Create usefull security groups by default
We need to create some default security groups that will allow the OpenStack cloud to be used immediately after deployment. By default it will create the following security groups: 1. global_http - security group which opens HTTP/HTTPS for external traffic. 2. global_ssh - security group which opens the SSH port for external traffic. 3. allow_all - security group which allows all traffic on any TCP/UDP port from the external network. Change-Id: I23ea837cbe92b5091f07de291f0e9f5f40e6fd44 Closes-Bug: #1349819
This commit is contained in:
parent
618f848d04
commit
57fdc97653
|
@ -0,0 +1 @@
|
|||
include ::openstack_tasks::openstack_controller::security_group
|
|
@ -54,3 +54,14 @@
|
|||
puppet_manifest: /etc/puppet/modules/openstack_tasks/examples/openstack-controller/keystone.pp
|
||||
puppet_modules: /etc/puppet/modules
|
||||
timeout: 1800
|
||||
|
||||
- id: nova-security-group
|
||||
type: puppet
|
||||
version: 2.0.0
|
||||
groups: [primary-controller]
|
||||
required_for: [deploy_end]
|
||||
requires: [primary-openstack-controller]
|
||||
parameters:
|
||||
puppet_manifest: /etc/puppet/modules/openstack_tasks/examples/openstack-controller/security-group.pp
|
||||
puppet_modules: /etc/puppet/modules
|
||||
timeout: 1800
|
||||
|
|
|
@ -0,0 +1,72 @@
|
|||
# Copyright (C) 2015-2016 Mirantis
|
||||
|
||||
class openstack_tasks::openstack_controller::security_group {
|
||||
notice('MODULAR: openstack_controller/security_group.pp')
|
||||
|
||||
$nova_hash = hiera_hash('nova', {})
|
||||
|
||||
if pick($nova_hash['create_default_security_groups'], true) {
|
||||
Nova_security_rule {
|
||||
ensure => present,
|
||||
ip_protocol => 'tcp',
|
||||
ip_range => '0.0.0.0/0',
|
||||
}
|
||||
|
||||
nova_security_group { 'global_http':
|
||||
ensure => present,
|
||||
description => 'Allow HTTP traffic'
|
||||
}
|
||||
|
||||
nova_security_rule { 'http_01':
|
||||
from_port => '80',
|
||||
to_port => '80',
|
||||
security_group => 'global_http'
|
||||
}
|
||||
|
||||
nova_security_rule { 'http_02':
|
||||
from_port => '443',
|
||||
to_port => '443',
|
||||
security_group => 'global_http'
|
||||
}
|
||||
|
||||
nova_security_group { 'global_ssh':
|
||||
ensure => present,
|
||||
description => 'Allow SSH traffic'
|
||||
}
|
||||
|
||||
nova_security_rule { 'ssh_01':
|
||||
from_port => '22',
|
||||
to_port => '22',
|
||||
security_group => 'global_ssh'
|
||||
}
|
||||
|
||||
nova_security_group { 'allow_all':
|
||||
ensure => present,
|
||||
description => 'Allow all traffic'
|
||||
}
|
||||
|
||||
nova_security_rule { 'all_01':
|
||||
from_port => '1',
|
||||
to_port => '65535',
|
||||
security_group => 'allow_all'
|
||||
}
|
||||
|
||||
nova_security_rule { 'all_02':
|
||||
ip_protocol => 'udp',
|
||||
from_port => '1',
|
||||
to_port => '65535',
|
||||
security_group => 'allow_all'
|
||||
}
|
||||
|
||||
nova_security_rule { 'all_03':
|
||||
ip_protocol => 'icmp',
|
||||
from_port => '1',
|
||||
to_port => '255',
|
||||
security_group => 'allow_all'
|
||||
}
|
||||
} else {
|
||||
nova_security_group { ['global_http', 'global_ssh', 'allow_all']:
|
||||
ensure => absent
|
||||
}
|
||||
}
|
||||
}
|
|
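Review bot: The `all_03` rule with `from_port => '1', to_port => '255'` is unlikely to mean "all ICMP": in the Nova security-group API from_port is the ICMP type and to_port the ICMP code rather than a range, so as written it would admit only type 1/code 255 (echo request is type 8) unless the nova_security_rule provider translates the pair differently — worth confirming against the provider before relying on it; the conventional all-ICMP rule is `from_port => '-1', to_port => '-1'`. The class also lacks a header comment, and because `pick(..., true)` makes creation the default, every deployment ends up with an `allow_all` group opening every TCP/UDP port and ICMP to 0.0.0.0/0, so a comment above `class openstack_tasks::openstack_controller::security_group` naming the `nova` hiera hash key `create_default_security_groups` as the opt-out and stating that `allow_all` is intended for test workloads would help operators. The `else` branch absents only the groups and relies on the backend dropping their rules with them, which seems fine but deserves a one-line comment.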
@ -0,0 +1,69 @@
|
|||
require 'spec_helper'
|
||||
require 'shared-examples'
|
||||
manifest = 'openstack-controller/security-group.pp'
|
||||
|
||||
describe manifest do
|
||||
|
||||
shared_examples 'catalog' do
|
||||
it 'should create default security groups' do
|
||||
if Noop.puppet_function('pick', nova_hash['create_default_security_groups'], true)
|
||||
should contain_nova_security_group('global_http')
|
||||
|
||||
should contain_nova_security_rule('http_01').with(
|
||||
'ip_protocol' => 'tcp',
|
||||
'from_port' => '80',
|
||||
'to_port' => '80',
|
||||
'ip_range' => '0.0.0.0/0',
|
||||
'security_group' => 'global_http'
|
||||
)
|
||||
should contain_nova_security_rule('http_02').with(
|
||||
'ip_protocol' => 'tcp',
|
||||
'from_port' => '443',
|
||||
'to_port' => '443',
|
||||
'ip_range' => '0.0.0.0/0',
|
||||
'security_group' => 'global_http'
|
||||
)
|
||||
|
||||
should contain_nova_security_group('global_ssh')
|
||||
|
||||
should contain_nova_security_rule('ssh_01').with(
|
||||
'ip_protocol' => 'tcp',
|
||||
'from_port' => '22',
|
||||
'to_port' => '22',
|
||||
'ip_range' => '0.0.0.0/0',
|
||||
'security_group' => 'global_ssh'
|
||||
)
|
||||
|
||||
should contain_nova_security_group('allow_all')
|
||||
|
||||
should contain_nova_security_rule('all_01').with(
|
||||
'ip_protocol' => 'tcp',
|
||||
'from_port' => '1',
|
||||
'to_port' => '65535',
|
||||
'ip_range' => '0.0.0.0/0',
|
||||
'security_group' => 'allow_all'
|
||||
)
|
||||
should contain_nova_security_rule('all_02').with(
|
||||
'ip_protocol' => 'udp',
|
||||
'from_port' => '1',
|
||||
'to_port' => '65535',
|
||||
'ip_range' => '0.0.0.0/0',
|
||||
'security_group' => 'allow_all'
|
||||
)
|
||||
should contain_nova_security_rule('all_03').with(
|
||||
'ip_protocol' => 'icmp',
|
||||
'from_port' => '1',
|
||||
'to_port' => '255',
|
||||
'ip_range' => '0.0.0.0/0',
|
||||
'security_group' => 'allow_all'
|
||||
)
|
||||
else
|
||||
should contain_nova_security_group('global_http').with('ensure' => 'absent')
|
||||
should contain_nova_security_group('global_ssh').with('ensure' => 'absent')
|
||||
should contain_nova_security_group('allow_all').with('ensure' => 'absent')
|
||||
end
|
||||
end
|
||||
end # end of shared_examples
|
||||
|
||||
test_ubuntu_and_centos manifest
|
||||
end
|
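Review bot: `nova_hash` on the `Noop.puppet_function('pick', ...)` line is not defined anywhere in this spec, so unless shared-examples provides it the example fails with NameError before any expectation runs; the manifest reads it via `hiera_hash('nova', {})`, so the spec should mirror that at the top of the shared example, e.g. `nova_hash = Noop.hiera_hash('nova', {})` (assuming the Noop helper exposes hiera_hash). The `else` branch only asserts that the three groups are absent; adding `should_not contain_nova_security_rule('all_01')` (and the other rule names) would also pin that no rules are declared when creation is disabled. The `ip_protocol`/`ip_range` values asserted on `http_01` and `ssh_01` come from the manifest's resource defaults, so the spec does confirm the defaults are applied to each rule.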