implement default ssh-from-ctlplane rule via hiera

With the accompanying change in puppet-tripleo, this removes the hardcoded firewall rule allowing ssh traffic in tripleo::firewall::pre and replaces it with a configuration in tripleo-firewall.yaml that allows only ssh access from the undercloud's controlplane network address. This allows operators to define more granular ssh firewall rules via tripleo::firewall::firewall_rules. Needed-By: I14b540e6564c5b7c5d54b4f1fd5368b000744135 Change-Id: I89cff59947dda3f51482486c41a3d67c4aa36a3e
2018-07-12 15:36:48 -04:00 · 2018-07-12 15:36:48 -04:00 · a433e05e66
parent 7e1a0a9014
commit a433e05e66
1 changed files with 6 additions and 0 deletions
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
@ -47,6 +47,12 @@ outputs:
      config_settings:
        tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
        tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
+        tripleo::tripleo_firewall::firewall_rules:
+          '003 accept ssh from controlplane':
+            source: "%{hiera('ctlplane_subnet')}"
+            proto: 'tcp'
+            dport: 22
+
      step_config: |
        include ::tripleo::firewall
      upgrade_tasks: