# File 'modules/profile/manifests/openstack/base/designate/firewall/api.pp', line 1
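# Firewall (ferm) rules for the Designate (DNS-as-a-service) API.
#
# Two listeners are exposed: the plain API on tcp/9001 and the TLS API on
# tcp/29001.  Each is opened twice: once to a small set of trusted
# management hosts (resolved by name), and once to every Cloud VPS
# instance network.
#
# @param labweb_hosts           WMCS web UI hosts that call the API (A + AAAA).
# @param openstack_controllers  OpenStack control servers used for CLI access (A + AAAA).
# @param osm_host               Additional client host; resolved for IPv4 only.
class profile::openstack::base::designate::firewall::api(
    Array[Stdlib::Fqdn] $labweb_hosts = lookup('profile::openstack::base::labweb_hosts'),
    Array[Stdlib::Fqdn] $openstack_controllers = lookup('profile::openstack::base::openstack_controllers'),
    Stdlib::Fqdn $osm_host = lookup('profile::openstack::base::osm_host'),
) {
    # Trusted management clients: the WMCS web UIs and the command line on
    # the control servers.  NOTE(review): an earlier comment here also named
    # prometheus, but no prometheus host is listed in either group; if it
    # scrapes the designate API it must already be one of these hosts — verify.
    $clients_ipv4 = flatten([
        $labweb_hosts,
        $openstack_controllers,
        $osm_host,
    ])
    # $osm_host is intentionally absent: it is only ever resolved to IPv4.
    $clients_ipv6 = flatten([
        $labweb_hosts,
        $openstack_controllers,
    ])

    # Build the source range once so the plain and TLS rules cannot drift
    # apart.  ferm's @resolve() looks the names up when the ruleset is
    # generated (A records by default, AAAA where requested), so a DNS change
    # only takes effect after the next puppet run regenerates ferm.
    $management_srange = inline_template("(@resolve((<%= @clients_ipv4.join(' ') %>)) @resolve((<%= @clients_ipv6.join(' ') %>), AAAA))")

    ferm::service { 'designate-api':
        proto  => 'tcp',
        port   => '9001',
        srange => $management_srange,
    }
    ferm::service { 'designate-tls-api':
        proto  => 'tcp',
        port   => '29001',
        srange => $management_srange,
    }

    # Allow Cloud VPS (labs) instances to reach the designate API.
    # This is not as permissive as it looks: the wmfkeystoneauth plugin
    # (via its password whitelist) only allows 'novaobserver' to authenticate
    # from within labs, and novaobserver is limited by designate's
    # policy.json to read-only queries.  The network rule is therefore NOT
    # the access control here — keystone and the designate policy are; any
    # loosening of either silently widens what every instance can do.
    # NOTE(review): the non-TLS listener (9001) is also opened to the instance
    # networks, so a client that uses it sends the novaobserver credentials in
    # the clear across the tenant network; consider whether the labs rule can
    # be limited to the TLS port once clients support it — confirm with WMCS.
    include network::constants
    $labs_networks = join($network::constants::labs_networks, ' ')

    ferm::service { 'designate-api-for-labs':
        proto  => 'tcp',
        port   => '9001',
        srange => "(${labs_networks})",
    }
    ferm::service { 'designate-tls-api-for-labs':
        proto  => 'tcp',
        port   => '29001',
        srange => "(${labs_networks})",
    }
}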