From 4c9d0fc6da6ec156dfd4f4e8d371e1fa60274514 Mon Sep 17 00:00:00 2001
From: Emilien Macchi <emilien@redhat.com>
Date: Fri, 12 Jun 2015 15:20:17 -0400
Subject: Implement Advanced Firewalling support

Consume puppet-tripleo to create/manage IPtables from Heat templates.

This review put in place the logic to enable and setup firewall rules.

A known set of rules are applied. More to come.

Change-Id: Ib79c23fb27fe3fc03bf223e6922d896cb33dad22
Co-Authored-By: Yanis Guenane <yguenane@redhat.com>
Depends-On: I144c60db2a568a94dce5b51257f1d10980173325
---
 puppet/controller.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'puppet/controller.yaml')

diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index 2e8c3126..d3a8a93d 100644
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -278,6 +278,14 @@ parameters:
     type: string
     default: 'regionOne'
     description: Keystone region for endpoint
+  ManageFirewall:
+    default: false
+    description: Whether to manage IPtables rules.
+    type: boolean
+  PurgeFirewallRules:
+    default: false
+    description: Whether IPtables rules should be purged before setting up the new ones.
+    type: boolean
   MysqlClusterUniquePart:
     description: A unique identifier of the MySQL cluster the controller is in.
     type: string
@@ -819,6 +827,8 @@ resources:
         enable_galera: {get_param: EnableGalera}
         enable_ceph_storage: {get_param: EnableCephStorage}
         enable_swift_storage: {get_param: EnableSwiftStorage}
+        manage_firewall: {get_param: ManageFirewall}
+        purge_firewall_rules: {get_param: PurgeFirewallRules}
         mysql_innodb_buffer_pool_size: {get_param: MysqlInnodbBufferPoolSize}
         mysql_max_connections: {get_param: MysqlMaxConnections}
         mysql_root_password: {get_param: MysqlRootPassword}
@@ -1274,6 +1284,9 @@ resources:
                 # Redis
                 redis::bind: {get_input: redis_network}
                 redis_vip: {get_input: redis_vip}
+                # Firewall
+                tripleo::firewall::manage_firewall: {get_input: manage_firewall}
+                tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules}
                 # Misc
                 memcached::listen_ip: {get_input: memcached_network}
                 neutron_public_interface_ip: {get_input: neutron_public_interface_ip}
-- 
cgit 1.2.3-korg