author | Bogdan Dobrelya <bdobreli@redhat.com> | 2017-08-16 09:14:06 +0200 |
---|---|---|
committer | Tomas Sedovic <tomas@sedovic.cz> | 2017-08-16 09:14:06 +0200 |
commit | 6ebad037254b0c254638f6e6dfbd48e451a1ceeb (patch) | |
tree | e9aeb0cc4e48a1e908c6c1156a50f0c4734fc650 /roles/openstack-stack | |
parent | fca4c6047bb35582b5254d4a087f7119364a8725 (diff) | |
Access UI via a bastion node (#596)
When using a bastion and a single master, use the lb-secgrp so that
the UI port is allowed from the bastion node's ingress CIDR.
For HA (masters>1), UI still should be accessed via
the LB node's ingress cidr, omitting the bastion.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Diffstat (limited to 'roles/openstack-stack')
-rw-r--r-- | roles/openstack-stack/defaults/main.yml | 1 | ||||
-rw-r--r-- | roles/openstack-stack/templates/heat_stack.yaml.j2 | 20 |
2 files changed, 16 insertions, 5 deletions
diff --git a/roles/openstack-stack/defaults/main.yml b/roles/openstack-stack/defaults/main.yml
index 803a96389..c8529612e 100644
--- a/roles/openstack-stack/defaults/main.yml
+++ b/roles/openstack-stack/defaults/main.yml
@@ -13,3 +13,4 @@ num_infra: 1
 nodes_to_remove: []
 etcd_volume_size: 2
 use_bastion: False
+ui_ssh_tunnel: False
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2
index c41bf15be..a670ff0e3 100644
--- a/roles/openstack-stack/templates/heat_stack.yaml.j2
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2
@@ -439,7 +439,7 @@ resources:
 port_range_min: 53
 port_range_max: 53
 remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
-{% if num_masters > 1 %}
+{% if num_masters > 1 or ui_ssh_tunnel|bool %}
 lb-secgrp:
 type: OS::Neutron::SecurityGroup
 properties:
@@ -450,14 +450,21 @@ resources:
 protocol: tcp
 port_range_min: {{ openshift_master_api_port | default(8443) }}
 port_range_max: {{ openshift_master_api_port | default(8443) }}
- remote_ip_prefix: {{ lb_ingress_cidr }}
- {% if openshift_master_console_port is defined and openshift_master_console_port != openshift_master_api_port %}
+ remote_ip_prefix: {{ lb_ingress_cidr | default(bastion_ingress_cidr) }}
+{% if ui_ssh_tunnel|bool %}
+ - direction: ingress
+ protocol: tcp
+ port_range_min: {{ openshift_master_api_port | default(8443) }}
+ port_range_max: {{ openshift_master_api_port | default(8443) }}
+ remote_ip_prefix: {{ ssh_ingress_cidr }}
+{% endif %}
+{% if openshift_master_console_port is defined and openshift_master_console_port != openshift_master_api_port %}
 - direction: ingress
 protocol: tcp
 port_range_min: {{ openshift_master_console_port | default(8443) }}
 port_range_max: {{ openshift_master_console_port | default(8443) }}
- remote_ip_prefix: {{ lb_ingress_cidr }}
- {% endif %}
+ remote_ip_prefix: {{ lb_ingress_cidr | default(bastion_ingress_cidr) }}
+{% endif %}
 {% endif %}
 
 etcd:
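Review bot: The new `ui_ssh_tunnel: False` default carries no explanation, yet enabling it changes the stack's security groups (it creates lb-secgrp and adds an API-port rule from `ssh_ingress_cidr` in heat_stack.yaml.j2), which is something a deployer should understand before flipping it. Add a comment above the line, e.g. `# Create lb-secgrp and allow the master API port from ssh_ingress_cidr so the UI can be reached over an SSH tunnel (single master behind a bastion); this widens network exposure, see heat_stack.yaml.j2`. The role README and sample inventory are not part of this diff, so I cannot tell whether the variable is documented there.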
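Review bot: The `{% if ui_ssh_tunnel|bool %}` rule opens the API port to `ssh_ingress_cidr` on lb-secgrp in every topology, while the matching attachment in the third hunk is limited to `num_masters < 2`; with `ui_ssh_tunnel` set in an HA deployment this widens the load balancer's API port to the whole SSH source range, contradicting the description ("UI still should be accessed via the LB node's ingress cidr, omitting the bastion"). Gate the rule the same way: `{% if ui_ssh_tunnel|bool and num_masters < 2 %}`. If the tunnel terminates on the bastion, connections toward the master originate from the bastion's own address, which the `lb_ingress_cidr | default(bastion_ingress_cidr)` rule appears to cover already, so confirm the `ssh_ingress_cidr` rule is needed at all before exposing the API port to a range that inventories may set to 0.0.0.0/0. The console-port branch gets no matching `ssh_ingress_cidr` rule, so when `openshift_master_console_port` differs from the API port the console is not reachable through the tunnel. Unlike the other CIDRs in this hunk, `ssh_ingress_cidr` is rendered without a `default`, so an inventory that omits it yields an empty `remote_ip_prefix` and a stack that fails validation or, worse, an unintended rule; `{{ ssh_ingress_cidr | mandatory }}` would make the failure explicit.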
@@ -696,6 +703,9 @@ resources:
 {% else %}
 - { get_resource: node-secgrp }
 {% endif %}
+{% if ui_ssh_tunnel|bool and num_masters < 2 %}
+ - { get_resource: lb-secgrp }
+{% endif %}
 - { get_resource: infra-secgrp }
 - { get_resource: common-secgrp }
 floating_network: {{ external_network }}
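Review bot: The resource group that receives lb-secgrp starts outside the hunk, so which servers actually get it is not visible here; the neighbouring `infra-secgrp` suggests the infra node group, whereas the rules in lb-secgrp open the master API and console ports, so confirm the group is attached to the server that serves the UI in the single-master case rather than to nodes that merely gain an open port. Nothing in the condition checks `use_bastion`, although the description scopes this feature to bastion deployments; if the tunnel is meant to go through the bastion, `{% if ui_ssh_tunnel|bool and use_bastion|bool and num_masters < 2 %}` would avoid creating the extra exposure in a stack that has no bastion to tunnel through. A short comment above the condition naming the intended path, e.g. `{# single master, no LB: expose the UI port here for the bastion SSH tunnel #}`, would help the next reader match this against the lb-secgrp rules.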