From cea4f2e358f778d6a7ad77dcac627482f295459e Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Fri, 14 Apr 2023 21:25:13 +0200
Subject: [PATCH] Change default CIDR for security_group

At the moment security group allows to access Amphora SSH/API from any network which is insecure. We're changing default for security groups to allow access only from Octavia Management network.

Change-Id: I6ea6ab4ec1c28a3b354d40f6744434eefb05fcfe
---
 defaults/main.yml | 2 +-
 ..._security_group_rule_cidr_default-dbf0cdfd17731a73.yaml | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/octavia_security_group_rule_cidr_default-dbf0cdfd17731a73.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index fe18e0a6..fcffe283 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -273,7 +273,7 @@ octavia_amp_image_upload_enabled: "{{ octavia_download_artefact }}"
 # Name of the Octavia security group
 octavia_security_group_name: octavia_sec_grp
 # Restrict access to only authorized hosts
-octavia_security_group_rule_cidr:
+octavia_security_group_rule_cidr: "{{ octavia_management_net_subnet_cidr }}"
 # ssh enabled - switch to True if you need ssh access to the amphora
 octavia_ssh_enabled: False
 octavia_ssh_key_name: octavia_key
diff --git a/releasenotes/notes/octavia_security_group_rule_cidr_default-dbf0cdfd17731a73.yaml b/releasenotes/notes/octavia_security_group_rule_cidr_default-dbf0cdfd17731a73.yaml
new file mode 100644
index 00000000..b4095b0f
--- /dev/null
+++ b/releasenotes/notes/octavia_security_group_rule_cidr_default-dbf0cdfd17731a73.yaml
@@ -0,0 +1,7 @@
+---
+upgrade:
+ - |
+ Default value for ``octavia_security_group_rule_cidr`` is changed and
+ defined to the CIDR of Octavia management network.
+ To preserve previous behaviour, please override the variable to
+ `0.0.0.0/0`.
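Review bot: The comment kept above the changed line, `# Restrict access to only authorized hosts`, no longer tells a deployer what the new default actually is, that the value must be a CIDR, or how to deliberately widen it, so the only place `0.0.0.0/0` is documented is the release note. I would replace it with `# CIDR allowed to reach the amphora SSH/API ports. Defaults to the Octavia management subnet; set to 0.0.0.0/0 only if you really need the old unrestricted behaviour.` The new default also makes this variable depend on `octavia_management_net_subnet_cidr` being defined and non-empty wherever the security group rule is created; that variable is not visible in this hunk, so if some deployments leave it unset (for example when reusing a pre-existing management network), an early assertion in the tasks that the CIDR resolves to a non-empty value would fail clearly rather than rendering an empty rule. Presumably any deployer whose Octavia control-plane services reach the amphorae from outside that subnet must now override this variable too; worth a sentence in the comment or release note.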