From c59650772c8d7d2e84a19782ef8d53cec02deb9b Mon Sep 17 00:00:00 2001 From: Yanis Guenane Date: Wed, 15 Jul 2015 11:58:46 +0200 Subject: Implement firewalling in tripleo::firewall Currently firewalling is implemented in tripleo/init.pp this commit moves it to its own scope tripleo/firewall.pp. This is done so that in tripleo-heat-templates we can have a simple and generic `include tripleo::firewall` in every manifest - unconditional. The rest of the behavior will all be managed by hiera. If a user wants to enable firewalling: ``` tripleo::firewall::manage_firewall: true ``` If a user wants to specify firewall rules: ``` tripleo::firewall::firewall_rules: '103 mongod': port: 27017 ``` Change-Id: I144c60db2a568a94dce5b51257f1d10980173325 --- spec/classes/tripleo_init_spec.rb | 91 --------------------------------------- 1 file changed, 91 deletions(-) (limited to 'spec/classes/tripleo_init_spec.rb') diff --git a/spec/classes/tripleo_init_spec.rb b/spec/classes/tripleo_init_spec.rb index 9f01857..57b45e2 100644 --- a/spec/classes/tripleo_init_spec.rb +++ b/spec/classes/tripleo_init_spec.rb @@ -20,95 +20,4 @@ require 'spec_helper' describe 'tripleo' do - let :params do - { } - end - - shared_examples_for 'tripleo node' do - - context 'with firewall enabled' do - before :each do - params.merge!( - :manage_firewall => true, - ) - end - - it 'configure basic pre firewall rules' do - is_expected.to contain_firewall('000 accept related established rules').with( - :proto => 'all', - :state => ['RELATED', 'ESTABLISHED'], - :action => 'accept', - ) - is_expected.to contain_firewall('001 accept all icmp').with( - :proto => 'icmp', - :action => 'accept', - :state => ['NEW'], - ) - is_expected.to contain_firewall('002 accept all to lo interface').with( - :proto => 'all', - :iniface => 'lo', - :action => 'accept', - :state => ['NEW'], - ) - is_expected.to contain_firewall('003 accept ssh').with( - :port => '22', - :proto => 'tcp', - :action => 'accept', - :state => ['NEW'], - ) - end - - it 'configure basic post firewall rules' do - is_expected.to contain_firewall('999 drop all').with( - :proto => 'all', - :action => 'drop', - :source => '0.0.0.0/0', - ) - end - end - - context 'with custom firewall rules' do - before :each do - params.merge!( - :manage_firewall => true, - :firewall_rules => { - '300 add custom application 1' => {'port' => '999', 'proto' => 'udp', 'action' => 'accept'}, - '301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'} - } - ) - end - it 'configure custom firewall rules' do - is_expected.to contain_firewall('300 add custom application 1').with( - :port => '999', - :proto => 'udp', - :action => 'accept', - :state => ['NEW'], - ) - is_expected.to contain_firewall('301 add custom application 2').with( - :port => '8081', - :proto => 'tcp', - :action => 'accept', - :state => ['NEW'], - ) - end - end - - end - - context 'on Debian platforms' do - let :facts do - { :osfamily => 'Debian' } - end - - it_configures 'tripleo node' - end - - context 'on RedHat platforms' do - let :facts do - { :osfamily => 'RedHat' } - end - - it_configures 'tripleo node' - end - end -- cgit 1.2.3-korg