Andrew Bogott has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/349531 )
Change subject: Designate: Allow labs clients to access the designate API.
......................................................................
Designate: Allow labs clients to access the designate API.
Bug: T45580
Change-Id: I594632a8937ef21daee7e0759d554dd730508c2b
---
M modules/role/manifests/labs/openstack/designate/server.pp
1 file changed, 13 insertions(+), 1 deletion(-)
Approvals:
Andrew Bogott: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/role/manifests/labs/openstack/designate/server.pp
b/modules/role/manifests/labs/openstack/designate/server.pp
index 81ca727..005f522 100644
--- a/modules/role/manifests/labs/openstack/designate/server.pp
+++ b/modules/role/manifests/labs/openstack/designate/server.pp
@@ -33,11 +33,23 @@
secondary_pdns_ip => $dns_host_secondary_ip,
}
- # Poke a firewall hole for the designate api
+ # Open designate API to Labs web UIs and the commandline on labcontrol
ferm::rule { 'designate-api':
rule => "saddr (${wikitech_ip} ${horizon_ip} ${controller_ip}) proto
tcp dport (9001) ACCEPT;",
}
+ # Allow labs instances to hit the designate api.
+ #
+ # This is not as permissive as it looks; The wmfkeystoneauth
+ # plugin (via the password whitelist) only allows 'novaobserver'
+ # to authenticate from within labs, and the novaobserver is
+ # limited by the designate policy.json to read-only queries.
+ include network::constants
+ $labs_networks = join($network::constants::labs_networks, ' ')
+ ferm::rule { 'designate-api-for-labs':
+ rule => "saddr (${labs_networks} proto tcp dport (9001) ACCEPT;",
+ }
+
# allow axfr traffic between mdns and pdns on the pdns hosts
ferm::rule { 'mdns-axfr':
rule => "saddr (${dns_host_ip} ${dns_host_secondary_ip} ) proto tcp
dport (5354) ACCEPT;",
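Review bot: The saddr list in the new 'designate-api-for-labs' rule is never closed. The added line `saddr (${labs_networks} proto tcp dport (9001) ACCEPT;` opens a parenthesis before ${labs_networks} and has no matching `)`, whereas the existing 'designate-api' rule just above it closes its address list before `proto`. With the parentheses unbalanced the rule is unlikely to parse as intended; it should read `saddr (${labs_networks}) proto tcp dport (9001) ACCEPT;`. Separately, the new comment makes the safety of this opening depend on the wmfkeystoneauth password whitelist and the designate policy.json, neither of which is visible in this file, so it would help to name where those are configured so that a later change to either is reviewed with this firewall rule in mind.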
--
To view, visit https://gerrit.wikimedia.org/r/349531
Gerrit-MessageType: merged
Gerrit-Change-Id: I594632a8937ef21daee7e0759d554dd730508c2b
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <[email protected]>
Gerrit-Reviewer: Andrew Bogott <[email protected]>
Gerrit-Reviewer: BryanDavis <[email protected]>
Gerrit-Reviewer: Chasemp <[email protected]>
Gerrit-Reviewer: Madhuvishy <[email protected]>
Gerrit-Reviewer: jenkins-bot <>