Puppet Class: profile::openstack::base::designate::firewall::api

Defined in:
modules/profile/manifests/openstack/base/designate/firewall/api.pp

Overview

Parameters:

  • labweb_hosts (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::openstack::base::labweb_hosts'))
  • prometheus_nodes (Array[Stdlib::Fqdn]) (defaults to: lookup('prometheus_nodes'))
  • openstack_controllers (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::openstack::base::openstack_controllers'))
  • osm_host (Stdlib::Fqdn) (defaults to: lookup('profile::openstack::base::osm_host')) 


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
 
# File 'modules/profile/manifests/openstack/base/designate/firewall/api.pp', line 1

class profile::openstack::base::designate::firewall::api(
    Array[Stdlib::Fqdn] $labweb_hosts = lookup('profile::openstack::base::labweb_hosts'),
    Array[Stdlib::Fqdn] $prometheus_nodes = lookup('prometheus_nodes'),
    Array[Stdlib::Fqdn] $openstack_controllers = lookup('profile::openstack::base::openstack_controllers'),
    Stdlib::Fqdn $osm_host = lookup('profile::openstack::base::osm_host'),
) {
    # Open designate API to WMCS web UIs and the commandline on control servers, also prometheus
    $clients_ipv4 = flatten([
        $labweb_hosts,
        $openstack_controllers,
        $prometheus_nodes,
        $osm_host,
    ])
    $clients_ipv6 = flatten([
        $labweb_hosts,
        $openstack_controllers,
        $prometheus_nodes,
    ])

    ferm::service { 'designate-api':
        proto  => 'tcp',
        port   => '9001',
        srange => inline_template("(@resolve((<%= @clients_ipv4.join(' ') %>)) @resolve((<%= @clients_ipv6.join(' ') %>), AAAA))")
    }

    ferm::service { 'designate-tls-api':
        proto  => 'tcp',
        port   => '29001',
        srange => inline_template("(@resolve((<%= @clients_ipv4.join(' ') %>)) @resolve((<%= @clients_ipv6.join(' ') %>), AAAA))")
    }

    # Allow labs instances to hit the designate api.
    # This is not as permissive as it looks; The wmfkeystoneauth
    # plugin (via the password whitelist) only allows 'novaobserver'
    # to authenticate from within labs, and the novaobserver is
    # limited by the designate policy.json to read-only queries.
    include network::constants
    $labs_networks = join($network::constants::labs_networks, ' ')

    ferm::service { 'designate-api-for-labs':
        proto  => 'tcp',
        port   => '9001',
        srange => "(${labs_networks})",
    }

    ferm::service { 'designate-tls-api-for-labs':
        proto  => 'tcp',
        port   => '29001',
        srange => "(${labs_networks})",
    }
}