Andrew Bogott has submitted this change and it was merged.
Change subject: Keystone: open up firewall to allow labs access to keystone API
......................................................................
Keystone: open up firewall to allow labs access to keystone API
The admin API remains open only to labs services;
the public API (port 5000) is now open to all
production hosts and all Labs instances.
Bug: T150092
Change-Id: If1729c11ad535a63565c65566f09f96ce7ac1487
---
M modules/role/manifests/labs/openstack/nova/controller.pp
1 file changed, 18 insertions(+), 7 deletions(-)
Approvals:
Andrew Bogott: Looks good to me, approved
Rush: Looks good to me, but someone else must approve
jenkins-bot: Verified
diff --git a/modules/role/manifests/labs/openstack/nova/controller.pp
b/modules/role/manifests/labs/openstack/nova/controller.pp
index fac3a14..f298dd0 100644
--- a/modules/role/manifests/labs/openstack/nova/controller.pp
+++ b/modules/role/manifests/labs/openstack/nova/controller.pp
@@ -56,6 +56,10 @@
srange => '@resolve(tendril.wikimedia.org)',
}
+ include network::constants
+ $prod_networks = $network::constants::production_networks
+ $labs_networks = $network::constants::labs_networks
+
$fwrules = {
wikitech_ssh_public => {
rule => 'saddr (0.0.0.0/0) proto tcp dport (ssh) ACCEPT;',
@@ -69,14 +73,22 @@
keystone_redis_replication => {
rule => "saddr (${spare_master}) proto tcp dport (6379) ACCEPT;",
},
- wikitech_openstack_services => {
- rule => "saddr (${wikitech} ${spare_master}) proto tcp dport
(5000 35357 9292) ACCEPT;",
+ # keystone admin API only for openstack services that might need it
+ keystone_admin => {
+ rule => "saddr (${labs_nodes} ${spare_master} ${api_host}
+ ${designate} ${designate_secondary} ${horizon}
+ ${wikitech}
+ ) proto tcp dport (35357) ACCEPT;",
},
- horizon_openstack_services => {
- rule => "saddr ${horizon} proto tcp dport (5000 35357 9292)
ACCEPT;",
+ # keystone public API for all prod hosts and labs instances
+ keystone_public => {
+ rule => "saddr (${prod_networks} ${labs_networks}
+ ) proto tcp dport (5000) ACCEPT;",
},
- keystone => {
- rule => "saddr (${labs_nodes} ${spare_master} ${api_host}
${designate} ${designate_secondary}) proto tcp dport (5000 35357) ACCEPT;",
+ # glance API for all prod hosts and labs instances
+ glance => {
+ rule => "saddr (${prod_networks} ${labs_networks}
+ ) proto tcp dport (9292) ACCEPT;",
},
mysql_nova => {
rule => "saddr ${labs_nodes} proto tcp dport (3306) ACCEPT;",
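Review bot: `$prod_networks` and `$labs_networks` are interpolated straight into the ferm `saddr (...)` lists of keystone_public and glance; if `$network::constants::production_networks` and `labs_networks` are arrays rather than pre-joined strings, Puppet's string interpolation may render them with brackets and commas that ferm does not accept, so confirm their type in network::constants or join them explicitly, e.g. `$prod_networks = join($network::constants::production_networks, ' ')`. The removed `wikitech_openstack_services` and `horizon_openstack_services` rules granted `${wikitech}` and `${horizon}` port 9292 by host; the new glance rule covers them only if those hosts fall inside `$prod_networks`, which deserves a comment on the glance entry such as `# wikitech and horizon reach glance via the production ranges`. Opening 5000 and 9292 to every Labs instance is the stated intent, but since those networks hold untrusted tenant VMs it is worth recording in the comment that the keystone public and glance endpoints are now reachable from them, so future reviewers treat those listeners as exposed to untrusted clients. The `$fwrules` hash this hunk edits opens before the hunk and is closed outside it.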
@@ -100,4 +112,3 @@
create_resources (ferm::rule, $fwrules)
}
-
--
Gerrit-MessageType: merged
Gerrit-Change-Id: If1729c11ad535a63565c65566f09f96ce7ac1487
Gerrit-PatchSet: 10
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <[email protected]>
Gerrit-Reviewer: Andrew Bogott <[email protected]>
Gerrit-Reviewer: Rush <[email protected]>
Gerrit-Reviewer: jenkins-bot <>