Merge "Update elasticsearch firewall rules"
commit
2631f10226
@ -6,28 +6,34 @@ elasticsearch_nodes:
|
||||
- elasticsearch05.openstack.org
|
||||
- elasticsearch06.openstack.org
|
||||
- elasticsearch07.openstack.org
|
||||
elasticsearch_clients:
|
||||
- logstash.openstack.org
|
||||
- logstash-worker01.openstack.org
|
||||
- logstash-worker02.openstack.org
|
||||
- logstash-worker03.openstack.org
|
||||
- logstash-worker04.openstack.org
|
||||
- logstash-worker05.openstack.org
|
||||
- logstash-worker06.openstack.org
|
||||
- logstash-worker07.openstack.org
|
||||
- logstash-worker08.openstack.org
|
||||
- logstash-worker09.openstack.org
|
||||
- logstash-worker10.openstack.org
|
||||
- logstash-worker11.openstack.org
|
||||
- logstash-worker12.openstack.org
|
||||
- logstash-worker13.openstack.org
|
||||
- logstash-worker14.openstack.org
|
||||
- logstash-worker15.openstack.org
|
||||
- logstash-worker16.openstack.org
|
||||
- logstash-worker17.openstack.org
|
||||
- logstash-worker18.openstack.org
|
||||
- logstash-worker19.openstack.org
|
||||
- logstash-worker20.openstack.org
|
||||
elasticsearch_iptables_rule_data:
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch02.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch03.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch04.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch05.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch06.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch07.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker01.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker02.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker03.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker04.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker05.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker06.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker07.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker08.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker09.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker10.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker11.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker12.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker13.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker14.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker15.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker16.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker17.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker18.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker19.openstack.org'}
|
||||
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker20.openstack.org'}
|
||||
logstash_iptables_rule_data:
|
||||
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker01.openstack.org'}
|
||||
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker02.openstack.org'}
|
||||
|
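Review bot: The `elasticsearch_iptables_rule_data` list repeats by hand the cluster hosts that `elasticsearch_nodes` already names, so the firewall allowlist and the discovery list can drift apart when a node is added or retired. A comment above the key would make the coupling explicit, for example `# Keep in sync with elasticsearch_nodes; a node missing here cannot reach its peers on 9200:9400.` Every logstash client also gets the full `9200:9400` range; if those clients only speak to one of the HTTP or transport ports (not visible here), a narrower `port` value for the client entries would reduce exposure. Because the entries are keyed by `hostname`, the resulting rules presumably depend on name resolution when they are built, which is worth confirming in the consuming class.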
@ -6,7 +6,6 @@
|
||||
# passed around in test.sh
|
||||
#
|
||||
$elasticsearch_nodes = hiera_array('elasticsearch_nodes')
|
||||
$elasticsearch_clients = hiera_array('elasticsearch_clients')
|
||||
|
||||
#
|
||||
# Default: should at least behave like an openstack server
|
||||
@ -520,19 +519,13 @@ node /^subunit-worker\d+\.openstack\.org$/ {
|
||||
# Node-OS: xenial
|
||||
node /^elasticsearch0[1-7]\.openstack\.org$/ {
|
||||
$group = "elasticsearch"
|
||||
$iptables_nodes_rule = regsubst ($elasticsearch_nodes,
|
||||
'^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 9200:9400 -s \1 -j ACCEPT')
|
||||
$iptables_clients_rule = regsubst ($elasticsearch_clients,
|
||||
'^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 9200:9400 -s \1 -j ACCEPT')
|
||||
$iptables_rule = flatten([$iptables_nodes_rule, $iptables_clients_rule])
|
||||
class { 'openstack_project::server':
|
||||
iptables_public_tcp_ports => [22],
|
||||
iptables_rules6 => $iptables_rule,
|
||||
iptables_rules4 => $iptables_rule,
|
||||
iptables_allowed_hosts => hiera_array('elasticsearch_iptables_rule_data'),
|
||||
sysadmins => hiera('sysadmins', []),
|
||||
}
|
||||
class { 'openstack_project::elasticsearch_node':
|
||||
discover_nodes => $elasticsearch_nodes,
|
||||
discover_nodes => $elasticsearch_nodes,
|
||||
}
|
||||
}
|
||||
|
||||
|
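Review bot: In the `elasticsearch0[1-7]` node block the earlier rules were handed to both `iptables_rules4` and `iptables_rules6`, whereas the replacement passes only `iptables_allowed_hosts`. How `openstack_project::server` expands that parameter is not visible in this hunk, so it should be confirmed that it still produces IPv6 rules for these hosts. The node regex also matches elasticsearch01, while the rule data shown in this commit starts at elasticsearch02; if that host is still in service it would need an entry as well. A short comment on the parameter would help the next reader, for example `# source allowlist for 9200:9400; data lives in hiera key elasticsearch_iptables_rule_data`.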