Andrew Bogott has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/349531 )
Change subject: Designate: Allow labs clients to access the designate API.
......................................................................
Designate: Allow labs clients to access the designate API.
Bug: T45580
Change-Id: I594632a8937ef21daee7e0759d554dd730508c2b
---
M modules/role/manifests/labs/openstack/designate/server.pp
1 file changed, 9 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/31/349531/1
diff --git a/modules/role/manifests/labs/openstack/designate/server.pp
b/modules/role/manifests/labs/openstack/designate/server.pp
index 81ca727..83fc429 100644
--- a/modules/role/manifests/labs/openstack/designate/server.pp
+++ b/modules/role/manifests/labs/openstack/designate/server.pp
@@ -38,6 +38,15 @@
rule => "saddr (${wikitech_ip} ${horizon_ip} ${controller_ip}) proto
tcp dport (9001) ACCEPT;",
}
+ # Allow labs instances to hit the designate api. This is
+ # not as permissive as it looks since keystone only allows
+ # novaobserver to authenticate from within labs.
+ include network::constants
+ $labs_networks = join($network::constants::labs_networks, ' ')
+ ferm::rule { 'designate-api-for-labs':
+ rule => "saddr (${labs_networks} proto tcp dport (9001) ACCEPT;",
+ }
+
# allow axfr traffic between mdns and pdns on the pdns hosts
ferm::rule { 'mdns-axfr':
rule => "saddr (${dns_host_ip} ${dns_host_secondary_ip} ) proto tcp
dport (5354) ACCEPT;",
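Review bot: The new 'designate-api-for-labs' rule has unbalanced parentheses: `saddr (${labs_networks} proto tcp dport (9001) ACCEPT;` opens the saddr list and never closes it, so `proto tcp` ends up inside the address list. The neighbouring rules for 9001 and 5354 both close the list before `proto`; this one should read `saddr (${labs_networks}) proto tcp dport (9001) ACCEPT;`. Separately, the comment says the exposure is limited because keystone only lets novaobserver authenticate from within labs. Since this firewall rule now depends on that restriction, it would help to name in the comment where that keystone restriction is configured, so a later change there is not made without revisiting this rule.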
--
To view, visit https://gerrit.wikimedia.org/r/349531
Gerrit-MessageType: newchange
Gerrit-Change-Id: I594632a8937ef21daee7e0759d554dd730508c2b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <[email protected]>