Refactor OpenStack security group creation
* Adds new openstack-security-groups role
* Addresses Issue rhtconsulting#211 and adds all instances to default group
* Defines default security group variable with all groups/rules
* Sets security group variables per type (master,node,nfs,dns)
* Supports specifying no security group for a type (e.g. nfs)
* Uses new Ansible 2.x modules
vvaldez committed Aug 31, 2016
1 parent 812703c commit 7941623
Showing 7 changed files with 216 additions and 39 deletions.
8 changes: 5 additions & 3 deletions rhc-ose-ansible/ose-provision.yml
Expand Up @@ -8,11 +8,13 @@
roles:
- role: common
- role: openshift-common
- role: openstack-security-groups
security_groups: "{{ openshift_openstack_security_groups }}"
# Provision Master
- role: openstack-create
type: "master"
image_name: "{{ openshift_openstack_image_name }}"
security_groups: "{{ openshift_openstack_master_security_groups }}"
security_groups: "{{ security_groups_master }}"
key_name: "{{ openstack_key_name }}"
flavor_name: "{{ openshift_openstack_flavor_name }}"
register_host_group: "masters,openshift"
Expand All @@ -23,7 +25,7 @@
- role: openstack-create
type: "node"
image_name: "{{ openshift_openstack_image_name }}"
security_groups: "{{ openshift_openstack_node_security_groups }}"
security_groups: "{{ security_groups_node }}"
key_name: "{{ openstack_key_name }}"
flavor_name: "{{ openshift_openstack_flavor_name }}"
register_host_group: "nodes,openshift"
Expand All @@ -34,7 +36,7 @@
- role: openstack-create
type: "nfs"
image_name: "{{ openshift_openstack_image_name }}"
security_groups: "default"
security_groups: "{{ security_groups_nfs }}"
key_name: "{{ openstack_key_name }}"
flavor_name: "{{ openshift_openstack_flavor_name }}"
register_host_group: "nfs,openshift"
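Review bot: The NFS instance now receives `security_groups: "{{ security_groups_nfs }}"`, which the new role resolves to the bare `default` group when no `type: nfs` entry exists (and the shipped defaults have none), so what clients may reach on that host — 2049 plus the portmapper/mountd ports — is decided entirely by whatever the tenant's pre-existing `default` group already allows; nothing in this play pins it. If the intent is that masters and nodes reach NFS through `default`'s intra-group rule, that assumption should be written down, because a tenant whose `default` group has been opened up exposes NFS with it. Consider adding an explicit `type: nfs` entry to `openshift_openstack_security_groups` limiting 2049/tcp and 2049/udp to the cluster subnet, and a comment above this line such as `# no nfs entry in openshift_openstack_security_groups => instance lands in 'default' only`. The play's remaining role parameters continue past this hunk.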
2 changes: 1 addition & 1 deletion rhc-ose-ansible/playbooks/dns-provision.yaml
Expand Up @@ -9,6 +9,6 @@
key_name: "{{ openstack_key_name }}"
image_name: "{{ openshift_openstack_image_name }}"
flavor_name: "m1.small"
security_groups: "dns,default"
security_groups: "{{ security_groups_dns }}"
register_host_group: "dns,openshift"
node_count: "1"
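Review bot: `security_groups_dns` is only defined by a `set_fact` inside the new openstack-security-groups role, and this hunk starts at line 9 with the play's role list outside it, so I cannot see that dns-provision.yaml applies that role before this openstack-create role; if it does not, the DNS host is provisioned with an undefined `security_groups` and trips the definedness guard in openstack-create instead of landing in `dns,default` as it did before. Either add the role above this (`- role: openstack-security-groups` with `security_groups: "{{ openshift_openstack_security_groups }}"`, mirroring ose-provision.yml) or keep a fallback here: `security_groups: "{{ security_groups_dns | default('default,dns') }}"`. The enclosing play starts outside this hunk.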
56 changes: 53 additions & 3 deletions rhc-ose-ansible/roles/openshift-common/defaults/main.yml
Expand Up @@ -3,10 +3,60 @@ default_openshift_storage_disk_volume: "/dev/vdb"
default_openshift_master_count: 1
default_openshift_node_count: 2
default_openshift_app_domain: "apps"

default_openshift_openstack_master_security_groups: "ose3-master"
default_openshift_openstack_node_security_groups: "ose3-node"
default_openshift_openstack_flavor_name: "m1.medium"
default_openshift_openstack_image_name: "_OS1_rhel-guest-image-7.2-20151102.0.x86_64.qcow2"
default_openshift_openstack_master_storage_size: 10
default_openshift_openstack_node_storage_size: 10
default_openshift_openstack_master_security_groups:
- name: default
rules: []
- name: ose3_master
rules:
- name: ssh
from_port: 22
to_port: 22
protocol: tcp
cidr: 0.0.0.0/0
- name: http
from_port: 80
to_port: 80
protocol: tcp
cidr: 0.0.0.0/0
- name: https
from_port: 443
to_port: 443
protocol: tcp
cidr: 0.0.0.0/0
- name: https-8443
from_port: 8443
to_port: 8443
protocol: tcp
cidr: 0.0.0.0/0
default_openshift_openstack_node_security_groups:
- name: default
rules: []
- name: ose3_nodes
rules:
- name: ssh
from_port: 22
to_port: 22
protocol: tcp
cidr: 0.0.0.0/0
- name: http
from_port: 80
to_port: 80
protocol: tcp
cidr: 0.0.0.0/0
default_openshift_openstack_dns_security_groups:
- name: default
rules: []
- name: dns
rules:
- name: dns
from_port: 53
to_port: 53
protocol: udp
cidr: 0.0.0.0/0
default_openshift_openstack_nfs_security_groups:
- name: default
rules: []
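Review bot: The four rule sets added here (`default_openshift_openstack_{master,node,dns,nfs}_security_groups`) are dead configuration as of this commit: ose-provision.yml now passes `security_groups_master`/`_node`/`_nfs`/`_dns`, which the new role derives from `openshift_openstack_security_groups`, and none of these entries carries the `type` key that role filters on — so an operator who tightens `cidr: 0.0.0.0/0` on `ssh` in this file would get a green run and an unchanged cloud. Two copies of the firewall policy that silently diverge is the kind of thing that ends with the wrong one being audited. Either drop these defaults or put a comment above them, e.g. `# NOT consumed by the openstack-security-groups role; the authoritative rule set is openshift_openstack_security_groups in that role's defaults`. The `name: default` / `rules: []` entries also read as if the role would manage the tenant's `default` group, which it does not from this file.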
6 changes: 4 additions & 2 deletions rhc-ose-ansible/roles/openshift-common/tasks/main.yml
Expand Up @@ -5,9 +5,11 @@
openshift_master_count: "{{ openshift_master_count | default(default_openshift_master_count) }}"
openshift_node_count: "{{ openshift_node_count | default(default_openshift_node_count) }}"
openshift_app_domain: "{{ openshift_app_domain | default(default_openshift_app_domain) }}"
openshift_openstack_master_security_groups: "{{ openshift_openstack_master_security_groups | default(default_openshift_openstack_master_security_groups) }}"
openshift_openstack_node_security_groups: "{{ openshift_openstack_node_security_groups | default(default_openshift_openstack_node_security_groups) }}"
openshift_openstack_flavor_name: "{{ openshift_openstack_flavor_name | default(default_openshift_openstack_flavor_name) }}"
openshift_openstack_image_name: "{{ openshift_openstack_image_name | default(default_openshift_openstack_image_name) }}"
openshift_openstack_master_storage_size: "{{ openshift_openstack_master_storage_size | default(default_openshift_openstack_master_storage_size) }}"
openshift_openstack_node_storage_size: "{{ openshift_openstack_node_storage_size | default(default_openshift_openstack_node_storage_size) }}"
openshift_openstack_master_security_groups: "{{ openshift_openstack_master_security_groups | default(default_openshift_openstack_master_security_groups) }}"
openshift_openstack_node_security_groups: "{{ openshift_openstack_node_security_groups | default(default_openshift_openstack_node_security_groups) }}"
openshift_openstack_dns_security_groups: "{{ openshift_openstack_dns_security_groups | default(default_openshift_openstack_dns_security_groups) }}"
openshift_openstack_nfs_security_groups: "{{ openshift_openstack_nfs_security_groups | default(default_openshift_openstack_nfs_security_groups) }}"
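Review bot: The facts set on the last four lines are not read by anything in this commit — both provisioning playbooks now consume `security_groups_master`/`_node`/`_dns`/`_nfs` from the openstack-security-groups role, and the `openshift_openstack_*_security_groups` names were removed from ose-provision.yml — so this block keeps a second, unused definition of the security groups alive. If they are retained for other playbooks, say so in a comment above them (`# kept for callers outside ose-provision.yml; not used by the openstack-security-groups role`) so nobody edits them expecting the cloud rules to change; otherwise remove them together with their defaults.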
31 changes: 1 addition & 30 deletions rhc-ose-ansible/roles/openstack-create/tasks/main.yml
Expand Up @@ -4,35 +4,6 @@
when:
- image_name is not defined or security_groups is not defined or key_name is not defined or image_name is not defined or flavor_name is not defined

- name: "Check for Security Groups"
shell: "nova secgroup-list"
with_items: security_groups.split(',')
register: secgroup_list

- name: "Create Security Groups if required"
shell: "nova secgroup-create {{ item.item }} {{ item.item }}"
when: not item.stdout | search('{{ item.item }}')
with_items: secgroup_list.results

- name: "Initialize SSH rule fact"
set_fact:
ssh_rule_found: false

- name: "Check for SSH rule in Security Groups"
shell: "nova secgroup-list-rules {{ item }}"
with_items: security_groups.split(',')
register: secgroup_rule_list

- name: "Set SSH rule fact on match"
set_fact:
ssh_rule_found: true
when: item.stdout | search('tcp.*22.*22')
with_items: secgroup_rule_list.results

- name: "Create SSH Rule in first Security Group if required"
shell: nova secgroup-add-rule {{ security_groups.split(',').0 }} tcp 22 22 0.0.0.0/0
when: not ssh_rule_found

- name: "Search for valid OpenStack Flavor"
shell: "nova flavor-list | awk \"/{{flavor_name }}/\"'{print $2}'"
register: flavor_query
Expand All @@ -54,7 +25,7 @@
register: neutron
ignore_errors: true

- name: "Check for Neutron services - (a failure assumes Legacy Networking (Nova Network)"
- name: "Check for Neutron services - a failure assumes Legacy Networking (Nova Network)"
set_fact:
neutron_floatingip_needed: 'yes'
when: neutron.rc == 0
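--- a/rhc-ose-ansible/roles/openstack-security-groups/defaults/main.yml
+++ b/rhc-ose-ansible/roles/openstack-security-groups/defaults/main.yml
@@ -0,0 +1,46 @@
+---
+default_openshift_openstack_security_groups:
+  - name: ose3_master
+    type: master
+    rules:
+      - name: ssh
+        from_port: 22
+        to_port: 22
+        protocol: tcp
+        cidr: 0.0.0.0/0
+      - name: http
+        from_port: 80
+        to_port: 80
+        protocol: tcp
+        cidr: 0.0.0.0/0
+      - name: https
+        from_port: 443
+        to_port: 443
+        protocol: tcp
+        cidr: 0.0.0.0/0
+      - name: https-8443
+        from_port: 8443
+        to_port: 8443
+        protocol: tcp
+        cidr: 0.0.0.0/0
+  - name: ose3_nodes
+    type: node
+    rules:
+      - name: ssh
+        from_port: 22
+        to_port: 22
+        protocol: tcp
+        cidr: 0.0.0.0/0
+      - name: http
+        from_port: 80
+        to_port: 80
+        protocol: tcp
+        cidr: 0.0.0.0/0
+  - name: dns
+    type: dns
+    rules:
+      - name: dns
+        from_port: 53
+        to_port: 53
+        protocol: udp
+        cidr: 0.0.0.0/0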
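Review bot: Every master and node is shipped with `ssh` open from `cidr: 0.0.0.0/0`, and the master additionally exposes 8443 (the API and console) to the world; the deleted shell code did the same for SSH, but now that the rules are data this default is the place to stop baking it in. Make the administrative source a variable on the `ssh` and `https-8443` rules, e.g. `cidr: "{{ openshift_openstack_admin_cidr | default('0.0.0.0/0') }}"`, so a deployment can narrow it without overriding the whole list. No `direction` or `ethertype` is given, so these presumably become IPv4 ingress rules by the module's defaults, and nothing here grants the intra-cluster ports (8053, 4789, 10250, 2049 and the like), which therefore rely on whatever the tenant's `default` group already permits — a one-line comment at the top of the list stating that dependency would save the next reader a guess.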
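--- a/rhc-ose-ansible/roles/openstack-security-groups/tasks/main.yml
+++ b/rhc-ose-ansible/roles/openstack-security-groups/tasks/main.yml
@@ -0,0 +1,106 @@
+---
+- name: "Set OpenStack Security Group Facts"
+  set_fact:
+    openshift_openstack_security_groups: "{{ openshift_openstack_security_groups | default(default_openshift_openstack_security_groups) }}"
+
+- name: "Determine security group for master"
+  set_fact:
+    security_groups_master: "{{ item.name }}"
+  when: "'{{ item.type }}' == 'master'"
+  with_items: "{{ security_groups }}"
+
+- name: "Set security groups for master if found"
+  set_fact:
+    security_groups_master: "{{ ['default',security_groups_master | default('')] | join(',') }}"
+  when:
+    - security_groups_master is defined
+    - security_groups_master is not none
+    - security_groups_master|trim != ''
+
+- name: "Set security groups for master not found"
+  set_fact:
+    security_groups_master: "default"
+  when: security_groups_master is undefined
+
+- name: "Determine security group for node"
+  set_fact:
+    security_groups_node: "{{ item.name }}"
+  when: "'{{ item.type }}' == 'node'"
+  with_items: "{{ security_groups }}"
+
+- name: "Set security groups for node if found"
+  set_fact:
+    security_groups_node: "{{ ['default',security_groups_node | default('')] | join(',') }}"
+  when:
+    - security_groups_node is defined
+    - security_groups_node is not none
+    - security_groups_node|trim != ''
+
+- name: "Set security groups for node not found"
+  set_fact:
+    security_groups_node: "default"
+  when: security_groups_node is undefined
+
+- name: "Determine security group for dns"
+  set_fact:
+    security_groups_dns: "{{ item.name }}"
+  when: "'{{ item.type }}' == 'dns'"
+  with_items: "{{ security_groups }}"
+
+- name: "Set security groups for dns if found"
+  set_fact:
+    security_groups_dns: "{{ ['default',security_groups_dns | default('')] | join(',') }}"
+  when:
+    - security_groups_dns is defined
+    - security_groups_dns is not none
+    - security_groups_dns|trim != ''
+
+- name: "Set security groups for dns not found"
+  set_fact:
+    security_groups_dns: "default"
+  when: security_groups_dns is undefined
+
+- name: "Determine security group for nfs"
+  set_fact:
+    security_groups_nfs: "{{ item.name }}"
+  when: "'{{ item.type }}' == 'nfs'"
+  with_items: "{{ security_groups }}"
+
+- name: "Set security groups for nfs if found"
+  set_fact:
+    security_groups_nfs: "{{ ['default',security_groups_nfs | default('')] | join(',') }}"
+  when:
+    - security_groups_nfs is defined
+    - security_groups_nfs is not none
+    - security_groups_nfs|trim != ''
+
+- name: "Set security groups for nfs not found"
+  set_fact:
+    security_groups_nfs: "default"
+  when: security_groups_nfs is undefined
+
+- debug:
+    var: "{{ 'security_groups_' + item }}"
+  with_items:
+    - master
+    - node
+    - dns
+    - nfs
+
+- name: "Create Security Groups if required"
+  os_security_group:
+    name: "{{ item.name }}"
+    state: present
+  with_items: "{{ security_groups }}"
+
+- name: "Create SSH Rule in matching Security Group if required"
+  os_security_group_rule:
+    security_group: "{{ item.0.name }}"
+    protocol: "{{ item.1.protocol }}"
+    port_range_min: "{{ item.1.from_port }}"
+    port_range_max: "{{ item.1.to_port }}"
+    remote_ip_prefix: "{{ item.1.cidr }}"
+  when: item.1.name is defined
+  with_subelements:
+    - "{{ security_groups }}"
+    - rules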
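Review bot: The final `os_security_group_rule` task only ever adds rules (no `state` is given, so the module's present default applies), which means removing or narrowing an entry in `openshift_openstack_security_groups` never revokes anything on the cloud — the groups can only grow more permissive across runs, and an operator who tightens a `cidr` will see a green play and an unchanged group. At minimum say so on the task (`# Rules are additive: entries removed from the variable are NOT revoked; remove them with state: absent or out of band`) and rename it, since it creates every listed rule and not just SSH: `- name: "Create listed rules in each Security Group"`. Two smaller points: `when: "'{{ item.type }}' == 'master'"` and its node/dns/nfs siblings should be `when: item.type is defined and item.type == 'master'` — Jinja delimiters inside `when` are unnecessary and the current form errors on a group entry without `type` instead of skipping it — and `with_subelements` fails on a group that lacks a `rules` key unless `skip_missing: true` is set.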
