k-s-dean 8553e52acd adds firewalld configuration based on enabled services
This change introduces automated configuration of firewalld and adds
a new filter for extracting services from the project_services dict.
The filter selects any enabled services and their haproxy element
and returns them so they can be iterated over.
This commit also enables automated configuration of firewalld from enabled
OpenStack services, adds them to the defined zone, and reloads the
system firewall.

Change-Id: Iea3680142711873984efff2b701347b6a56dd355
2022-07-27 12:28:40 +01:00


# Copyright (c) 2019 StackHPC Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import jinja2
from kolla_ansible import exception
from kolla_ansible.helpers import _call_bool_filter
@jinja2.pass_context
def service_enabled(context, service):
    """Tell whether a service definition is switched on.

    The raw 'enabled' value is not interpreted here; it is handed to
    _call_bool_filter together with the Jinja2 context.

    :param context: Jinja2 Context object.
    :param service: Service definition, dict.
    :returns: A boolean.
    :raises FilterError: if the definition has no 'enabled' attribute
        (or it is None).
    """
    flag = service.get('enabled')
    if flag is not None:
        return _call_bool_filter(context, flag)

    # A definition without 'enabled' is treated as a configuration error
    # rather than silently defaulting to on or off.
    container = service.get("container_name", "<unknown>")
    raise exception.FilterError(
        "Service definition for '%s' does not have an 'enabled' attribute"
        % container)
@jinja2.pass_context
def extract_haproxy_services(context, services):
    """Merge the 'haproxy' entries of all enabled services into one dict.

    Only the 'enabled' state is checked; whether a service is mapped to the
    current host is not considered by this filter.

    :param context: Jinja2 Context object.
    :param services: Service definitions, dict.
    :returns: A dict of haproxy service name to haproxy service definition.
    :raises FilterError: if two enabled services declare the same haproxy
        service name, or a definition has no 'enabled' attribute.
    """
    # NOTE(review): per the commit that introduced this filter, its output is
    # iterated to configure firewalld, so every entry returned here presumably
    # becomes a firewall opening - confirm against the consuming role.
    merged = {}
    for definition in services.values():
        if not service_enabled(context, definition):
            continue
        entries = definition.get('haproxy')
        if not entries:
            # Enabled service with no (or an empty) haproxy section.
            continue
        # Refuse to let a later service silently overwrite an earlier
        # entry that uses the same name.
        if set(merged) & set(entries):
            raise exception.FilterError(
                "haproxy service names should be unique")
        merged.update(entries)
    return merged
@jinja2.pass_context
def service_mapped_to_host(context, service):
    """Tell whether a service is mapped to the current host.

    A service definition can express its host mapping in two ways:

    * 'group': the service runs on every host in that group. The special
      group name "all" always matches.
    * 'host_in_groups': a boolean expression evaluated per host.

    When both are present, 'host_in_groups' wins.

    :param context: Jinja2 Context object.
    :param service: Service definition, dict.
    :returns: A boolean.
    :raises FilterError: if neither attribute is present.
    """
    expression = service.get("host_in_groups")
    if expression is not None:
        # NOTE(review): how _call_bool_filter evaluates this value is not
        # visible in this module.
        return _call_bool_filter(context, expression)

    group_name = service.get("group")
    if group_name is None:
        raise exception.FilterError(
            "Service definition for '%s' does not have a 'group' or "
            "'host_in_groups' attribute" %
            service.get("container_name", "<unknown>"))

    # 'group_names' is read from the template context; membership is tested
    # first, then the catch-all "all" group.
    return group_name in context.get("group_names") or group_name == "all"
@jinja2.pass_context
def service_enabled_and_mapped_to_host(context, service):
    """Tell whether a service is both enabled and mapped to this host.

    The host mapping is only consulted when the service is enabled.

    :param context: Jinja2 Context object.
    :param service: Service definition, dict.
    :returns: A boolean.
    """
    enabled = service_enabled(context, service)
    if not enabled:
        # Short-circuit: a disabled service is never checked for mapping.
        return enabled
    return service_mapped_to_host(context, service)
@jinja2.pass_context
def select_services_enabled_and_mapped_to_host(context, services):
    """Filter a services dict down to those enabled and mapped to this host.

    :param context: Jinja2 Context object.
    :param services: Service definitions, dict.
    :returns: A dict containing enabled services mapped to this host.
    """
    selected = {}
    for name, definition in services.items():
        if service_enabled_and_mapped_to_host(context, definition):
            selected[name] = definition
    return selected
def get_filters():
    """Return the filter-name to callable mapping exported by this module."""
    filters = {}
    filters["extract_haproxy_services"] = extract_haproxy_services
    filters["service_enabled"] = service_enabled
    filters["service_mapped_to_host"] = service_mapped_to_host
    filters["service_enabled_and_mapped_to_host"] = (
        service_enabled_and_mapped_to_host)
    filters["select_services_enabled_and_mapped_to_host"] = (
        select_services_enabled_and_mapped_to_host)
    return filters