Merge "Ensure we get a subnet for ctlplane"

2019-08-10 16:25:54 +00:00 · 2019-08-10 16:25:54 +00:00 · e1d94316c8
parent 1e33ed8366 9e5efd5911
commit e1d94316c8
1 changed files with 23 additions and 9 deletions
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
@ -39,6 +39,12 @@ parameters:
    description: Whether IPtables rules should be purged before setting up the new ones.
    type: boolean

+conditions:
+  get_ctlplane_from_hiera:
+    equals:
+      - get_param: [ServiceData, net_cidr_map, ctlplane]
+      - Null
+
 outputs:
  role_data:
    description: Role data for the TripleO firewall settings
@ -48,15 +54,23 @@ outputs:
        tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
        tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
        tripleo::tripleo_firewall::firewall_rules:
-          map_merge:
-            repeat:
-              for_each:
-                <%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
-              template:
-                '003 accept ssh from ctlplane subnet <%net_cidr%>':
-                  source: <%net_cidr%>
-                  proto: 'tcp'
-                  dport: 22
+          if:
+            - get_ctlplane_from_hiera
+            -
+              "004 accept ssh from ctlplane subnet %{hiera('ctlplane_subnet')}":
+                source: "%{hiera('ctlplane_subnet')}"
+                proto: 'tcp'
+                port: 22
+            -
+              map_merge:
+                repeat:
+                  for_each:
+                    <%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
+                  template:
+                    '003 accept ssh from ctlplane subnet <%net_cidr%>':
+                      source: <%net_cidr%>
+                      proto: 'tcp'
+                      dport: 22

      step_config: |
        include ::tripleo::firewall