Andrew Bogott has uploaded a new change for review. https://gerrit.wikimedia.org/r/320787
Change subject: Keystone: open up firewall for public keystone API
......................................................................

Keystone: open up firewall for public keystone API

The admin API remains open only to labs services; the public api (port 5000) is now open to all production hosts and all Labs instances.

Bug: T150092
Change-Id: If1729c11ad535a63565c65566f09f96ce7ac1487
---
M modules/role/manifests/labs/openstack/nova.pp
1 file changed, 18 insertions(+), 6 deletions(-)

git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/87/320787/1

diff --git a/modules/role/manifests/labs/openstack/nova.pp b/modules/role/manifests/labs/openstack/nova.pp
index 670575d..ec866e8 100644
--- a/modules/role/manifests/labs/openstack/nova.pp
+++ b/modules/role/manifests/labs/openstack/nova.pp
@@ -214,6 +214,10 @@
 srange => '@resolve(tendril.wikimedia.org)',
 }
 
+ include network::constants
+ $prod_networks = $network::constants::production_networks
+ $labs_networks = $network::constants::labs_networks
+
 $fwrules = {
 wikitech_ssh_public => {
 rule => 'saddr (0.0.0.0/0) proto tcp dport (ssh) ACCEPT;',
@@ -227,14 +231,22 @@
 keystone_redis_replication => {
 rule => "saddr (${spare_master}) proto tcp dport (6379) ACCEPT;",
 },
- wikitech_openstack_services => {
- rule => "saddr (${wikitech} ${spare_master}) proto tcp dport (5000 35357 9292) ACCEPT;",
+ # keystone admin API only for openstack services that might need it
+ keystone_admin => {
+ rule => "saddr (${labs_nodes} ${spare_master} ${api_host}
+ ${designate} ${designate_secondary} ${horizon}
+ ${wikitech}
+ ) proto tcp dport (35357) ACCEPT;",
 },
- horizon_openstack_services => {
- rule => "saddr ${horizon} proto tcp dport (5000 35357 9292) ACCEPT;",
+ # keystone public API for all prod hosts and labs instances
+ keystone_public => {
+ rule => "saddr (${prod_networks} ${labs_networks}
+ ) proto tcp dport (5000) ACCEPT;",
 },
- keystone => {
- rule => "saddr (${labs_nodes} ${spare_master} ${api_host} ${designate} ${designate_secondary}) proto tcp dport (5000 35357) ACCEPT;",
+ # glance API for all prod hosts and labs instances
+ glance => {
+ rule => "saddr (${prod_networks} ${labs_networks}
+ ) proto tcp dport (9292) ACCEPT;",
 },
 mysql_nova => {
 rule => "saddr ${labs_nodes} proto tcp dport (3306) ACCEPT;",
--
To view, visit https://gerrit.wikimedia.org/r/320787
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: If1729c11ad535a63565c65566f09f96ce7ac1487
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
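Review bot: The `glance` rule at the end of this hunk widens port 9292 from the three sources the removed `wikitech_openstack_services` and `horizon_openstack_services` rules allowed (`${wikitech}`, `${spare_master}`, `${horizon}`) to every address in `${prod_networks}` and `${labs_networks}`, yet the commit message only describes opening the keystone public API on port 5000. Either the message should state that the glance API is deliberately exposed to all production hosts and all Labs instances, or the glance rule should keep its previous source set and be widened in a separate change, because an image-service API reachable from every instance is a larger change in exposure than the keystone one and reviewers reading the description will not expect it. I also cannot tell from this hunk whether `production_networks` and `labs_networks` are strings or arrays; if they are arrays, confirm that interpolating them inside `saddr ( … )` produces the space-separated list ferm expects, as the existing `${labs_nodes}` interpolation presumably does. The `$fwrules` hash this hunk edits starts and ends outside the hunk.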