defaults/main.yml
index 803a96389..c8529612e 100644
--- a/roles/openstack-stack/defaults/main.yml
+++ b/roles/openstack-stack/defaults/main.yml
@@ -13,3 +13,4 @@ num_infra: 1
nodes_to_remove: []
etcd_volume_size: 2
use_bastion: False
+ui_ssh_tunnel: False
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2
index c41bf15be..a670ff0e3 100644
--- a/roles/openstack-stack/templates/heat_stack.yaml.j2
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2
@@ -439,7 +439,7 @@ resources:
port_range_min: 53
port_range_max: 53
remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
-{% if num_masters > 1 %}
+{% if num_masters > 1 or ui_ssh_tunnel|bool %}
lb-secgrp:
type: OS::Neutron::SecurityGroup
properties:
@@ -450,14 +450,21 @@ resources:
protocol: tcp
port_range_min: {{ openshift_master_api_port | default(8443) }}
port_range_max: {{ openshift_master_api_port | default(8443) }}
- remote_ip_prefix: {{ lb_ingress_cidr }}
- {% if openshift_master_console_port is defined and openshift_master_console_port != openshift_master_api_port %}
+ remote_ip_prefix: {{ lb_ingress_cidr | default(bastion_ingress_cidr) }}
+{% if ui_ssh_tunnel|bool %}
+ - direction: ingress
+ protocol: tcp
+ port_range_min: {{ openshift_master_api_port | default(8443) }}
+ port_range_max: {{ openshift_master_api_port | default(8443) }}
+ remote_ip_prefix: {{ ssh_ingress_cidr }}
+{% endif %}
+{% if openshift_master_console_port is defined and openshift_master_console_port != openshift_master_api_port %}
- direction: ingress
protocol: tcp
port_range_min: {{ openshift_master_console_port | default(8443) }}
port_range_max: {{ openshift_master_console_port | default(8443) }}
- remote_ip_prefix: {{ lb_ingress_cidr }}
- {% endif %}
+ remote_ip_prefix: {{ lb_ingress_cidr | default(bastion_ingress_cidr) }}
+{% endif %}
{% endif %}
etcd:
@@ -696,6 +703,9 @@ resources:
{% else %}
- { get_resource: node-secgrp }
{% endif %}
+{% if ui_ssh_tunnel|bool and num_masters < 2 %}
+ - { get_resource: lb-secgrp }
+{% endif %}
- { get_resource: infra-secgrp }
- { get_resource: common-secgrp }
floating_network: {{ external_network }}