5102e5130a
This patch enables Firewalling in this Puppet modules in a flexible way. * Enable firewalling optionnaly (disabled by default). * Enable 'pre' firewalling with defaults rules. * Enable 'post' firewalling with DROP rule, with a debug option to disable it. * Enable default rules for all services (OpenStack, etc). * Ability to add custom firewall rules with Hiera * Update puppetlabs-firewall refs * Refactorize unit-tests
84 lines
2.6 KiB
Puppet
84 lines
2.6 KiB
Puppet
#
|
|
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
# == Class: cloud::volume::api
|
|
#
|
|
# Volume API node
|
|
#
|
|
# === Parameters:
|
|
#
|
|
# [*firewall_settings*]
|
|
# (optional) Allow to add custom parameters to firewall rules
|
|
# Should be an hash.
|
|
# Default to {}
|
|
#
|
|
class cloud::volume::api(
|
|
$ks_cinder_internal_port = 8776,
|
|
$ks_cinder_password = 'cinderpassword',
|
|
$ks_keystone_internal_host = '127.0.0.1',
|
|
$ks_keystone_internal_proto = 'http',
|
|
$ks_glance_internal_host = '127.0.0.1',
|
|
$ks_glance_api_internal_port = 9292,
|
|
$api_eth = '127.0.0.1',
|
|
$ks_glance_internal_proto = 'http',
|
|
$default_volume_type = undef,
|
|
$firewall_settings = {},
|
|
# Maintain backward compatibility for multi-backend
|
|
$volume_multi_backend = false
|
|
) {
|
|
|
|
include 'cloud::volume'
|
|
|
|
if ! $volume_multi_backend {
|
|
$default_volume_type_real = undef
|
|
} else {
|
|
if ! $default_volume_type {
|
|
fail('when using multi-backend, you should define a default_volume_type value in cloud::volume::controller')
|
|
} else {
|
|
$default_volume_type_real = $default_volume_type
|
|
}
|
|
}
|
|
|
|
class { 'cinder::api':
|
|
keystone_password => $ks_cinder_password,
|
|
keystone_auth_host => $ks_keystone_internal_host,
|
|
keystone_auth_protocol => $ks_keystone_internal_proto,
|
|
bind_host => $api_eth,
|
|
default_volume_type => $default_volume_type_real
|
|
}
|
|
|
|
class { 'cinder::glance':
|
|
glance_api_servers => "${ks_glance_internal_proto}://${ks_glance_internal_host}:${ks_glance_api_internal_port}",
|
|
glance_request_timeout => '10',
|
|
glance_num_retries => '10'
|
|
}
|
|
|
|
if $::cloud::manage_firewall {
|
|
cloud::firewall::rule{ '100 allow cinder-api access':
|
|
port => $ks_cinder_internal_port,
|
|
extras => $firewall_settings,
|
|
}
|
|
}
|
|
|
|
@@haproxy::balancermember{"${::fqdn}-cinder_api":
|
|
listening_service => 'cinder_api_cluster',
|
|
server_names => $::hostname,
|
|
ipaddresses => $api_eth,
|
|
ports => $ks_cinder_internal_port,
|
|
options => 'check inter 2000 rise 2 fall 5'
|
|
}
|
|
|
|
}
|