Create usefull security groups by default

We need to create some default security groups that will
allow the OpenStack cloud to be used immediately after deployment.

By default it will create the following security groups:
1. global_http - security group which opens HTTP/HTTPS for external traffic.
2. global_ssh - security group which opens SSH port for external traffic.
3. allow_all - security group which allows all traffic
for any TCP/UDP ports from external network.

Change-Id: I23ea837cbe92b5091f07de291f0e9f5f40e6fd44
Closes-Bug: #1349819
Alexey Deryugin 2016-03-23 16:43:32 +03:00
parent 618f848d04
commit 57fdc97653
4 changed files with 153 additions and 0 deletions


@ -0,0 +1 @@
include ::openstack_tasks::openstack_controller::security_group


@ -54,3 +54,14 @@
puppet_manifest: /etc/puppet/modules/openstack_tasks/examples/openstack-controller/keystone.pp
puppet_modules: /etc/puppet/modules
timeout: 1800
- id: nova-security-group
type: puppet
version: 2.0.0
groups: [primary-controller]
required_for: [deploy_end]
requires: [primary-openstack-controller]
parameters:
puppet_manifest: /etc/puppet/modules/openstack_tasks/examples/openstack-controller/security-group.pp
puppet_modules: /etc/puppet/modules
timeout: 1800


@ -0,0 +1,72 @@
# Copyright (C) 2015-2016 Mirantis
class openstack_tasks::openstack_controller::security_group {
notice('MODULAR: openstack_controller/security_group.pp')
$nova_hash = hiera_hash('nova', {})
if pick($nova_hash['create_default_security_groups'], true) {
Nova_security_rule {
ensure => present,
ip_protocol => 'tcp',
ip_range => '0.0.0.0/0',
}
nova_security_group { 'global_http':
ensure => present,
description => 'Allow HTTP traffic'
}
nova_security_rule { 'http_01':
from_port => '80',
to_port => '80',
security_group => 'global_http'
}
nova_security_rule { 'http_02':
from_port => '443',
to_port => '443',
security_group => 'global_http'
}
nova_security_group { 'global_ssh':
ensure => present,
description => 'Allow SSH traffic'
}
nova_security_rule { 'ssh_01':
from_port => '22',
to_port => '22',
security_group => 'global_ssh'
}
nova_security_group { 'allow_all':
ensure => present,
description => 'Allow all traffic'
}
nova_security_rule { 'all_01':
from_port => '1',
to_port => '65535',
security_group => 'allow_all'
}
nova_security_rule { 'all_02':
ip_protocol => 'udp',
from_port => '1',
to_port => '65535',
security_group => 'allow_all'
}
nova_security_rule { 'all_03':
ip_protocol => 'icmp',
from_port => '1',
to_port => '255',
security_group => 'allow_all'
}
} else {
nova_security_group { ['global_http', 'global_ssh', 'allow_all']:
ensure => absent
}
}
}
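Review bot: `pick($nova_hash['create_default_security_groups'], true)` on the `if` line makes the `allow_all` group — every TCP and UDP port plus ICMP from `0.0.0.0/0` — part of every deployment unless the operator explicitly opts out, which is a very wide default for a single knob that also gates the much narrower `global_http`/`global_ssh` groups. Consider defaulting the knob to off, `if pick($nova_hash['create_default_security_groups'], false) {`, or gating `allow_all` behind its own hiera key so the HTTP/SSH groups can stay enabled without it. The `all_03` rule sets `from_port => '1'`, `to_port => '255'` for ICMP; if the provider passes these through as ICMP type/code (as the nova CLI does), that matches a single type/code pair rather than all ICMP, so the rule would not do what `'Allow all traffic'` states — worth confirming against the `nova_security_rule` type, where the all-ICMP form is conventionally `-1`/`-1`. The `Nova_security_rule` default of `ip_range => '0.0.0.0/0'` also covers only IPv4, so on clouds with IPv6 tenant networks the group descriptions overstate what the rules permit.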


@ -0,0 +1,69 @@
require 'spec_helper'
require 'shared-examples'
manifest = 'openstack-controller/security-group.pp'
describe manifest do
shared_examples 'catalog' do
it 'should create default security groups' do
if Noop.puppet_function('pick', nova_hash['create_default_security_groups'], true)
should contain_nova_security_group('global_http')
should contain_nova_security_rule('http_01').with(
'ip_protocol' => 'tcp',
'from_port' => '80',
'to_port' => '80',
'ip_range' => '0.0.0.0/0',
'security_group' => 'global_http'
)
should contain_nova_security_rule('http_02').with(
'ip_protocol' => 'tcp',
'from_port' => '443',
'to_port' => '443',
'ip_range' => '0.0.0.0/0',
'security_group' => 'global_http'
)
should contain_nova_security_group('global_ssh')
should contain_nova_security_rule('ssh_01').with(
'ip_protocol' => 'tcp',
'from_port' => '22',
'to_port' => '22',
'ip_range' => '0.0.0.0/0',
'security_group' => 'global_ssh'
)
should contain_nova_security_group('allow_all')
should contain_nova_security_rule('all_01').with(
'ip_protocol' => 'tcp',
'from_port' => '1',
'to_port' => '65535',
'ip_range' => '0.0.0.0/0',
'security_group' => 'allow_all'
)
should contain_nova_security_rule('all_02').with(
'ip_protocol' => 'udp',
'from_port' => '1',
'to_port' => '65535',
'ip_range' => '0.0.0.0/0',
'security_group' => 'allow_all'
)
should contain_nova_security_rule('all_03').with(
'ip_protocol' => 'icmp',
'from_port' => '1',
'to_port' => '255',
'ip_range' => '0.0.0.0/0',
'security_group' => 'allow_all'
)
else
should contain_nova_security_group('global_http').with('ensure' => 'absent')
should contain_nova_security_group('global_ssh').with('ensure' => 'absent')
should contain_nova_security_group('allow_all').with('ensure' => 'absent')
end
end
end # end of shared_examples
test_ubuntu_and_centos manifest
end
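Review bot: The positive branch at `should contain_nova_security_group('global_http')` (and the `global_ssh`/`allow_all` lines that follow) checks only that the resource exists, not that it carries `ensure => present`, while the `else` branch does pin `'ensure' => 'absent'`; add `.with('ensure' => 'present')` to those three expectations so both branches test the same property. `nova_hash` on the `if` line is not defined in this file, so the spec presumably relies on `shared-examples` or `spec_helper` to provide it — confirm, since an undefined helper would make the condition raise rather than select a branch. The `else` expectations are only reached if some test fixture sets `create_default_security_groups` to false; if none does, that path is effectively untested.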